The stuff in my last post just felt wrong, so wrong I couldn’t get to sleep last night. I figured out I didn’t like having all the duplicated rules; it seems like bad form to need two rules for each IP you want to blacklist. So I revised it:
root@machine:~# iptables -N BLACKLIST
root@machine:~# iptables -A BLACKLIST -s 0/0 -j LOG \
--log-prefix "Traffic from blacklisted IP: "
root@machine:~# iptables -A BLACKLIST -s 0/0 -j DROP
The change is that the BLACKLIST chain now logs and drops *all* traffic sent to it, so the per-IP rule only has to jump to the chain. Now we modify blacklist_ip.sh like so:
#!/bin/bash
IP="$1"
echo "Blacklisting $IP."
# One rule per IP: send everything from this source to the BLACKLIST chain,
# which does the logging and dropping.
iptables -A INPUT --src "$IP" -j BLACKLIST
# Keep a record of when each IP was blacklisted.
echo "$(date): $IP" >> /var/log/blacklisted_ips
I believe this to be a simpler, cleaner, and more manageable way of blacklisting IPs.
Update: make sure you remove the -A INPUT -j BLACKLIST rule!!!
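Added example, not the post's own script: the same one-rule-per-IP design, with the two things I would want before running it from a script or a fail2ban-style hook, namely validation of the address argument (so a stray string cannot become extra iptables options) and an `iptables -C` existence check so re-running it does not stack duplicate INPUT rules. The DRY_RUN and LOGFILE variable names are assumed here; DRY_RUN=1 prints the rule instead of applying it.

```shell
#!/bin/bash
# Added example (not from the original post). Per-IP rules only jump to the
# BLACKLIST chain, which logs and drops; this version also validates input,
# creates the chain if it is missing, and refuses duplicate INPUT rules.
# DRY_RUN and LOGFILE are assumed names: DRY_RUN=1 prints instead of applying.

LOGFILE="${LOGFILE:-/var/log/blacklisted_ips}"

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /prefix.
valid_ipv4() {
    local ip="$1" prefix="" octet
    case "$1" in
        */*)
            prefix="${1#*/}"; ip="${1%%/*}"
            case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1 ;;
    esac
    local IFS=.
    set -- $ip
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Send traffic from $1 to BLACKLIST. Prints the rule it adds (or would add).
blacklist_ip() {
    local ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "refusing to blacklist invalid address: $ip" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # -N only succeeds the first time, so the chain body is built once.
        if iptables -N BLACKLIST 2>/dev/null; then
            iptables -A BLACKLIST -j LOG --log-prefix "Traffic from blacklisted IP: "
            iptables -A BLACKLIST -j DROP
        fi
        # -C (iptables 1.4.11+) reports whether the rule already exists.
        if iptables -C INPUT -s "$ip" -j BLACKLIST 2>/dev/null; then
            echo "$ip is already blacklisted"; return 0
        fi
        iptables -A INPUT -s "$ip" -j BLACKLIST || return 1
        echo "$(date): $ip" >> "$LOGFILE"
    fi
    echo "iptables -A INPUT -s $ip -j BLACKLIST"
}

if [ "$#" -gt 0 ]; then blacklist_ip "$1"; fi
```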