[ale] Easy way to add and delete iptables rules

James Sumners james.sumners at gmail.com
Fri Aug 26 09:18:39 EDT 2016


This is great. I had no idea `ipset` exists. And it looks like it has been
backported to RHEL 6; I see some firewall re-writing in my future.

On Thu, Aug 25, 2016 at 11:48 PM, Alex Carver <agcarver+ale at acarver.net>
wrote:

> I would actually do something entirely different and use ipsets and the
> PREROUTING chain.
>
> Set up a new chain:
>
> ipset create badtestscores hash:ip   # the set must exist before iptables can reference it
> iptables -N bad_test_scores
> iptables -A bad_test_scores -m set --match-set badtestscores src -j LOG \
>     --log-prefix="bad test score:"
> iptables -A bad_test_scores -m set --match-set badtestscores src -j REJECT
> iptables -A PREROUTING -j bad_test_scores
>
> The PREROUTING chain is ahead of the decision point to traverse FORWARD
> or INPUT.  It will catch that IP so you don't need an additional squid
> entry.
>
>
>
> Then separately use ipset to add your IPs:
>
> ipset add badtestscores ${IP}
>
> or remove them:
>
> ipset del badtestscores ${IP}
>
>
> This part you can script with MQTT or similar and you won't have to
> touch iptables after the above setup.  Just remember to properly
> sanitize your input.
>
> On 2016-08-25 18:48, Chris Fowler wrote:
> > I'm trying to figure out the best way to add and remove iptables rules as required.
> >
> > I use this to block a laptop due to bad test scores :)
> >
> >
> > IP=192.168.1.153
> > #iptables -P FORWARD DROP
> > iptables -I FORWARD -s 0/0 -d ${IP} -j DROP
> > iptables -I FORWARD -s ${IP} -d 0/0 -j DROP
> > # Squid
> > iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3128 -s ${IP}/32 -j REJECT
> > iptables -A INPUT -i eth0 -p udp -m udp --dport 3128 -s ${IP}/32 -j REJECT
> >
> > The first two stop routing. The second two block squid access.
> >
> > Normally I'll just do an iptables-restore, but I'm running fail2ban and miniupnpd.
> > The restore blows away their rules.
> >
> > Do I create a custom chain for INPUT and FORWARD and simply delete rules in that?
> > Using MQTT this will become push-button, and the wife will simply push a button
> > on and then off.
> >
> >
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
>
>



-- 
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (music)
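The ipset-backed setup the thread converges on, as an added worked example written for this page; it is not code from James, Alex or Chris. It assumes a set named badtestscores, a chain named bad_test_scores and squid on TCP 3128 (all names from the thread, but the script itself is an assumption), and hooks the chain from INPUT and FORWARD in the filter table rather than from PREROUTING: the filter table has no PREROUTING chain, and the REJECT target is only valid in INPUT, FORWARD, OUTPUT and user chains reached from them. The jumps are inserted at position 1 so that rules fail2ban and miniupnpd append later cannot shadow them, and a later iptables-restore of their rules never has to know about the set. The valid_ipv4 check is the input sanitization Alex warns about: an address arriving over MQTT or from a web button is accepted only as a bare dotted quad, so nothing can smuggle a CIDR, a second address or shell metacharacters into the ipset call. Real runs need root and the iptables/ipset binaries; DRYRUN=1 prints the commands instead of executing them.

```sh
#!/bin/sh
# Added example for the ipset approach discussed in this thread; not the
# posters' own code.  Assumed names: set "badtestscores", chain
# "bad_test_scores", squid on TCP 3128.  DRYRUN=1 prints instead of running.

SET_NAME=${SET_NAME:-badtestscores}
CHAIN=${CHAIN:-bad_test_scores}
SQUID_PORT=${SQUID_PORT:-3128}

# Execute a command, or just echo it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Strict IPv4 check for untrusted input (MQTT payload, web button): exactly
# four decimal octets 0-255, no leading zeros, nothing else (no CIDR suffix,
# no whitespace, no shell metacharacters).  Subshell body keeps IFS local.
valid_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0[0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# One-time setup (run once; re-running would add duplicate jump rules).
# The chain is hooked from FORWARD for routed traffic in both directions and
# from INPUT for the local squid port, so no per-IP iptables rule is needed.
setup_firewall() {
    run ipset create -exist "$SET_NAME" hash:ip
    run iptables -N "$CHAIN"
    run iptables -F "$CHAIN"
    run iptables -A "$CHAIN" -m set --match-set "$SET_NAME" src \
        -j LOG --log-prefix "bad test score: "
    run iptables -A "$CHAIN" -m set --match-set "$SET_NAME" src -j REJECT
    run iptables -A "$CHAIN" -m set --match-set "$SET_NAME" dst -j REJECT
    run iptables -I FORWARD 1 -j "$CHAIN"
    run iptables -I INPUT 1 -p tcp --dport "$SQUID_PORT" -j "$CHAIN"
}

# Day-to-day operations: only the set changes; iptables is never touched.
block_ip() {
    valid_ipv4 "$1" || { printf 'refusing bad address: %s\n' "$1" >&2; return 2; }
    run ipset add -exist "$SET_NAME" "$1"
}

unblock_ip() {
    valid_ipv4 "$1" || { printf 'refusing bad address: %s\n' "$1" >&2; return 2; }
    run ipset del -exist "$SET_NAME" "$1"
}

# Usage: ./blocklist.sh setup | block 192.168.1.153 | unblock 192.168.1.153
case "${1:-}" in
    setup)   setup_firewall ;;
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
esac
```

Two design notes. The dst rule in the chain is what replaces Chris's second FORWARD rule (traffic towards the laptop); the INPUT jump is restricted to the squid port so the laptop can still reach DNS or DHCP on the router if it serves them, and only the TCP rule is needed because squid's proxy port is TCP. Because the set persists only in the kernel, save it with `ipset save` and restore it before iptables-restore on boot, or the restored rules will fail to load for want of the set.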