How to Block Blacklist in IPTables

In general, we seldom block a large set of IP addresses one by one by hand in IPTables. A more reasonable practice is to maintain an IP blacklist file and use a shell script to feed the file into IPTables automatically and, better still, periodically.

Your blacklist should be built from several sources. For more information on reliable blacklist sources and their automatic maintenance, you may refer to my post: How to Maintain Blacklist for IPTables Automatically

In this post, there are three major steps to batch-block all IP addresses in a blacklist with IPTables:
  1. Create a new chain in IPTables for blacklist.
  2. Maintain an IP blacklist file.
  3. Create an executable script to feed the blacklist into IPTables.
1. Create a new chain in IPTables
  • Create a new chain called BLACKLIST
    [root@test ~]# iptables -N BLACKLIST
  • Insert the chain at the top (first) position of the default chain INPUT
    [root@test ~]# iptables -I INPUT 1 -j BLACKLIST
  • See the content of the chain BLACKLIST; it’s empty as expected.
    [root@test ~]# iptables -L BLACKLIST
    Chain BLACKLIST (1 references)
    target     prot opt source               destination

  • Try to add a banned IP into the chain.
    [root@test ~]# iptables -A BLACKLIST -s 37.59.41.169/32 -j DROP
  • See the content of the chain BLACKLIST in numeric form; the IP has been added.
    [root@test ~]# iptables -L BLACKLIST -n
    Chain BLACKLIST (1 references)
    target     prot opt source               destination
    DROP       all  --  37.59.41.169         0.0.0.0/0

  • See the content of the chain BLACKLIST in literal form (without -n, iptables resolves the source to its reverse DNS name)
    [root@test ~]# iptables -L BLACKLIST
    Chain BLACKLIST (1 references)
    target     prot opt source               destination
    DROP       all  --  ks3002108.kimsufi.com  anywhere

  • If you don’t want the new rules in chain BLACKLIST, you can flush all rules out
    [root@test ~]# iptables -F BLACKLIST
  • If you want to keep the new chain and rules, you can persist them into IPTables
    [root@test ~]# iptables-save | tee /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Tue Jun 24 19:18:25 2014
    *filter
    ...
    :BLACKLIST - [0:0]
    -A INPUT -j BLACKLIST
    ...

2. Maintain an IP blacklist file
3. Create an executable script
  • Compose a script file called /path/to/add_blocked_ip.sh
    [root@test ~]# vi /path/to/add_blocked_ip.sh
    #!/bin/bash

    # Set all variables for your own needs
    BASE=/sbin/iptables
    IPLT=/path/to/blacklist
    CONF=/etc/sysconfig/iptables

    # Empty the chain BLACKLIST before adding rules
    $BASE -F BLACKLIST

    # Read $IPLT, skipping comment lines, blank lines and entries containing ':',
    # de-duplicate the list and add each IP into IPTables one by one
    /bin/egrep -v "^#|^$|:" "$IPLT" | sort -u | while read -r IP
    do
        $BASE -A BLACKLIST -s "$IP" -j DROP
    done

    # Save current configuration to file
    ${BASE}-save > "$CONF"

  • Don’t forget to make it executable
    [root@test ~]# chmod u+x /path/to/add_blocked_ip.sh
  • Execute the script file
    [root@test ~]# /path/to/add_blocked_ip.sh
  • Let’s see the current configuration
    [root@test ~]# iptables -L BLACKLIST -n
    Chain BLACKLIST (1 references)
    target     prot opt source               destination
    DROP       all  --  37.59.41.169         0.0.0.0/0
    DROP       all  --  203.0.113.0/24       0.0.0.0/0
    DROP       all  --  10.123.123.123       0.0.0.0/0

Furthermore, you can schedule a job for this script in the crontab so that the latest blacklist is reloaded into IPTables periodically.
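As an added example (not the post's own script), here is a stricter version of add_blocked_ip.sh written for POSIX sh: it validates each entry as an IPv4 address or CIDR and strips trailing comments before the entry is passed to iptables, so a typo or a stray token in the blacklist file cannot turn into a malformed rule or extra iptables arguments. The iptables path, blacklist path and save file are assumptions, as in the post.

```sh
#!/bin/sh
# Added example, not the original post's script: same job as add_blocked_ip.sh, but
# every entry is validated as an IPv4 address or CIDR before iptables ever sees it.
# The three paths are assumptions; adjust them for your system.
IPT=/sbin/iptables; IPLT=/path/to/blacklist; CONF=/etc/sysconfig/iptables
# is_ipv4_cidr ADDR: true only for a.b.c.d or a.b.c.d/n with octets 0-255 and n 0-32
is_ipv4_cidr() {
    local ip mask o n rest
    case $1 in */*) ip=${1%/*}; mask=${1#*/} ;; *) ip=$1; mask=32 ;; esac
    case $mask in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] 2>/dev/null || return 1
    n=0; rest=$ip.
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] 2>/dev/null || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}
# clean_blacklist FILE: print unique validated entries; comments, blank lines and
# IPv6 (':') are dropped as the original egrep does, malformed lines go to stderr
clean_blacklist() {
    grep -Ev '^#|^$|:' "$1" | while read -r line; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')   # drop trailing comment
        [ -n "$line" ] || continue
        if is_ipv4_cidr "$line"; then printf '%s\n' "$line"
        else printf 'skipping malformed blacklist entry: %s\n' "$line" >&2; fi
    done | sort -u
}
# feed_blacklist FILE: rebuild chain BLACKLIST from FILE, then persist the ruleset
feed_blacklist() {
    "$IPT" -F BLACKLIST
    clean_blacklist "$1" | while read -r ip; do "$IPT" -A BLACKLIST -s "$ip" -j DROP; done
    "${IPT}-save" > "$CONF"
}
# write_sample_blacklist FILE: constructed sample input for trying clean_blacklist
write_sample_blacklist() {
    cat > "$1" <<'EOF'
# constructed sample blacklist
37.59.41.169
203.0.113.0/24     # trailing comment is stripped
37.59.41.169       # duplicate, collapsed by sort -u
2001:db8::1        # IPv6, skipped by the grep
999.1.1.1          # malformed, rejected
198.51.100.7/33    # bad prefix length, rejected
EOF
}
if [ $# -gt 0 ]; then feed_blacklist "$1"; fi   # run only when given a path, e.g. from cron
```

write_sample_blacklist writes a constructed file you can run clean_blacklist against without touching iptables; feed_blacklist itself needs root.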
