Iptables


Blacklist automatisch aus Spam Mails generieren

Datei /etc/iptables/generate-blacklist-from-mail.sh

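#!/usr/bin/env bash
# Build the iptables blocklist from the mails filed in the ".for_blacklist"
# Maildir folder: every IPv4 address found in those messages is merged into
# /etc/iptables/iptables-block.list (the previous list is kept as *_backup)
# and the firewall chain is reloaded afterwards.
#
# Whoever can get a mail into that folder decides what ends up in the drop
# list: -o extracts every dotted quad in the message text (body included),
# not only the sending host from the Received: headers. Keep your own
# addresses, gateways and monitoring hosts in WHITELIST_RE and review the
# resulting list from time to time.
set -euo pipefail

readonly BLOCKLIST=/etc/iptables/iptables-block.list
readonly BACKUP=/etc/iptables/iptables-block.list_backup
readonly SPAMDIR=/var/vmail/domain.de/mail/Maildir/.for_blacklist/cur
readonly LOADER=/etc/iptables/load-iptables-blacklist.sh

# One IPv4 octet (0-255); four of them joined by literal dots.
readonly OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
readonly IPV4_RE="${OCTET}\.${OCTET}\.${OCTET}\.${OCTET}"

# Addresses that must never be blocked. Matched as whole lines (-x) with the
# dots escaped: the old '127.0.0.1|1.2.3.4' pattern also threw away unrelated
# addresses such as 127.0.0.10 or 1.2.3.45.
readonly WHITELIST_RE='127\.0\.0\.1|1\.2\.3\.4'

tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp"' EXIT

# First run: start from an empty list instead of failing on the backup copy.
[[ -f "$BLOCKLIST" ]] || : > "$BLOCKLIST"
cp -- "$BLOCKLIST" "$BACKUP"

# -a: a mail with an 8-bit attachment would otherwise make grep emit a
#     "Binary file ... matches" line instead of the addresses.
# -r on the directory instead of "$SPAMDIR"/*: an empty folder yields no
#     output rather than a "No such file" error for the unexpanded glob.
# "|| true": no mails, or only whitelisted addresses, is not an error.
{
  grep -rEaoh -- "$IPV4_RE" "$SPAMDIR" | grep -vxE -- "$WHITELIST_RE" || true
  cat -- "$BLOCKLIST"
} | sort -u > "$tmp"

# Overwrite in place (keeps the file's owner and mode) only once the merge
# succeeded; the old list is never removed before the new one exists.
cp -- "$tmp" "$BLOCKLIST"

"$LOADER"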

Datei /etc/iptables/load-iptables-blacklist.sh

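#!/bin/bash
# Simple iptables IP/subnet block script
# -------------------------------------------------------------------------
# Copyright (c) 2004 nixCraft project
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# ----------------------------------------------------------------------
# Rebuilds the $SPAMLIST chain from $BLOCKFILE (one IPv4 address or
# a.b.c.d/n network per line; '#' comments and blank lines are skipped),
# logging and dropping every packet whose source matches, and hooks the
# chain into INPUT, OUTPUT and FORWARD.
# Note: the old chain is torn down before the new one is built, so there is
# a short window without any blocking while this script runs.
set -u

IPT=/sbin/iptables
SPAMLIST="spamlist"
SPAMDROPMSG="SPAM LIST DROP"
BLOCKFILE=/etc/iptables/iptables-block.list
# Only entries that look like an address or a CIDR network are handed to
# iptables. The list is generated from mail content, so anything else on a
# line is reported on stderr instead of becoming a rule argument.
ENTRY_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

# delete old blacklist rules (these fail on the very first run, when the
# chain does not exist yet -- that is expected, hence the silenced stderr)
$IPT -D INPUT -j "$SPAMLIST" 2>/dev/null
$IPT -D OUTPUT -j "$SPAMLIST" 2>/dev/null
$IPT -D FORWARD -j "$SPAMLIST" 2>/dev/null
$IPT -F "$SPAMLIST" 2>/dev/null
$IPT -X "$SPAMLIST" 2>/dev/null

# create a new iptables list
$IPT -N "$SPAMLIST" || exit 1
# read takes the first whitespace-separated word of each line, so trailing
# blanks or a trailing comment do not end up inside the -s argument
while read -r ipblock _; do
  [[ -n "$ipblock" ]] || continue
  if [[ ! "$ipblock" =~ $ENTRY_RE ]]; then
    printf '%s: skipping invalid entry: %s\n' "${0##*/}" "$ipblock" >&2
    continue
  fi
  # LOG is unlimited, as in the original; add "-m limit --limit 5/min" to the
  # LOG rule if a blocked host starts flooding the log.
  $IPT -A "$SPAMLIST" -s "$ipblock" -j LOG --log-prefix "$SPAMDROPMSG"
  $IPT -A "$SPAMLIST" -s "$ipblock" -j DROP
done < <(grep -vE -- '^#|^$' "$BLOCKFILE")
$IPT -I INPUT -j "$SPAMLIST"
$IPT -I OUTPUT -j "$SPAMLIST"
$IPT -I FORWARD -j "$SPAMLIST"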

Zu /etc/network/interfaces hinzufügen

# Reload the blacklist chain whenever the interface comes up; this line
# belongs inside the "iface" stanza of the interface in question.
post-up /etc/iptables/load-iptables-blacklist.sh

Links

Einen Port mit iptables nur für bestimmte IPs freigeben

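# Allow port 111 (TCP and UDP) only from one trusted address and from the
# host itself; every other source is dropped.
# Literal addresses are used instead of "localhost": a name is resolved via
# /etc/hosts or DNS at rule-load time, may fail or map to several addresses,
# and iptables-save stores the resolved address anyway.
# -A appends, so these rules only take effect if no earlier INPUT rule
# already accepts or drops the traffic. Matching on "-i lo" instead of the
# source address would be stricter for the loopback exception.
# tcp
iptables -A INPUT -p tcp --dport 111 -s 1.2.3.4 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j DROP
# udp
iptables -A INPUT -p udp --dport 111 -s 1.2.3.4 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j DROP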

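# ipv6
# Same rules for IPv6. "::1" replaces "localhost": ip6tables needs a name
# that resolves to an IPv6 address, which depends on /etc/hosts having the
# "::1 localhost" entry -- the literal address works regardless.
#tcp6
ip6tables -A INPUT -p tcp --dport 111 -s 1:2:3:4::2 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 111 -s ::1 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 111 -j DROP
# udp6
ip6tables -A INPUT -p udp --dport 111 -s 1:2:3:4::2 -j ACCEPT
ip6tables -A INPUT -p udp --dport 111 -s ::1 -j ACCEPT
ip6tables -A INPUT -p udp --dport 111 -j DROP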

Alles außer bestimmte Ports sperren

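# Open INPUT only for one trusted address and one service port; everything
# else arriving on eth0 is dropped by the chain policy.
# Order matters: all ACCEPT rules must be in place before the policy flips to
# DROP, and this is best done from a console session, not over SSH.
# Without the first two rules the DROP policy also discards replies to
# connections the host itself opened (DNS, apt, ...) and loopback traffic.
iptables -A INPUT -i lo -j ACCEPT                                       # loopback
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # replies to our own connections
iptables -A INPUT -i eth0 -s 1.2.3.4 -j ACCEPT                          # allow the trusted IP
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT                   # open the port for everyone
iptables -P INPUT DROP                                                  # default policy: drop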

Iptables dauerhaft speichern

# Debian/Ubuntu package that restores /etc/iptables/rules.v4 and rules.v6 at boot
apt-get install iptables-persistent

Debian/Ubuntu:

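#!/usr/bin/env bash
# Persist the running IPv4/IPv6 rulesets where iptables-persistent loads
# them at boot.
set -euo pipefail

# Dump into a temporary file next to the target and rename it into place:
# a plain "iptables-save > file" truncates the file before the dump runs,
# so a failing dump would leave an empty ruleset to be restored next boot.
# mktemp creates the file readable by root only, which is fine for the loader.
save_rules() {
  local saver=$1 dest=$2 tmp
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  if ! "$saver" > "$tmp"; then
    rm -f -- "$tmp"
    return 1
  fi
  mv -f -- "$tmp" "$dest"
}

save_rules iptables-save /etc/iptables/rules.v4
save_rules ip6tables-save /etc/iptables/rules.v6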