IPTables provides you a way to make your own chains. A chain in iptables is a section of rules that iptables will run through whenever you specify. The main chain for input is the INPUT chain. I recently needed to start blacklisting ip addresses trying to attack us and it was necessary to create a new chain where I could store those ip’s instead of throwing them on the default INPUT chain which would be messy and stupid. So instead, I created my new chain, told the INPUT chain to run through it before doing anything else, and then added the ip’s I wanted blacklisted to it. Here’s what my iptables file looks like:
*filter :INPUT DROP [1871:61412] :FORWARD DROP [0:0] :OUTPUT ACCEPT [43699803:116552495504] #Here we define our blacklist chain and tell iptables to run through those rules first then continue -N BLACKLIST # Make our chain -A INPUT -j BLACKLIST # enable our chain #regular ruleset -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ...... (cut here)
Now we can add to the blacklist table at will using our commands or we can just put entries in our iptables file. Its totally up to you. I will show how to do this via the command line since I intend to make some scripts to do this automagically if someone is requesting administrative panels on our web server or trying to port scan us etc..
# iptables -A BLACKLIST -s 126.96.36.199/32 -j DROP # To add an entry # iptables -D BLACKLIST -s 188.8.131.52/32 -j DROP # To remove and entry
You can of course do a whole network if you’d like. Here I specified a single host.
More to come on the cool stuff I can do when we involve a little scripting with this!