iptables and a list of addresses

Jason.nix · 02-08-2024, 03:52 PM

Hello,
Can iptables read from a file the list of IP or MAC addresses that are supposed to be allowed to connect or not to connect to the server? For example, if I have 100 MAC addresses, do I need to repeat the following command 100 times?

Code:

# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source "MAC Address" -j ACCEPT

Thank you.

rnturn · 02-08-2024, 05:02 PM

Quote:

Originally Posted by Jason.nix

Hello,
Can iptables read from a file the list of IP or MAC addresses that are supposed to be allowed to connect or not to connect to the server? For example, if I have 100 MAC addresses, do I need to repeat the following command 100 times?

Code:

# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source "MAC Address" -j ACCEPT

Write a bash script that accepts the list of IP addresses (or MAC addresses) and loops through the list to execute the iptables command for each.

Hope this helps...

Jason.nix · 02-10-2024, 05:50 AM

Quote:

Originally Posted by rnturn

Write a bash script that accepts the list of IP addresses (or MAC addresses) and loops through the list to execute the iptables command for each.

Hope this helps...

Hello,
Thank you so much for your reply.
I found a script by searching on google and modified it as below:

Code:

for MAC in 'cat mac_addresses_file'; do

  **iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source $MAC -j ACCEPT**

Is it correct?

jayjwa · 02-11-2024, 01:45 PM

ipset is the right tool for this. Example snippets from a script I have:

Code:

ipset create blocklist hash:net family inet hashsize 64 maxelem 512  
ipset add blocklist 8.0.0.0/8                                        
ipset list blocklist                                                 
ipset -f /etc/ipset/blocklist.ipset save                             
ipset -f /etc/ipset/blocklist.ipset restore

...

# Color codes for fancy output.
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'

test -f /etc/ipset/blocklist.ipset && {
		printf "${GREEN}[+] Log/blocking networks from the general blocklist.${NC}\\n"
		ipset -exist -file /etc/ipset/blocklist.ipset restore
		iptables -A INPUT -m set --match-set blocklist src -m limit -j LOG --log-level 7 --log-prefix "Ipset blocklist: "
		iptables -A INPUT -m set --match-set blocklist src -j DROP
}

See the documentation for ipset. It's made for this use, instead of 100's of iptables rules. I default allow, and only block abusive hosts, but you can do it the other way as well.

Jason.nix · 02-12-2024, 04:51 AM

Quote:

Originally Posted by jayjwa

ipset is the right tool for this. Example snippets from a script I have:

Code:

ipset create blocklist hash:net family inet hashsize 64 maxelem 512  
ipset add blocklist 8.0.0.0/8                                        
ipset list blocklist                                                 
ipset -f /etc/ipset/blocklist.ipset save                             
ipset -f /etc/ipset/blocklist.ipset restore

...

# Color codes for fancy output.
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'

test -f /etc/ipset/blocklist.ipset && {
		printf "${GREEN}[+] Log/blocking networks from the general blocklist.${NC}\\n"
		ipset -exist -file /etc/ipset/blocklist.ipset restore
		iptables -A INPUT -m set --match-set blocklist src -m limit -j LOG --log-level 7 --log-prefix "Ipset blocklist: "
		iptables -A INPUT -m set --match-set blocklist src -j DROP
}

See the documentation for ipset. It's made for this use, instead of 100's of iptables rules. I default allow, and only block abusive hosts, but you can do it the other way as well.

Hi,
Thank you so much for your reply.
When your IP addresses are not in the same range, then this script is not useful!

Jason.nix · 02-12-2024, 10:44 AM

Hello,
How can I make it possible to create only one session from each MAC address?

Thank you.

jayjwa · 02-12-2024, 12:39 PM

Quote:

When your IP addresses are not in the same range, then this script is not useful!

Not true. That's just the example.

Code:

su -c 'ipset list blocklist'
Password: 
Name: blocklist
Type: hash:net
Revision: 7
Header: family inet hashsize 64 maxelem 512 bucketsize 12 initval 0xb5dfcf22
Size in memory: 1608
References: 2
Number of entries: 27
Members:
194.165.16.10
45.129.14.99
80.94.92.241
193.42.33.7
185.225.75.182
164.92.106.15
85.217.144.82
13.40.5.44
194.165.16.73
147.78.103.108
37.139.129.238
91.92.244.201
103.219.154.96
165.227.214.182
194.165.16.76
91.92.242.137
165.227.110.45
93.112.20.159
87.120.84.80
94.23.30.184
195.133.40.42
194.87.151.143
84.54.50.104
87.121.221.75
195.178.120.5
194.33.191.197
87.120.84.30

You can manually add them to the text file blocklist, use the ipset add command, or work ipset add into a script.

Jason.nix · 02-14-2024, 11:57 AM

Quote:

Originally Posted by jayjwa

Not true. That's just the example.

Code:

su -c 'ipset list blocklist'
Password: 
Name: blocklist
Type: hash:net
Revision: 7
Header: family inet hashsize 64 maxelem 512 bucketsize 12 initval 0xb5dfcf22
Size in memory: 1608
References: 2
Number of entries: 27
Members:
194.165.16.10
45.129.14.99
80.94.92.241
193.42.33.7
185.225.75.182
164.92.106.15
85.217.144.82
13.40.5.44
194.165.16.73
147.78.103.108
37.139.129.238
91.92.244.201
103.219.154.96
165.227.214.182
194.165.16.76
91.92.242.137
165.227.110.45
93.112.20.159
87.120.84.80
94.23.30.184
195.133.40.42
194.87.151.143
84.54.50.104
87.121.221.75
195.178.120.5
194.33.191.197
87.120.84.30

You can manually add them to the text file blocklist, use the ipset add command, or work ipset add into a script.

Hi,
Thanks again.
You used IP range 8.0.0.0/8.