[ale] Easy way to add and delete iptables rules
Alex Carver
agcarver+ale at acarver.net
Fri Aug 26 17:08:08 EDT 2016
On 2016-08-26 05:58, Chris Fowler wrote:
>
>
> --------------------------------------------------------------------------------
>
> *From: *"Alex Carver" <agcarver+ale at acarver.net>
> *To: *ale at ale.org
> *Sent: *Thursday, August 25, 2016 11:48:44 PM
> *Subject: *Re: [ale] Easy way to add and delete iptables rules
>
> I would actually do something entirely different and use ipsets and the
> PREROUTING chain.
>
> Set up a new chain:
>
> iptables -N bad_test_scores
> iptables -A bad_test_scores -m set --match-set badtestscores src -j LOG --log-prefix="bad test score:"
> iptables -A bad_test_scores -m set --match-set badtestscores src -j REJECT
> iptables -A PREROUTING -j bad_test_scores
>
>
> I may be missing something
>
> root at debian:/tmp# /tmp/t.sh
> + iptables -N bad_test_scores
> + iptables -A bad_test_scores -m set --match-set badtestscores src -j LOG --log-prefix='bad test score:'
> + iptables -A bad_test_scores -m set --match-set badtestscores src -j REJECT
> + iptables -A PREROUTING -j bad_test_scores
> iptables: No chain/target/match by that name.
>
Actually, looking at it now it may be that you don't have the ipset hash
table created yet so it's complaining.

I also forgot that part. You need to create the ipset first:

ipset create badtestscores hash:net family inet hashsize 1024 maxelem 16384

I have this all scripted on some machines. The script that restores the
iptables rules calls ipset with its own restore command which will
create the hash table and then populate it with some already defined
data. In your case the ipset restore file is going to only be a
"create" line. After ipset is done, iptables can do its restore.

Once the hash table is set, you use the add/del commands as I wrote
previously.
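One way to script the ordering described above (ipset restore first, then the iptables restore that references the set), as an added example that is not code from the original thread. The set and chain names follow the thread; the file paths, the block/unblock helpers and the rate limit on the LOG rule are assumptions, and the chain is hooked from the filter table's INPUT and FORWARD chains because PREROUTING exists only in the nat, mangle and raw tables and REJECT is only accepted in INPUT, FORWARD and OUTPUT.

```shell
#!/bin/sh
# Added example (not from the thread): restore the ipset before the
# iptables rules that reference it, then manage blocks with add/del.
# File paths, helper names and the LOG rate limit are assumptions.
set -eu

IPSET_FILE=${IPSET_FILE:-/etc/ipset.conf}
IPT_FILE=${IPT_FILE:-/etc/iptables.rules}

# ipset restore input: only a "create" line is needed here.
ipset_restore_text() {
    printf '%s\n' \
      'create badtestscores hash:net family inet hashsize 1024 maxelem 16384'
}

# iptables-restore input for the filter table. The chain is hooked from
# INPUT and FORWARD: PREROUTING exists only in nat/mangle/raw, and REJECT
# is only a valid target in INPUT, FORWARD and OUTPUT. The limit match
# keeps a flood of matched packets from filling the log.
iptables_restore_text() {
    cat <<'EOF'
*filter
:bad_test_scores - [0:0]
-A bad_test_scores -m set --match-set badtestscores src -m limit --limit 5/min -j LOG --log-prefix "bad test score: "
-A bad_test_scores -m set --match-set badtestscores src -j REJECT
-A INPUT -j bad_test_scores
-A FORWARD -j bad_test_scores
COMMIT
EOF
}

# Load in the order that matters: the set must exist before iptables-restore
# parses the -m set rules. -exist makes re-running idempotent; the rules
# file replaces the whole filter table, as iptables-restore normally does.
apply_rules() {
    ipset_restore_text > "$IPSET_FILE"
    iptables_restore_text > "$IPT_FILE"
    ipset -exist restore < "$IPSET_FILE"
    iptables-restore < "$IPT_FILE"
}

# Day-to-day use: add or remove networks without touching the rule set.
block_net()   { ipset -exist add badtestscores "$1"; }
unblock_net() { ipset -exist del badtestscores "$1"; }

case "${1:-}" in
    apply)   apply_rules ;;
    block)   block_net "$2" ;;
    unblock) unblock_net "$2" ;;
esac
```

Run as root with `apply` once at boot, then `block 203.0.113.0/24` or `unblock 203.0.113.0/24` as needed; the addresses are ipset entries, so the iptables rules never change.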