> I'm thinking of setting up a rule in Iptables to point to a
> file which I can easily add the IP addresses that I need
> to block. Is this possible and what would be the syntax?

If you really want to set up something so you can block a large number of IP addresses and you have the patience to keep up, yes, you could set up some simple scripts to help you automate the iptables config. Note though that you'll probably want to structure iptables with several chains to help reduce the inefficiency caused by a large number of rules. For example, you might want a separate chain for each of the possible 256 first octets.

This should get you started and give you some ideas (it can be improved upon too).

    iptables -N web_block_1
    iptables -N web_block_2
    ...
    iptables -N web_block_255

Then create a chain just to dispatch these (so non-web traffic doesn't have to go through all these rule checks),

    iptables -N web_block

Then link it into your input chain too,

    iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block
    iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block

Finally, in your web_block chain, dispatch for each octet,

    iptables -A web_block -s 1.0.0.0/8 -j web_block_1
    iptables -A web_block -s 2.0.0.0/8 -j web_block_2
    ...
    iptables -A web_block -s 255.0.0.0/8 -j web_block_255

Then you'd add specific IP addresses (or netblocks), as

    iptables -A web_block_192 -s 192.168.1.1 -j REJECT

Also, if your script updates, be sure to also run iptables-save so your entries survive reboot.

Keep in mind though that iptables blocking is the *harsh* way to do this. Less drastic would be to
1. ignore the logs,
2. reduce the logging level,
3. look at Apache's Deny directive.

-- Deron Meranda
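As an added example (not Deron Meranda's script and not part of the original thread), here is a POSIX sh script that turns the per-first-octet layout described above into a generator: it reads a plain-text list of addresses or netblocks, validates each entry, and prints the iptables commands for the matching web_block_<octet> chain rather than running them, so the output can be reviewed before being piped into sh as root. It assumes the chain names web_block and web_block_1 ... web_block_255, interface eth0 and ports 80/443 from the post, and a list file format of one IPv4 address or CIDR per line with "#" comments (the sample list embedded below is constructed for demonstration, as is the blocklist file path in the usage comment).

```sh
#!/bin/sh
# Added example: generate the chain-per-first-octet iptables rules from a list file.
# Commands are printed, not executed; pipe the output into "sh" as root to apply.

# gen_setup: one dispatch chain, one chain per first octet 1..255, hooked into INPUT
# for web ports only (assumes eth0 and ports 80/443 as in the post).
gen_setup() {
  echo "iptables -N web_block"
  i=1
  while [ "$i" -le 255 ]; do
    echo "iptables -N web_block_$i"
    echo "iptables -A web_block -s $i.0.0.0/8 -j web_block_$i"
    i=$((i + 1))
  done
  echo "iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block"
  echo "iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block"
}

# first_octet ADDR: print the first octet of a valid IPv4 address or CIDR block,
# return 1 for anything else (bad characters, wrong shape, octet > 255, mask > 32,
# or a first octet of 0, for which no chain exists in this layout).
first_octet() {
  case "$1" in
    ""|*[!0-9./]*) return 1 ;;
  esac
  addr=${1%%/*}
  if [ "$addr" != "$1" ]; then
    mask=${1#*/}
    case "$mask" in ""|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
  fi
  nodots=$(printf '%s' "$addr" | tr -d '.')
  [ $(( ${#addr} - ${#nodots} )) -eq 3 ] || return 1   # exactly three dots
  set -- $(printf '%s' "$addr" | tr '.' ' ')
  [ $# -eq 4 ] || return 1                             # no empty octets
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  [ "$1" -ge 1 ] || return 1
  echo "$1"
}

# gen_block_rules FILE: emit one REJECT rule per valid entry, in the chain for
# its first octet; malformed entries are reported on stderr and skipped.
gen_block_rules() {
  while IFS= read -r line || [ -n "$line" ]; do
    entry=${line%%#*}                              # strip trailing comment
    entry=$(printf '%s' "$entry" | tr -d ' \t')    # and whitespace
    [ -z "$entry" ] && continue
    octet=$(first_octet "$entry") || { echo "skipping invalid entry: $line" >&2; continue; }
    echo "iptables -A web_block_$octet -s $entry -j REJECT"
  done < "$1"
}

# write_sample_list FILE: constructed sample blocklist (documentation ranges only).
write_sample_list() {
  cat > "$1" <<'EOF'
# one address or netblock per line
192.0.2.10
198.51.100.0/24
not-an-ip
203.0.113.7   # trailing comment
EOF
}

# Usage: sh blocklist.sh /etc/web-blocklist.txt | sudo sh   (hypothetical path)
# With no argument the constructed sample list is used instead.
if [ -n "${1:-}" ]; then
  list=$1
else
  list=$(mktemp) && write_sample_list "$list"
fi
gen_setup
gen_block_rules "$list"
```

After applying the printed rules, run iptables-save as the post says so the chains persist; re-running the generator against an updated list file is the "script updates" case, and the validation step is what keeps a stray line in the list from producing a malformed rule.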