
shell scripting: iptables - what am I doing wrong

Discussion in 'General PHP and MySQL Discussions' started by EQnoble, Jul 10, 2011.

  1. EQnoble

    EQnoble Well-Known Member

    I have been trying to block access to a server from a whole bunch of countries' server blocks that I know to be owned and/or operated by people I don't want hitting my server from those IPs. Manually adding them as I discover the blocks that they pick up has become a PITA, lemme tell you... so my solution was to try and make a .sh script to execute that would add all the blocks of IPs which I have grabbed and turned into iptables commands using some macros.

    This is an example of a line in my script:
    Code:
    iptables -A INPUT -s xxx.xxx.xxx.0/23 -j DROP
    I have also tried....
    Code:
    # full path to the binary, so the script does not depend on PATH
    iptables="/sbin/iptables"
    
    # the variable has to be expanded with $ to be used; a bare "iptables"
    # would just look up the name in PATH again
    $iptables -A INPUT -s x.x.x.0/24 -j DROP
    $iptables -A INPUT -s x.x.x.0/23 -j DROP
    $iptables -A INPUT -s x.x.x.0/21 -j DROP
    $iptables -A INPUT -s x.x.x.0/19 -j DROP
    
    What am I doing wrong or can this even be done??? Please oh please help me.
     
  2. ibnesayeed

    ibnesayeed Well-Known Member

    If these individual commands work fine from the command line then there should be no issue using a shell script. Make sure that you are running the script under "sudo" privilege. You may also try using UFW instead of iptables. Also, best practice is to put the shell executable path as a magic comment at the beginning of the file. You may also try running these commands using Perl or any other language using the exec() or system() functions. :)
     
    EQnoble likes this.
  3. EQnoble

    EQnoble Well-Known Member

    Thanks for all that info... I have a lot of reading to do, apparently... :)

    Could you explain the "path as magic comment" thing?

    Well, they do work from the CLI, but when I try setting up the script and executing it I get errors no matter what I try... been trying for hours now. :-/
     
  4. ibnesayeed

    ibnesayeed Well-Known Member

    Code:
    #!/bin/bash
    or

    Code:
    #!/usr/bin/env bash
    is what I referred to as a magic comment. This will make your script more portable. It will direct the machine how to execute the script. People call it a "shebang". I call it a magic comment because it is actually a comment which is being interpreted by the machine. Although, before actual execution, these comments might be removed in the pre-processing phase of the compiler. There are more such meaningful comments in some languages. E.g. in Ruby, if you use UTF-8 characters in the program itself then it is better to declare the encoding as a magic comment at the beginning of the script. :)
     
    EQnoble likes this.
  5. EQnoble

    EQnoble Well-Known Member

    Well, now that I still can't make it work, I'm all sorts of pissed off that I wasted so much time trying to get this script working and not getting some addons finished.

    Thanks ibnesayeed but I need to take a damn break from this for now before I lose my mind. :)
     
  6. Floris

    Floris Guest

    What is the error you're getting, though?

    This is the syntax I am using:

    iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

    and extended, using -A flag,

    iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j REJECT --reject-with tcp-reset

    Some additional info;

    http://www.cyberciti.biz/tips/how-do-i-drop-or-block-attackers-ip-with-null-routes.html

    find out where your "bash" is, then:

    nano -w yourshell.sh
    #!/path/to/bash

    #your commands below this line

    Ctrl+X to save/exit

    chmod 755 yourscript.sh

    ./yourscript.sh
     
    EQnoble likes this.
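    As an added example (my own code, not EQnoble's script or anything Floris posted), the script below puts the pieces of this thread together: the shebang on the first line, the iptables path held in a variable and expanded with $, one DROP rule per block, and chmod 755 before running. It also checks the input before any rule is built, because two things that make a script fail while the same commands work when typed at the prompt are a block list saved with Windows CRLF line endings (iptables then sees "DROP\r" as the target name and rejects it) and a malformed address. The block list and the /sbin/iptables path are assumptions; the sample addresses are constructed from documentation ranges. Nothing is applied unless APPLY=1 is set, so it is safe to run as a dry run first.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Generates iptables DROP rules from
# a list of CIDR blocks, validating each line first. Assumed binary path below.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # assumed path; override via the environment

# Constructed sample block list. The second line deliberately carries a CRLF
# line ending and the fourth is malformed; both kinds of line cause iptables
# to complain about a bad argument or an unknown target.
SAMPLE_BLOCKS=$(printf '203.0.113.0/24\n198.51.100.0/23\r\n192.0.2.0/21\nnot.an.address/8\n')

# valid_cidr A.B.C.D/N: shape check via grep, then each octet must be <= 255
# and the prefix length 0..32.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  addr=${1%/*}
  oldifs=$IFS
  IFS=.
  for octet in $addr; do
    if [ "$octet" -gt 255 ]; then
      IFS=$oldifs
      return 1
    fi
  done
  IFS=$oldifs
  return 0
}

# Read blocks on stdin, strip carriage returns, print one valid block per line.
# Rejected lines are reported on stderr instead of becoming broken rules.
normalize_blocks() {
  tr -d '\r' | while IFS= read -r block; do
    [ -z "$block" ] && continue
    if valid_cidr "$block"; then
      printf '%s\n' "$block"
    else
      printf 'skipping malformed block: %s\n' "$block" >&2
    fi
  done
}

# Emit the full iptables command for every valid block, one per line.
gen_rules() {
  normalize_blocks | while IFS= read -r block; do
    printf '%s -A INPUT -s %s -j DROP\n' "$IPTABLES" "$block"
  done
}

# Write a runnable script to $1: shebang first, rules after, mode 755.
write_script() {
  out="$1"
  {
    printf '#!/bin/sh\n'
    printf '# generated block list; run as root\n'
    gen_rules
  } > "$out"
  chmod 755 "$out"
}

# Dry run by default: show the rules. With APPLY=1 they are executed.
if [ "${APPLY:-0}" = "1" ]; then
  printf '%s\n' "$SAMPLE_BLOCKS" | gen_rules | sh
else
  printf '%s\n' "$SAMPLE_BLOCKS" | gen_rules
fi
```

To use it with a real list, replace SAMPLE_BLOCKS with `cat blocks.txt` and either run it with APPLY=1 as root or call write_script to produce a file you can inspect and run later. Rules added with -A land at the end of INPUT, so they only take effect for traffic that no earlier rule has already accepted; -I puts them first, as in Floris's one-liner.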
  7. EQnoble

    EQnoble Well-Known Member

    Just woke up, but as soon as I am more awake I will try it; I am sure that you solved my problem.

    "iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP" works for me in the CLI, but I get errors using it in a script... either "A" is not valid or "drop" is an invalid target.

    I think your simplest example may work for me iptables -I INPUT xxx.xxxx.xxx.xxx -j DROP


    I will give it a whirl when I am more part of the world here.

    Thanks Floris
     
    Floris likes this.
