On Wed, 05 Mar 2003, tzz@lifelogs.com wrote:
> I wrote this little script to block out IPs in the ranges specified
> in some blacklists (see URL list in the script) by rewriting
> /etc/sysconfig/iptables, but perhaps it will be useful for other
> purposes as well. I would appreciate suggestions for improvements,
> or notes on how I'm doing it all wrong :)
>
> The marker I use to detect lines previously generated by this
> program is "-i+" (all interfaces), which is redundant and thus not
> specified normally. I couldn't find another way to easily mark
> lines without actually generating a new chain, which was more time
> than I wanted to spend writing this script...
Oops, apparently "-i+" does not work properly (I must have had the old
rules in place when I was testing). Patch attached to make it use
"-i e+" instead. Sorry.
Ted
Index: rewrite-iptables.pl
===================================================================
RCS file: /usr/home/lifelogs/cvsroot/articles/snippets/rewrite-iptables.pl,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- rewrite-iptables.pl 5 Mar 2003 16:05:44 -0000 1.3
+++ rewrite-iptables.pl 6 Mar 2003 11:15:31 -0000 1.4
@@ -30,7 +30,7 @@
# printf ("%s/%s\n", $_->base, $_->size) foreach @ranges;
};
-if (m/-i\+ -j REJECT$/)
+if (m/-i e\+ -j REJECT$/)
{
# don't print anything (remove the old range)
}
@@ -44,7 +44,7 @@
$line = $_; # save in case $_ gets corrupted
if ($chainfound)
{
- printf ("$chainfind -s %s/%s -i+ -j REJECT\n", $_->base, $_->bits) foreach @ranges;
+ printf ("$chainfind -s %s/%s -i e+ -j REJECT\n", $_->base, $_->bits) foreach @ranges;
}
print $line;
