Thanks to you and the others who replied (especially Deron), you have given me something to think about here.

Rob

On Tue, 2005-01-25 at 18:29, Banjo Mailing List wrote:
> Or use portsentry. If you need any help how to do it, tell me.
>
>
> On Tue, 25 Jan 2005 12:56:15 -0500, Deron Meranda
> <deron.meranda@xxxxxxxxx> wrote:
> > > I'm thinking of setting up a rule in Iptables to point to a
> > > file which I can easily add the IP addresses that I need
> > > to block. Is this possible and what would be the syntax?
> >
> > If you really want to set up something so you can block a large number
> > of IP addresses and you have the patience to keep up, yes you could
> > set up some simple scripts to help you automate the iptables config.
> >
> > Note though that you'll probably want to structure iptables with several
> > chains to help reduce the inefficiency caused by a large number of
> > rules. For example, you might want a separate chain for each of the
> > possible 256 first-octets. This should get you started and give you some
> > ideas (it can be improved upon too).
> >
> > iptables -N web_block_1
> > iptables -N web_block_2
> > ...
> > iptables -N web_block_255
> >
> > Then create a chain just to dispatch these (so non-web traffic
> > doesn't have to go through all these rule checks),
> >
> > iptables -N web_block
> >
> > Then link it into your input chain too,
> >
> > iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block
> > iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block
> >
> > Finally in your web_block chain dispatch for each octet,
> >
> > iptables -A web_block -s 1.0.0.0/8 -j web_block_1
> > iptables -A web_block -s 2.0.0.0/8 -j web_block_2
> > ...
> > iptables -A web_block -s 255.0.0.0/8 -j web_block_255
> >
> > Then you'd add specific IP addresses (or netblocks), as
> >
> > iptables -A web_block_192 -s 192.168.1.1 -j REJECT
> >
> > Also if your script updates, be sure to also run iptables-save
> > so your entries survive reboot.
> >
> > Keep in mind though that iptables blocking is the *harsh*
> > way to do this. Less drastic would be to 1. ignore the logs,
> > 2. reduce the logging level, 3. look at Apache's Deny
> > directive.
> > --
> > Deron Meranda
> >
> > --
> > fedora-list mailing list
> > fedora-list@xxxxxxxxxx
> > To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> >
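As an added example (not code from the thread), here is a small POSIX shell script that turns Deron's per-octet layout into something maintainable from a blocklist file: it generates the iptables commands on stdout rather than running them, so the rule set can be reviewed before it is applied. The interface eth0, ports 80/443 and the web_block_<octet> chain names are taken from the mail; the blocklist at the end is constructed sample input.

```shell
#!/bin/sh
# Generates, rather than executes, Deron's per-octet iptables layout so the rule
# set can be reviewed before it touches the firewall. eth0, ports 80/443 and the
# web_block_<octet> naming come from the mail; the rest is constructed here.

# Map an IPv4 address or CIDR block to its per-octet chain, e.g.
# 192.168.1.1 -> web_block_192. Prints "invalid" and fails on bad input.
chain_for() {
    octet=${1%%.*}
    case "$octet" in ''|*[!0-9]*) echo "invalid"; return 1 ;; esac
    [ "$octet" -ge 1 ] && [ "$octet" -le 255 ] || { echo "invalid"; return 1; }
    echo "web_block_$octet"
}

# One-time setup: 255 per-octet chains, the web_block dispatcher, INPUT hooks
# for the web ports only, and the /8 dispatch rules (513 commands in all).
emit_setup() {
    i=1
    while [ "$i" -le 255 ]; do echo "iptables -N web_block_$i"; i=$((i + 1)); done
    echo "iptables -N web_block"
    for port in 80 443; do
        echo "iptables -I INPUT -i eth0 -m tcp -p tcp --dport $port -j web_block"
    done
    i=1
    while [ "$i" -le 255 ]; do
        echo "iptables -A web_block -s $i.0.0.0/8 -j web_block_$i"; i=$((i + 1))
    done
}

# One REJECT rule for an address or netblock, placed in its per-octet chain.
emit_block() {
    chain=$(chain_for "$1") || return 1
    echo "iptables -A $chain -s $1 -j REJECT"
}

# Read a blocklist on stdin (one entry per line; '#' comments and blank lines
# are ignored) and emit one rule per entry; malformed entries become a comment.
emit_blocklist() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' | while read -r addr; do
        emit_block "$addr" || echo "# skipped invalid entry: $addr"
    done
}

# Constructed sample blocklist (not from the thread); the last entry is bogus.
sample_blocklist() {
    printf '%s\n' '# hosts hammering the web server' '192.168.1.1' '10.0.0.0/8' \
        '' '203.0.113.7' '999.1.1.1'
}
```

Review the output of `emit_setup` and `sample_blocklist | emit_blocklist`, pipe it into `sh` on the firewall host, and then run `iptables-save` as the mail suggests so the entries survive a reboot.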