Created
September 14, 2014 11:16
-
-
Save alain75007/f98aea45709648e7f482 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Simple iptables IP/subnet block script | |
| # Based on works by "nixCraft project" : http://bash.cyberciti.biz/firewall/iptables-block-ip-address/ | |
| # ------------------------------------------------------------------------- | |
| # Copyright (c) 2014 Alain Beauvoi <http://questioncode.fr/> | |
| # This script is licensed under GNU GPL version 2.0 or above | |
| # ------------------------------------------------------------------------- | |
| # This script is part of questioncode.fr project | |
| # Visit http://questioncode.fr/ for more information. | |
| # ---------------------------------------------------------------------- | |
| IPT=/sbin/iptables | |
| IPTS=/sbin/iptables-save | |
| SPAMLIST="spamlist" | |
| LISTDIR="/root/iptables" | |
| FILE="$LISTDIR/$SPAMLIST" | |
| usage() | |
| { | |
| cat << EOF | |
| usage: $0 -[a|f|h|l] spamlist | |
| This script use iptables to block or unblock ip address (eg. 189.120.64.25) or range or ip address range (eg. 189.120.64.0/24) | |
| ip address or ip address range must be specified in a file | |
| FILE: Optional spamlist file in $LISTDIR default: spamlist | |
| OPTIONS: | |
| -h Show this message | |
| -a block all ip addresses or ip ranges in spamlist file | |
| -f unblock all ip addresses or ip ranges in spamlist file | |
| -l list iptables spamlist current configuration | |
| EOF | |
| exit | |
| NOTES | |
| 1. iptable rules are save permanently | |
| 2. On Ubuntu or DEBIAN install iptables-persistent \(apt-get install iptables-persistant\) to allow permanent iptable rules. | |
| 3. On RELH or CENTOS service called "iptables" must be enabled | |
| } | |
| chain_exists() | |
| { | |
| $IPT -L $1 -n >/dev/null 2>&1 | |
| } | |
| containsElement () { | |
| local e | |
| for e in "${@:2}"; do [[ "x$e" == "x$1" ]] && return 0; done | |
| return 1 | |
| } | |
| save_chain() | |
| { | |
| if [ -f '/etc/iptables/rules.v4' ] ; then | |
| # Debian or Ubuntu | |
| $IPTS > /etc/iptables/rules.v4 | |
| elif [ -f '/etc/sysconfig/iptables' ] ; then | |
| $IPTS > /etc/sysconfig/iptables | |
| fi | |
| } | |
| flush_chain() | |
| { | |
| # flush spamlist | |
| local e | |
| chain_exists && $IPT --flush $SPAMLIST && echo "$SPAMLIST Flushed" && save_chain && return 0 | |
| return 1 | |
| } | |
| if [ $# -eq 0 ] ; then echo "Missing parameter" ; usage ; fi | |
| if [ $# -gt 2 ] ; then echo "Invalid or incompatible parameters" ; usage ; fi | |
| argArray=('-f' '--flush' '-a' '--add' '-h' '--help' '-l' '--list') | |
| containsElement "$1" "${argArray[@]}" || (echo "Wrong argument" ; usage ) | |
| if [ "$1" == '-h' ] || [ "$1" == '--help' ] ; then usage ; fi | |
| if [ "$1" == '-l' ] || [ "$1" == '--list' ] ; then $IPT -L $SPAMLIST -n -v ; exit; fi | |
| if [ $1 == '-a' ] || [ $1 == '--add' ] ; then | |
| [ $# -eq 2 ] && FILE=$2 | |
| if [ ! -f "$FILE" ] ; then echo "$FILE doesn't exist" ; exit ; fi | |
| BADIPS=$(egrep -v -E "^#|^$" $FILE) | |
| SPAMDROPMSG="SPAM LIST DROP" | |
| # create a new iptables list if none | |
| if [ ! chain_exists ] ; then | |
| echo "Create chain $SPAMLIST" | |
| $IPT -N $SPAMLIST | |
| else | |
| flush_chain | |
| fi | |
| for ipblock in $BADIPS ; do | |
| $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG" | |
| $IPT -A $SPAMLIST -s $ipblock -j DROP | |
| done | |
| $IPT -I INPUT -j $SPAMLIST | |
| $IPT -I OUTPUT -j $SPAMLIST | |
| $IPT -I FORWARD -j $SPAMLIST | |
| echo "SPAMFILE is $FILE" | |
| echo "chain list $SPAMLIST updated" | |
| elif [ "$1" == '-f' ] || [ "$1" == '--flush' ] ; then flush_chain ; fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment