Your blacklist should be built from several different sources. For more information on reliable sources for a blacklist and on maintaining it automatically, you may refer to my post: How to Maintain Blacklist for IPTables Automatically
In this post, there are three major steps to batch block all IP addresses in a blacklist with IPTables:
- Create a new chain in IPTables for blacklist.
- Maintain an IP blacklist file.
- Create an executable script to feed the blacklist into IPTables.
- Create a new chain called BLACKLIST
- Insert the chain at the top (first) position of the default chain INPUT
- See the content of the chain BLACKLIST. It's empty as expected.
- Try to add a banned IP into the chain.
- See the content of the chain BLACKLIST in numeric form. The IP has been added.
- See the content of the chain BLACKLIST in literal form (source addresses are resolved to host names).
- If you don't want the new rules in chain BLACKLIST, you can flush them all out.
- If you want to keep the new chain and rules, you can persist them into the saved IPTables configuration.
[root@test ~]# iptables -N BLACKLIST
[root@test ~]# iptables -I INPUT 1 -j BLACKLIST
[root@test ~]# iptables -L BLACKLIST
Chain BLACKLIST (1 references)
target prot opt source destination
[root@test ~]# iptables -A BLACKLIST -s 37.59.41.169/32 -j DROP
[root@test ~]# iptables -L BLACKLIST -n
Chain BLACKLIST (1 references)
target prot opt source destination
DROP all -- 37.59.41.169 0.0.0.0/0
[root@test ~]# iptables -L BLACKLIST
Chain BLACKLIST (1 references)
target prot opt source destination
DROP all -- ks3002108.kimsufi.com anywhere
[root@test ~]# iptables -F BLACKLIST
[root@test ~]# iptables-save | tee /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Jun 24 19:18:25 2014
*filter
...
:BLACKLIST - [0:0]
-A INPUT -j BLACKLIST
...
- Create and maintain an IP blacklist file like this:
[root@test ~]# cat /path/to/blacklist
# Listed in CBL
37.59.41.169
# Malicious Visitors
203.0.113.0/24
10.123.123.123
You can use comment lines or blank lines to separate several kinds of IP. Each IP address must be written in Classless Inter-Domain Routing (CIDR) notation; a bare address such as 37.59.41.169 is treated by iptables as /32.
A better practice to maintain the blacklist automatically can be found at:
How to Maintain Blacklist for IPTables Automatically
- Compose a script file called /path/to/add_blocked_ip.sh
- Don't forget to make it executable
- Execute the script file
- Let's see the current configuration
[root@test ~]# vi /path/to/add_blocked_ip.sh
#!/bin/bash
# Set all variables for your own needs
BASE=/sbin/iptables
IPLT=/path/to/blacklist
CONF=/etc/sysconfig/iptables
# Empty the chain BLACKLIST before adding rules
$BASE -F BLACKLIST
# Read $IPLT and add each IP into IPTables one by one.
# Comment lines, blank lines and any line containing ':' (IPv6 needs ip6tables) are skipped.
/bin/egrep -v "^#|^$|:" "$IPLT" | sort -u | while read -r IP
do
    $BASE -A BLACKLIST -s "$IP" -j DROP
done
# Save current configuration to file
${BASE}-save > "$CONF"
[root@test ~]# chmod u+x /path/to/add_blocked_ip.sh
[root@test ~]# /path/to/add_blocked_ip.sh
[root@test ~]# iptables -L BLACKLIST -n
Chain BLACKLIST (1 references)
target prot opt source destination
DROP all -- 37.59.41.169 0.0.0.0/0
DROP all -- 203.0.113.0/24 0.0.0.0/0
DROP all -- 10.123.123.123 0.0.0.0/0
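The loading script trusts every non-comment line of the blacklist file, so a single malformed entry makes iptables fail part-way through filling the chain. As an added example that is not part of the original post, here is a POSIX shell check that validates each entry as an IPv4 address or CIDR block before it is loaded; the function names validate_blacklist and is_ipv4 and the sample file are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): check a blacklist file before
# the loading script feeds it to iptables. Comment and blank lines are skipped as
# in the post; everything else must be a well-formed IPv4 address or CIDR block.
# Return 0 when $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}
# Print every valid entry of file $1 as address/prefix (bare addresses get /32)
# and report rejected lines on stderr. Exit status is 1 if anything was rejected.
validate_blacklist() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # drop stray whitespace
        case "$line" in ''|\#*) continue ;; esac           # blank or comment line
        case "$line" in
            */*) ip=${line%%/*}; prefix=${line#*/} ;;
            *)   ip=$line; prefix=32 ;;
        esac
        case "$prefix" in
            ''|*[!0-9]*) ok=1 ;;                           # prefix is not a number
            *) if [ "$prefix" -le 32 ] && is_ipv4 "$ip"; then ok=0; else ok=1; fi ;;
        esac
        if [ "$ok" -eq 0 ]; then
            printf '%s/%s\n' "$ip" "$prefix"
        else
            printf 'rejected: %s\n' "$line" >&2
            bad=1
        fi
    done < "$1"
    return "$bad"
}
# Constructed sample input in the same shape as the post's blacklist file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Listed in CBL
37.59.41.169
# Malicious Visitors
203.0.113.0/24
10.123.123.123
192.0.2.300
198.51.100.0/33
EOF
# Dry run: the loading script can use `validate_blacklist "$IPLT" | sort -u`
# in place of its egrep pipeline and abort on a non-zero exit status.
validate_blacklist "$SAMPLE" | sort -u
```

The two bad lines (an octet of 300 and a /33 prefix) are reported on stderr and never reach iptables, while the three good ones come out normalised with an explicit prefix length.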