How to Block Blacklist in IPTables

How to Maintain Blacklist for IPTables Automatically

In general, we seldom block each of a bunch of IP addresses one by one with bare hands in IPTables. A more reasonable practice is to maintain a IP blacklist file and use a shell script to feed the file into IPTables automatically, and better, periodically.

Your blacklist should be formed by different sources. For more information on reliable sources of blacklist and automatic maintenance, you may refer to my post: How to Maintain Blacklist for IPTables Automatically

In this post, there're three major steps to batch block all IP addresses in a blacklist with IPTables:

1. Create a new chain in IPTables for blacklist.
2. Maintain an IP blacklist file.
3. Create an executable script to feed the blacklist into IPTables.

1. Create a new chain in IPTables

• Create a new chain called BLACKLIST
[root@test ~]# iptables -N BLACKLIST

• Insert the chain at the top (first) position of the default chain INPUT
[root@test ~]# iptables -I INPUT 1 -j BLACKLIST

• See the content of the chain BLACKLIST
It's empty as expected.
[root@test ~]# iptables -L BLACKLIST
Chain BLACKLIST (1 references)
target     prot opt source               destination

• Try to add a banned IP into the chain.
[root@test ~]# iptables -A BLACKLIST -s 37.59.41.169/32 -j DROP

• See the content of the chain BLACKLIST in numeric form
The IP has been added
[root@test ~]# iptables -L BLACKLIST -n
Chain BLACKLIST (1 references)
target     prot opt source               destination
DROP       all  --  37.59.41.169         0.0.0.0/0

• See the content of the chain BLACKLIST in literal form
[root@test ~]# iptables -L BLACKLIST
Chain BLACKLIST (1 references)
target     prot opt source               destination
DROP       all  --  ks3002108.kimsufi.com  anywhere

• If you don't want the new rules in chain BLACKLIST, you can flush all rules out
[root@test ~]# iptables -F BLACKLIST

• If you wan to keep the new chain and rules, you can persist it into IPTables
[root@test ~]# iptables-save | tee /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Jun 24 19:18:25 2014
*filter
...
:BLACKLIST - [0:0]
-A INPUT -j BLACKLIST
...

2. Maintain an IP blacklist file

• Create and maintain an IP blacklist file like this:
[root@test ~]# cat /path/to/blacklist
# Listed in CBL
37.59.41.169

# Malicious Visitors
203.0.113.0/24
10.123.123.123
You can have comment lines or blank lines to divide several kinds of IP. The format of IP addresses must follows Classless Inter-Domain Routing (CIDR).

A better practice to maintain the blacklist automatically can be found at:
How to Maintain Blacklist for IPTables Automatically

3. Create an executable script

• Compose a script file called /path/to/add_blocked_ip.sh
[root@test ~]# vi /path/to/add_blocked_ip.sh
#!/bin/bash

# Set all variables for your own needs
BASE=/sbin/iptables
IPLT=/path/to/blacklist
CONF=/etc/sysconfig/iptables

# Empty the chain BLACKLIST before adding rules
$BASE -F BLACKLIST

# Read $IPLT and add IP into IPTables one by one
/bin/egrep -v "^#|^$|:" $IPLT | sort | uniq | while read IP
do
    $BASE -A BLACKLIST -s $IP -j DROP
done

# Save current configuration to file
$BASE-save > $CONF

• Don't forget to make it executable
[root@test ~]# chmod u+x /path/to/add_blocked_ip.sh

• Execute the script file
[root@test ~]# /path/to/add_blocked_ip.sh

• Let's see the current configuration
[root@test ~]# iptables -L BLACKLIST -n
Chain BLACKLIST (1 references)
target     prot opt source               destination
DROP       all  --  37.59.41.169         0.0.0.0/0
DROP       all  --  203.0.113.0/24       0.0.0.0/0
DROP       all  --  10.123.123.123       0.0.0.0/0

Furthermore, you can schedule a job for this script in the crontab for updating the newest blacklist into IPTables periodically.