Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hello,
Can iptables read from a file the list of IP or MAC addresses that are supposed to be allowed to connect or not to connect to the server? For example, if I have 100 MAC addresses, do I need to repeat the following command 100 times?
Code:
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source "MAC Address" -j ACCEPT
Quote:
Originally Posted by Jason.nix
Hello,
Can iptables read from a file the list of IP or MAC addresses that are supposed to be allowed to connect or not to connect to the server? For example, if I have 100 MAC addresses, do I need to repeat the following command 100 times?
Code:
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source "MAC Address" -j ACCEPT
Write a bash script that accepts the list of IP addresses (or MAC addresses) and loops through the list to execute the iptables command for each.
ipset is the right tool for this. Example snippets from a script I have:
Code:
ipset create blocklist hash:net family inet hashsize 64 maxelem 512
ipset add blocklist 8.0.0.0/8
ipset list blocklist
ipset -f /etc/ipset/blocklist.ipset save
ipset -f /etc/ipset/blocklist.ipset restore
...
# Color codes for fancy output.
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'
test -f /etc/ipset/blocklist.ipset && {
printf "${GREEN}[+] Log/blocking networks from the general blocklist.${NC}\\n"
ipset -exist -file /etc/ipset/blocklist.ipset restore
iptables -A INPUT -m set --match-set blocklist src -m limit -j LOG --log-level 7 --log-prefix "Ipset blocklist: "
iptables -A INPUT -m set --match-set blocklist src -j DROP
}
See the documentation for ipset. It's made for this use, instead of 100's of iptables rules. I default allow, and only block abusive hosts, but you can do it the other way as well.
Hi,
Thank you so much for your reply.
When your IP addresses are not in the same range, then this script is not useful!
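An added example, not code from the thread, that ties the two replies together: it reads a plain text file of entries and emits one `ipset restore` script, which works just as well for scattered single addresses as for ranges, since each address becomes its own set entry; the set name "ssh_allow", the "_ip"/"_mac" suffixes and the file format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: set name "ssh_allow", one entry
# per line in the list file (IPv4 address, CIDR block or MAC), "#" comments.
# Each entry becomes one set member, so addresses need not share a range.

IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
MAC_RE='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'

# gen_allowlist_restore NAME FILE: print `ipset restore` input on stdout.
# Blank lines and comments are ignored; anything that is neither an IPv4
# address/CIDR nor a MAC is reported on stderr and skipped (syntactic check
# only, ipset itself still validates octets and prefix lengths).
gen_allowlist_restore() {
    name=$1 file=$2
    printf 'create %s_ip hash:net family inet\n' "$name"
    printf 'create %s_mac hash:mac\n' "$name"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if printf '%s\n' "$entry" | grep -Eq "$IPV4_RE"; then
            printf 'add %s_ip %s\n' "$name" "$entry"
        elif printf '%s\n' "$entry" | grep -Eq "$MAC_RE"; then
            printf 'add %s_mac %s\n' "$name" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done < "$file"
}

# allowlist_rules NAME PORT: the three iptables rules that replace one rule
# per address. Load the sets first with:
#   gen_allowlist_restore NAME FILE | ipset -exist restore
allowlist_rules() {
    name=$1 port=$2
    printf 'iptables -A INPUT -p tcp --dport %s -m set --match-set %s_ip src -j ACCEPT\n' "$port" "$name"
    printf 'iptables -A INPUT -p tcp --dport %s -m set --match-set %s_mac src -j ACCEPT\n' "$port" "$name"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Demo on a constructed list (documentation ranges, not real hosts).
demo_list=$(mktemp)
printf '192.0.2.10\n203.0.113.77   # scattered hosts, no common range\n198.51.100.0/24\n00:11:22:aa:bb:cc\nnot-an-address\n' > "$demo_list"
gen_allowlist_restore ssh_allow "$demo_list"
allowlist_rules ssh_allow 22
rm -f "$demo_list"
```

Nothing here touches the kernel; the output is text you pipe into `ipset -exist restore` and then run as root, so it can be reviewed or diffed before it is applied.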