Last active
August 29, 2015 14:06
-
-
Save SoledaD208/aa12cb296c7ab0bb1d34 to your computer and use it in GitHub Desktop.
a tiny python script to get national IPs, then config iptables to permit all these IPs and block all the foreign traffic (for CentOS)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sciprt's written by SoledaD208, email: not.soledad@gmail.com | |
| # script get national IP from http://www.ipaddresslocation.org, permit all these IP with minimum policy (enable ssh only) | |
| # block all the foreign traffic | |
| # script create 2 new chains in Iptables: VIETNAM-INPUT and NOT-VIETNAM-INPUT: | |
| # accept just ssh protocol in VIETNAM-INPUT chain | |
| # all these foreign traffic jump to NOT-VIETNAM-INPUT chain and block by default | |
| # if have internal networks, you should create more chain for these networks, or add smt like this to iptables config file: | |
| # -A INPUT -i internallIf -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
| import re | |
| import shutil | |
| import requests | |
| # Create payload to get IP | |
| payload = {'country': 'VN', 'prefix': '', 'output': 'cidr'} | |
| # Send request to http://www.ipaddresslocation.org | |
| r = requests.post('http://www.ipaddresslocation.org/ip_ranges/get_ranges.php', data=payload) | |
| confIpt = raw_input("config iptbles? ") | |
| if confIpt == 'y' or confIpt == 'Y' or confIpt == 'Yes' or confIpt == 'YES': | |
| # backup config file | |
| shutil.copyfile('/etc/sysconfig/iptables', '/etc/sysconfig/iptables.bak') | |
| print 'current iptables config file is backuped to iptables.bak' | |
| while True: | |
| sshInput = raw_input("Which's ssh port? ") | |
| try: | |
| ssh = int(sshInput) | |
| except ValueError: | |
| print("That's not an int!") | |
| continue | |
| else: | |
| break | |
| tempF = open('iptablesv5','r') | |
| tempRules = tempF.readlines() | |
| tempF.close() | |
| for i in re.findall(''' (.+)<br />''', r._content, re.I): | |
| tempRules.insert(8,'-A INPUT -s ' + i + ' -j VIETNAM-INPUT\n') | |
| tempRules.insert(8,'-A FORWARD -s ' + i + ' -j VIETNAM-INPUT\n') | |
| ipt = file('/etc/sysconfig/iptables', 'wt') | |
| rules = "".join(tempRules) | |
| rules = rules.replace('--dport 22', '--dport ' + sshInput) | |
| ipt.write(rules) | |
| ipt.close() | |
| else: | |
| exit() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *filter | |
| :INPUT ACCEPT [0:0] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| :VIETNAM-INPUT - [0:0] | |
| :NOT-VIETNAM-INPUT - [0:0] | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| -A VIETNAM-INPUT -p icmp --icmp-type any -j ACCEPT | |
| -A VIETNAM-INPUT -p tcp --dport 22 -j ACCEPT | |
| -A VIETNAM-INPUT -j REJECT --reject-with icmp-host-prohibited | |
| -A INPUT -j NOT-VIETNAM-INPUT | |
| -A FORWARD -j NOT-VIETNAM-INPUT | |
| -A NOT-VIETNAM-INPUT -j DROP | |
| COMMIT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment