shell scripting: iptables - what am I doing wrong

EQnoble

Well-known member
I have been trying to block access to a server from a whole bunch of countries' server blocks that I know to be owned and/or operated by people I don't want hitting my server from those IPs. Manually adding them as I discover the blocks that they pick up has become a PITA, lemme tell you...so my solution was to try and make a .sh script to execute that would add all the blocks of IPs which I have grabbed and turned into iptables commands using some macros.

This is an example of a line in my script:
Code:
iptables -A INPUT -s xxx.xxx.xxx.0/23 -j DROP

I have also tried....
Code:
iptables="/sbin/iptables"

# the variable above is only useful if it is actually expanded below
"$iptables" -A INPUT -s x.x.x.0/24 -j DROP
"$iptables" -A INPUT -s x.x.x.0/23 -j DROP
"$iptables" -A INPUT -s x.x.x.0/21 -j DROP
"$iptables" -A INPUT -s x.x.x.0/19 -j DROP

What am I doing wrong or can this even be done??? Please oh please help me.
 
If these individual commands work fine from the command line then there should be no issue using a shell script. Make sure that you are running the script with "sudo" privileges. You may also try using UFW instead of iptables. Also, best practice is to put the shell executable path as a magic comment at the beginning of the file. You may also try running these commands using Perl or any other language using exec() or system() functions. :)
 
If these individual commands work fine from the command line then there should be no issue using a shell script. Make sure that you are running the script with "sudo" privileges. You may also try using UFW instead of iptables. Also, best practice is to put the shell executable path as a magic comment at the beginning of the file. You may also try running these commands using Perl or any other language using exec() or system() functions. :)
Thanks for all that info...I have a lot of reading to do apparently...:-)

Could you explain path as magic comment thing?

Well they do work from CLI but when I try setting up the script and executing it I get errors no matter what I try....been trying for hours now. :-/
 
Code:
#!/bin/bash

or

Code:
#!/usr/bin/env bash

is what I referred to as a magic comment. This will make your script more portable. It will direct the machine how to execute the script. People call it a "Shebang". I call it a magic comment because it is actually a comment which is being interpreted by the machine. Although, before actual execution, these comments might be removed in the pre-processing phase of the compiler. There are more such meaningful comments in some languages, e.g. in Ruby, if you use UTF-8 characters in the program itself, then it is better to declare the encoding as a magic comment at the beginning of the script. :-)
 
Well now that I still can't make it work I'm all sorts of pissed off that I wasted so much time trying to get this script working and not getting some addons finished.

Thanks ibnesayeed but I need to take a damn break from this for now before I lose my mind. :-)
 
What is the error you're getting though? ..

This is the syntax I am using:

iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

and extended, using -A flag,

iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j REJECT --reject-with tcp-reset

Some additional info:

http://www.cyberciti.biz/tips/how-do-i-drop-or-block-attackers-ip-with-null-routes.html

find out where your "bash" is,

nano -w yourscript.sh
#!/path/to/bash

#your commands below this line

Ctrl+X to save/exit

chmod 755 yourscript.sh

./yourscript.sh
 
What is the error you're getting though? ..

This is the syntax I am using:

iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

and extended, using -A flag,

iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j REJECT --reject-with tcp-reset

Some additional info:

http://www.cyberciti.biz/tips/how-do-i-drop-or-block-attackers-ip-with-null-routes.html

find out where your "bash" is,

nano -w yourscript.sh
#!/path/to/bash

#your commands below this line

Ctrl+X to save/exit

chmod 755 yourscript.sh

./yourscript.sh

Just woke up, but as soon as I am more awake I will try; I am sure that you solved my problem.

iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP works for me in the CLI, but I get errors using it in a script... either A not valid or drop is an invalid target.

I think your simplest example may work for me: iptables -I INPUT xxx.xxxx.xxx.xxx -j DROP


I will give it a whirl when I am more part of the world here.

Thanks Floris
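As an added example (not code from anyone in this thread), here is a script in the form Floris describes (shebang, chmod 755, run as root) that does what the OP's generated script does, but reads the blocks from a file and cleans and validates them first, so a bad line shows up as a clear message instead of an "invalid target" error. It assumes iptables lives at /sbin/iptables (override with IPTABLES=...) and that the blocklist file is passed as the first argument; the file contents used in testing are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads CIDR blocks from a file and
# appends one DROP rule per block. Assumes /sbin/iptables (override with
# IPTABLES=...) and a blocklist file given as the first argument.
set -eu
IPTABLES="${IPTABLES:-/sbin/iptables}"

# True when $1 is an IPv4 network in CIDR form, a.b.c.d/n with n <= 32.
valid_cidr() {
    local ip prefix
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; prefix="${1#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    printf '%s\n' "$ip" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the valid blocks from file $1, one per line. Carriage returns are
# stripped first: a CRLF file turns "DROP" into "DROP<CR>", which is one way
# a command that works when typed can fail with "invalid target" in a script.
# Comments and blank lines are skipped; anything else is reported on stderr.
clean_blocks() {
    tr -d '\r' < "$1" | sed 's/#.*//; s/[[:space:]]//g' |
    while IFS= read -r block; do
        [ -n "$block" ] || continue
        if valid_cidr "$block"; then
            printf '%s\n' "$block"
        else
            printf 'skipping invalid block: %s\n' "$block" >&2
        fi
    done
}

# Print the iptables commands without running them, to review before applying.
render_rules() {
    clean_blocks "$1" | while IFS= read -r block; do
        printf '%s -A INPUT -s %s -j DROP\n' "$IPTABLES" "$block"
    done
}

# Append the rules for real; iptables needs root, hence "sudo ./script.sh".
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    clean_blocks "$1" | while IFS= read -r block; do
        "$IPTABLES" -A INPUT -s "$block" -j DROP
    done
}
[ $# -eq 0 ] || apply_rules "$1"
```

Run `render_rules blocklist.txt` from a shell that has sourced the script to see the rules it would add before running it for real with `sudo ./yourscript.sh blocklist.txt`.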
 