Re: iptables -> refuse/grant access from ip's in a file

From: Sandman (mr_at_sandman.net)
Date: 02/03/04

  • Next message: Andreas Tretow: "Re: Linuxconf & The Like"
    Date: Tue, 03 Feb 2004 13:34:54 +0100
    
    

    In article <pan.2004.02.03.05.14.13.952145@mailinator.com>,
     John <john@mailinator.com> wrote:

    > > 1. It needs to take wildcards, either by above (192.64.* or by omission,
    > > 194.64) to let entire subnets in or out.
    > >
    > > 2. It would be good if it was "live", so I only had to alter FileB.txt to
    > > block a user and FileA.txt to grant access to a subnet.
    > >
    > > 3. It should work both over udp and tcp.
    >
    > Yes, you can. If you're just asking for something simple, such as a known
    > "blacklist" and "whitelist" at bootup, it's actually very easy with a
    > shell script. It might contain code that looks something like the
    > following:
    >
    > for ipaddr in `cat /etc/blacklist 2>/dev/null`; do
    >   for proto in tcp udp; do   # --dport is only valid after -p tcp/udp
    >     iptables -A INPUT -p $proto -s $ipaddr --dport $port -j DROP
    >   done
    > done
    > for ipaddr in `cat /etc/whitelist 2>/dev/null`; do
    >   for proto in tcp udp; do
    >     iptables -A INPUT -p $proto -s $ipaddr --dport $port -j ACCEPT
    >   done
    > done
    >
    > You can either modify /etc/init.d/iptables or set it as a separate init
    > script to run _after_ /etc/init.d/iptables. The iptables man page will
    > tell you what you need to know about the format of the ip addresses and
    > other neat options.
    >
    > If you need to alter this on a running machine, you might make your script
    > smarter, say implementing a separate chain that can easily be reset by
    > rerunning the script. You can do this manually after updating the file,
    > or write a simple cron script to monitor the mtime on the file, or write a
    > daemon to continuously monitor file changes.

    Ok, this much I suspected was possible. Although I feel the gotchas 1 and 2
    aren't really dealt with here...

    -- 
    Sandman[.net]
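Added example, not code from either poster: a POSIX shell script that does what John sketches above and covers the two gotchas Sandman says are left open. Wildcard entries in the poster's two forms (192.64.* or 194.64) are turned into CIDR prefixes, which `iptables -s` accepts directly; the rules live in their own chain that is flushed and rebuilt on every run, so editing a file and re-running the script is the "live" update; and every entry gets a tcp and a udp rule. The chain name ACL, the port 8080, the file paths and the sample list files in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread: rebuild a dedicated
# iptables chain from a whitelist and a blacklist file. Accepts the
# wildcard forms asked for ("192.64.*", "194.64") plus plain hosts and
# CIDR, covers both tcp and udp, and can be re-run whenever a file
# changes. Chain name, port and file paths below are assumptions.

CHAIN=${CHAIN:-ACL}                      # hypothetical chain name
PORT=${PORT:-8080}                       # hypothetical service port
WHITELIST=${WHITELIST:-/etc/whitelist}   # one address per line, '#' comments
BLACKLIST=${BLACKLIST:-/etc/blacklist}

# wild_to_cidr ADDR: print ADDR as a CIDR that "iptables -s" accepts.
#   192.64.*  -> 192.64.0.0/16    194.64     -> 194.64.0.0/16
#   10.1.2.3  -> 10.1.2.3/32      10.0.0.0/8 -> 10.0.0.0/8
# Returns 1 (prints nothing) for anything that is not dotted digits, so a
# hostile line in the list can never reach the iptables command line.
wild_to_cidr() {
    addr=$1 plen=''
    case $addr in
        */*) plen=${addr#*/}; addr=${addr%%/*}     # explicit prefix length
             case $plen in ''|*[!0-9]*) return 1 ;; esac
             [ "$plen" -le 32 ] || return 1 ;;
    esac
    addr=${addr%.\*}                               # drop one trailing ".*"
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;       # not a dotted-digit prefix
    esac
    given=0 rest=$addr
    while :; do                                    # count and range-check octets
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        given=$((given + 1))
        [ "$rest" = "$octet" ] && break
        rest=${rest#*.}
    done
    [ "$given" -le 4 ] || return 1
    if [ -n "$plen" ]; then
        [ "$given" -eq 4 ] || return 1             # a /len needs a full address
    else
        plen=$((given * 8))                        # 8 bits per octet written
    fi
    n=$given
    while [ "$n" -lt 4 ]; do addr="$addr.0"; n=$((n + 1)); done   # pad to 4 octets
    printf '%s/%s\n' "$addr" "$plen"
}

# emit_rules FILE TARGET: one rule per address and protocol, in file order.
emit_rules() {
    while read -r ip _ || [ -n "$ip" ]; do         # "|| [ -n ]" keeps a last line lacking a newline
        case $ip in ''|\#*) continue ;; esac       # skip blanks and comments
        if cidr=$(wild_to_cidr "$ip"); then
            for proto in tcp udp; do
                printf 'iptables -A %s -p %s -s %s --dport %s -j %s\n' \
                    "$CHAIN" "$proto" "$cidr" "$PORT" "$2"
            done
        else
            echo "skipping unparsable address: $ip" >&2
        fi
    done < "$1"
}

# build_rules WHITELIST BLACKLIST: print the commands that rebuild the chain.
# Blacklist first, so a blocked host inside a whitelisted subnet stays
# blocked; the chain ends with a default deny for the port.
build_rules() {
    printf 'iptables -N %s 2>/dev/null\n' "$CHAIN"   # create once, ignore "already exists"
    printf 'iptables -F %s\n' "$CHAIN"               # flush: makes re-runs idempotent
    emit_rules "$2" DROP
    emit_rules "$1" ACCEPT
    for proto in tcp udp; do
        printf 'iptables -A %s -p %s --dport %s -j DROP\n' "$CHAIN" "$proto" "$PORT"
    done
    # Hook the chain into INPUT exactly once (-C needs iptables >= 1.4.11).
    printf 'iptables -C INPUT -j %s 2>/dev/null || iptables -I INPUT -j %s\n' "$CHAIN" "$CHAIN"
}

# sh acl.sh print -> show the commands;  sh acl.sh apply -> run them (as root)
case ${1:-} in
    print) build_rules "$WHITELIST" "$BLACKLIST" ;;
    apply) build_rules "$WHITELIST" "$BLACKLIST" | sh ;;
esac
```

Run `sh acl.sh print` to see the generated commands and `sh acl.sh apply` as root to load them; for the "live" part, re-run it from cron or from an `inotifywait` loop (inotify-tools) watching the two files, which is John's mtime suggestion in executable form. The chain ends with two default DROP rules for the port, so an address present in neither file is refused; delete those two lines if the rest of INPUT should decide instead. Unlike the poster's sketch, every list entry is validated before it is interpolated into a command, so a stray `;` in the file cannot become a second command when the output is piped into `sh`. `iptables -C`, used to avoid inserting the INPUT hook twice, appeared long after this 2004 thread; on older versions insert the hook once by hand.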
    

