[ale] Easy way to add and delete iptables rules

Alex Carver agcarver+ale at acarver.net
Mon Aug 29 14:42:58 EDT 2016


Just remember to create an ipset table first before attempting to add
the iptables rule or it will bomb (see one of my later emails).

When your system restores them at boot, it has to do the same, restore
ipset first then iptables.


On 2016-08-26 06:18, James Sumners wrote:
> This is great. I had no idea `ipset` exists. And it looks like it has been 
> backported to RHEL 6; I see some firewall re-writing in my future.
> 
> On Thu, Aug 25, 2016 at 11:48 PM, Alex Carver <agcarver+ale at acarver.net> wrote:
> 
>     I would actually do something entirely different and use ipsets and the
>     PREROUTING chain.
> 
>     Set up a new chain:
> 
>     iptables -N bad_test_scores
>     iptables -A bad_test_scores -m set --match-set badtestscores src -j LOG --log-prefix="bad test score:"
>     iptables -A bad_test_scores -m set --match-set badtestscores src -j REJECT
>     iptables -A PREROUTING -j bad_test_scores
> 
>     The PREROUTING chain is ahead of the decision point to traverse FORWARD
>     or INPUT.  It will catch that IP so you don't need an additional squid
>     entry.
> 
> 
> 
>     Then separately use ipset to add your IPs:
> 
>     ipset add badtestscores ${IP}
> 
>     or remove them:
> 
>     ipset del badtestscores ${IP}
> 
> 
>     This part you can script with MQTT or similar and you won't have to
>     touch iptables after the above setup.  Just remember to properly
>     sanitize your input.
> 
>     On 2016-08-25 18:48, Chris Fowler wrote:
>      > I'm trying to figure out the best way to add and remove iptables rules as required.
>      >
>      > I use this to block a laptop due to bad test scores :)
>      >
>      >
>      >   IP=192.168.1.153
>      > #iptables -P FORWARD DROP
>      > iptables -I FORWARD -s 0/0 -d ${IP} -j DROP
>      > iptables -I FORWARD -s ${IP} -d 0/0 -j DROP
>      > # Squid
>      > iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3128 -s ${IP}/32 -j REJECT
>      > iptables -A INPUT -i eth0 -p udp -m udp --dport 3128 -s ${IP}/32 -j REJECT
>      >
>      > First two stop routing.  Second blocks squid access.
>      >
>      > Normally I'll just do an iptables-restore, but I'm using fail2ban and miniupnpd.  The
>      > restore blows away their rules.
>      >
>      > Do I create a custom chain for INPUT and FORWARD and simply delete rules in that?
>      > Using MQTT this will become push button and the wife will simply push a button on
>      > and then off.
>      >
>      >
>      >


