Hello,

* Gary & Mic McFall <nutbrownhares@xxxxxxx> 15. Sep 04:
> To be proactive, we want to automate that process via iptables & the
> CSV available at <http://ip-to-country.webhosting.info>.

I am very suspicious of configuring packet filters with external (untrusted) data.

> We have created a C program (IPCheck) in the /bin directory

Maybe it should go to /usr/local/bin/... anyway.

> We want to process the packet based on that return.

Make it return 0 for bad and !0 for 'good' IP#s.

> I'm a relative newbie with iptables & scripts.

<URL:http://iptables-tutorial.frozentux.net/iptables-tutorial.html>

> Listed below is some very crude code,

Aah... yes.

> Any suggestions on how to shore this up so that it will work?

# You need to create the user-defined chain before using it:
$IPT -N INBADIPS

> # ***** DROP BAD IPS *****
> /bin/IPCheck `grep -w "SRC =" | cut -d = -f 2`

# What are you going to use as input? This grep needs a source to
# parse. Will it result in a list of IP#s? I assume a single $IP.

> if return = "Bad IP"
> $IPT -A INPUT -$ETH0 $RATELIMIT -j INBADIPS

# This will not work. Use:
if /usr/local/bin/IPCheck $IP
then
    $IPT -A INPUT -i eth0 -s $IP -j INBADIPS
fi

# What do you mean with $RATELIMIT? Are you looking for
# <URL:http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TABLE.LIMITMATCH>?

> ***** RULES - DROP BAD IPS *****
> # ***** REVIEW LOG AT /var/log/iptables.log *****
> $IPT -A INBADIPS -j LOG --log-level debug --log-prefix "BADIP: " -j DROP

# You can't have two targets in a rule. Split it:
$IPT -A INBADIPS -j LOG --log-level debug --log-prefix="BADIP: "
$IPT -A INBADIPS -j DROP

Some questions you should ask yourself:
+ Is this a gateway? Should it go to FORWARD?
+ Will IP#s stay forever on the blacklist? How and when to remove them?
+ Is this really what you want?

Hope I understood you,
regards, Frank.

-- 
Sigmentation fault
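Added worked example, not code from Frank's reply or from the original poster's script: a POSIX sh script that ties the corrections together (chain created before use, exit-status test on the checker, LOG and DROP as separate rules, a way to remove an entry again). The blacklist is constructed and is_bad_ip is a hypothetical stand-in for /bin/IPCheck; since the address comes from untrusted data it is validated before being spliced into a rule. Set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. is_bad_ip stands in for the
# poster's /bin/IPCheck (exit 0 = bad); BAD_IPS is a constructed list.
IPT=${IPT:-/sbin/iptables}      # set IPT=echo to print rules instead
IFACE=${IFACE:-eth0}
BAD_IPS="203.0.113.5 198.51.100.7"

# The address comes from untrusted data and is spliced into a rule,
# so accept only a dotted quad with octets 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Stand-in for IPCheck: exit 0 when the IP is on the blacklist.
is_bad_ip() {
    for b in $BAD_IPS; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# Create the user-defined chain before referencing it, and give it
# one target per rule: LOG first, then DROP.
setup_chain() {
    $IPT -N INBADIPS
    $IPT -A INBADIPS -j LOG --log-level debug --log-prefix "BADIP: "
    $IPT -A INBADIPS -j DROP
}

# Exit status: 0 rule added, 1 IP is good, 2 input rejected.
check_and_block() {
    valid_ipv4 "$1" || return 2
    is_bad_ip "$1" || return 1
    $IPT -A INPUT -i "$IFACE" -s "$1" -j INBADIPS
}

# Delete the rule again so the blacklist does not grow forever.
unblock() {
    $IPT -D INPUT -i "$IFACE" -s "$1" -j INBADIPS
}
```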