iptables: Banning IPs from .txt file & adding them 'on the fly'?
I run a gameserver and every now and then I have to deal with cheaters. For some reason these clowns manage to either nullify or spoof their GUIDs so that I cannot ban them the normal way. Therefore I have to ban their IPs and hope that they are retarded enough not to use a VPN or have a dynamic IP.
To do so I'm using iptables, with the following command:
iptables -A INPUT -s XXX.XXX.XXX.XXX -p udp -m udp --dport 28960:28965 -j DROP
However, I also want to give my friends the opportunity to ban cheaters when I'm not online. Therefore I'm looking for some sort of way/script to ban IPs.
Personally, I was thinking of storing IPs in a .txt file which I can have my friends edit using OneFileCMS or something. Then some cronjob should issue a script every minute so that these new IPs will be added to the firewall. My problem, however, is: how do I recursively load IPs from another file into iptables using the command above?
If you guys have any other suggestions I would love to hear them as well
Thanks!
Comments
Create a web script (PHP) that only they have access to, to allow them to directly add an IP to your blacklist.
With PHP, an extremely basic process is:
Where do_stuff would operate on each line, referenced as $line[$line_num].
http://www.lowendtalk.com/discussion/4185/sshcheck.php-blocking-ssh-bruteforce-attempts-against-client-vps-containers is a script I wrote that could potentially be used as a basis.
Iptables has a line option, if you knew that these rules would always be inserted after line 12, you could do something like
or
Please forgive my bad wiki kung fu.
Read file lines, run a foreach loop, then just do: if remote addr is in the list, redirect it to a blocked page or something (PHP).
iptables-restore data.txt
http://configserver.com/cp/csf.html
file="/path/to/file.txt"
# IPs already dropped for the game ports, one per line (column 4 of iptables -L -n is the source)
existing_drop=$(iptables -L INPUT -n | grep DROP | grep 28965 | awk '{print $4}')
# IPs in the file that are not dropped yet: -x matches whole lines, -F takes the list literally; grep -v with an empty pattern would filter out every line, so skip the filter when nothing is dropped yet
if [ -n "$existing_drop" ]; then new_drop=$(grep -vxF "$existing_drop" "$file" | xargs); else new_drop=$(xargs < "$file"); fi
for dropip in $new_drop; do iptables -A INPUT -s $dropip -p udp -m udp --dport 28960:28965 -j DROP; done
Con: does not automatically remove IPs - needs at least 1 (fake) IP dropped all the time, else it does not work
@Freek I have sent you a PM
Simple shell script
For a cron-job-based one with a txt file you can
Thanks for all the replies guys, appreciate it!
@gubbyte @curtisg That's the idea, sadly my scripting skills are very limited. Hence I'm asking for pointers i.e. examples here
@Damian I took a look at your other script but I can't seem to find exactly where the 'magic' is happening. The email stuff takes up a large part of the script.
do_stuff is where the magic is supposed to happen, right?
@flrichar I don't quite understand how this can be used in my situation?
Lol, really, that easy? And what about duplicates? For example if I add this command as a cronjob and run it every minute, will it add the previous ones as well?
@jarland I think csf is a bit overkill for what I'm trying to achieve.
@William what do you mean by 'does not automatically remove IPs' ? Also a fake IP is no problem.
@joodle replied!
@AnthonySmith Wow, thanks! I'm looking for a cron based one, as my friends do not have/get access to SSH.
I'm a bit confused by your script. The first line says 'while read ipban'. What does ipban do in that sentence? The file is supposed to be named file.txt, right?
I see it removes the file afterwards to prevent duplicates. That's great, but if I restart the server, all IPs are gone, right?
Thanks!
@Freek My point was just that, given a script, you can insert/append the iptables rules wherever you wanted. You could wipe out the entire list (using line numbers) or perhaps have a separate chain just for new ip addresses. Like perm-banned and temp-banned, etc.
ipban just represents the variable which is the IP; it could say beans or flurbleburb.
What it does in simple terms is say: while reading ipban (ipban being the variable) do the following; it is 'done' when it has finished going through your txt file line by line, and each line it reads becomes $ipban.
The txt file can be named whatever you want, just update the script accordingly. That is correct though, you should really save your iptables; to get around that you could use this instead.
Then on start up after a reboot you can just do
cat /root/perm-ban-list.txt > /path/to/your/file.txt
It's a little manual but you could build on it; if you need a hand with any simple scripts like this you can always drop me a PM.
@AnthonySmith wins!
@Freek
Little PHP script I just put together as an example (not the best method, but an easy one):
http://pastebin.com/S2rWuhK1
It's really pretty small, easy to configure, has a web interface.
Csf a web interface? Sweeeeet. Only worked in cli so far.
I think using the IPset (http://ipset.netfilter.org/) module to ban thousands of IPs dynamically is much better than pure iptables commands.
If your iptables has the xt_recent module, and you don't have to ban by subnet,
-A INPUT -m recent --name BAN --rcheck -j DROP
and
echo "+1.2.3.4" > /proc/net/xt_recent/BAN
will do without on-the-fly iptables rules.
Why not make it a little easier with CSF? I believe you can add IPs into a .txt to ban with CSF.
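The ipset and xt_recent suggestions above both keep the ban list out of the rule table and update it on the fly. The following is an added example (not posted by anyone in this thread) of the ipset variant done end to end: one iptables rule consults a kernel set, and the .txt is turned into an `ipset restore` script that is built in a scratch set and swapped in atomically. That way the rule list never grows, removing a line from the file also lifts the ban (the plain `-A` loop cannot do that), and a half-written file never leaves the set half empty. The set name "gameban" and the banlist path are assumptions; the port range is the one from the question.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: set "gameban", file
# /etc/gameban/banlist.txt. Port range taken from the original question.
BANFILE="${BANFILE:-/etc/gameban/banlist.txt}"
BANSET="${BANSET:-gameban}"
PORTS="28960:28965"
# POSIX ERE for one octet 0-255; four of them make a strict dotted quad.
OCT='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'

# One-time setup: the set plus a single rule in front of INPUT for the game ports.
setup_ipset() {
    ipset create "$BANSET" hash:ip -exist
    iptables -C INPUT -p udp -m udp --dport "$PORTS" -m set --match-set "$BANSET" src -j DROP 2>/dev/null ||
        iptables -I INPUT -p udp -m udp --dport "$PORTS" -m set --match-set "$BANSET" src -j DROP
}

# Print an `ipset restore` script for the addresses in file $1. Comments (#...),
# blank lines, stray whitespace and CRLF endings from web editors are tolerated;
# anything that is not a plain IPv4 address is dropped by the grep, because
# ipset restore aborts on a bad line and the file is edited by other people.
ipset_script() {
    tmpset="${BANSET}_new"
    printf 'create %s hash:ip -exist\n' "$tmpset"
    printf 'flush %s\n' "$tmpset"
    tr -d '\r' < "$1" | sed 's/#.*//' | tr -d ' \t' |
        grep -Ex "($OCT\.){3}$OCT" | sort -u |
        while IFS= read -r ip; do printf 'add %s %s\n' "$tmpset" "$ip"; done
    printf 'swap %s %s\n' "$tmpset" "$BANSET"
    printf 'destroy %s\n' "$tmpset"
}

# Cron entry point: rebuild the set from the file, then keep a copy for reboots
# (load it again at boot with: ipset restore -exist < /etc/gameban/ipset.save).
sync_bans() {
    ipset_script "$BANFILE" | ipset restore
    ipset save "$BANSET" > "${BANFILE%/*}/ipset.save"
}

# Only touch the kernel when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--sync" ]; then
    setup_ipset
    sync_bans
fi
```

Run `sh banlist-ipset.sh --sync` from cron every minute; `ipset_script banlist.txt` on its own shows exactly what would be loaded, which is handy when someone edits the file by hand.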
@AnthonySmith indeed wins! Anthony and I discussed the script over email and Anthony has made some improvements. The latest and final version can be found here:
http://pastebin.com/4JEbN28m
Thanks once again Anthony, it works flawlessly!
I also wrote about it here
http://www.lowendguide.com/scripts/easy-add-ip-to-be-blocked-by-iptables/
I would run some sanity checks on the .txt - lots of opportunities for shell mischief.
Also make sure someone doesn't put the server's IP in...
True, true. But still does the job I need it for.
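The last two replies are the part a defender would not skip: a file that other people edit and that a root cron job feeds into iptables needs every line checked before it goes anywhere near a command, and the server's own address must never end up in it. The following is an added example (not the script from the thread, nor Anthony's pastebin) of the cron-based loader the original question asks for, with those checks built in: it rejects anything that is not a strict dotted quad, refuses the server's own address, and only appends rules for addresses that are not banned yet, so running it every minute does not create duplicates. The banlist path, the GAMEBAN chain name and SERVER_IP (a documentation-range placeholder) are assumptions; the port range is the one from the question.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: BANFILE path, chain name
# GAMEBAN, SERVER_IP placeholder; port range from the original question.
BANFILE="${BANFILE:-/etc/gameban/banlist.txt}"
CHAIN="${CHAIN:-GAMEBAN}"
SERVER_IP="${SERVER_IP:-192.0.2.1}"
PORTS="28960:28965"
IPT="${IPT:-iptables}"

# Strict dotted-quad check: only digits and dots, exactly four octets, each 0-255.
# Hostnames, CIDR ranges and anything with shell metacharacters are rejected.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Addresses already in the ban chain, one per line (iptables -S prints hosts as a.b.c.d/32).
current_bans() {
    "$IPT" -S "$CHAIN" 2>/dev/null | sed -n 's|^-A [^ ]* -s \([0-9.]*\)/32 .*|\1|p'
}

# Print the addresses from file $1 that are valid, not the server itself, and
# not already in the newline-separated list $2. Comments (#...), blank lines,
# stray whitespace and CRLF endings from web editors are tolerated.
pending_ips() {
    tr -d '\r' < "$1" | sed 's/#.*//' | tr -d ' \t' | grep -v '^$' | sort -u |
    while IFS= read -r ip; do
        if ! valid_ipv4 "$ip"; then
            echo "banlist: ignoring invalid entry '$ip'" >&2
        elif [ "$ip" = "$SERVER_IP" ]; then
            echo "banlist: refusing to ban the server's own address" >&2
        elif ! printf '%s\n' "$2" | grep -qxF -- "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# One-time setup: a dedicated chain, hooked into INPUT for the game ports only,
# so the per-IP rules stay short and are easy to list, count and flush.
setup_chain() {
    "$IPT" -N "$CHAIN" 2>/dev/null || true
    "$IPT" -C INPUT -p udp -m udp --dport "$PORTS" -j "$CHAIN" 2>/dev/null ||
        "$IPT" -I INPUT -p udp -m udp --dport "$PORTS" -j "$CHAIN"
}

# Cron entry point: append only what is new. Persist with iptables-save
# afterwards (and iptables-restore at boot) so the bans survive a reboot.
apply_bans() {
    existing=$(current_bans)
    pending_ips "$BANFILE" "$existing" | while IFS= read -r ip; do
        "$IPT" -A "$CHAIN" -s "$ip" -j DROP
        echo "banlist: banned $ip"
    done
}

# Only touch iptables when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--apply" ]; then
    setup_chain
    apply_bans
fi
```

A crontab line such as `* * * * * /usr/local/sbin/banlist.sh --apply` does the minute-by-minute loading; rejected entries go to stderr, so cron mails them to root, which is the cheapest possible audit trail for what friends put in the file.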