
IPTABLES Prerouting, mass add


Maybe someone knows how I can mass add about 1,400,000 IPs to iptables with the command:

iptables -I PREROUTING -t raw -d "$ipban" -j DROP

Right now I'm using:

while read -r ipban
do
    iptables -I PREROUTING -t raw -d "$ipban" -j DROP
done < ips.txt

But it has already taken more than 20 hours to add.

My VPS is very small, about 1 GB RAM and 1 vCPU, so it's not that fast.

I tried to do iptables-restore but I got a few errors, so I'm looking for the fastest solution.

Doug Smythies: For large groups of IP addresses look into `ipset`.

Answer:

The script below should do what you need. Note that the name of the file from which you'll read the IPs is ips.txt in the script. You can replace it with your own file name.

#!/bin/bash
# Build one iptables-restore file and load it with a single iptables-restore
# call, instead of executing the iptables binary once per address.

ip_list=ips.txt
config=iptables_configuration

{
echo "*raw"
echo ":PREROUTING ACCEPT [0:0]"
echo ":OUTPUT ACCEPT [0:0]"
# One DROP rule per address; /32 means exactly one host, never a subnet.
while read -r ip
do
    [ -n "$ip" ] && echo "-A PREROUTING -d $ip/32 -j DROP"
done < "$ip_list"
echo "COMMIT"

echo "*filter"
echo ":INPUT ACCEPT [0:0]"
echo ":FORWARD ACCEPT [0:0]"
echo ":OUTPUT ACCEPT [0:0]"
echo "-A INPUT -p tcp -m tcp --dport 25565 --tcp-option 8 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable"
echo "COMMIT"
} > "$config"

# iptables-restore replaces the current raw and filter tables with the file's contents.
iptables-restore < "$config"
rm -f "$config"

# Remaining rules from the pastebin, appended after the DROP rules.
# Note: the first ACCEPT matches every packet to port 25565, so the three rules
# after it are never reached for that port; and the raw table is traversed before
# connection tracking, so the RELATED,ESTABLISHED state match cannot see a tracked state there.
iptables -t raw -A PREROUTING -p tcp --dport 25565 -j ACCEPT
iptables -t raw -A PREROUTING -p tcp --dport 25565 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t raw -A PREROUTING -p tcp --dport 25565 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 150 --connlimit-mask 32 --connlimit-saddr -j DROP
iptables -t raw -A PREROUTING -p tcp --dport 25565 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr -j DROP

All you have to do is execute the script in the directory where the ips.txt file is present. The rest will be handled by the script.

The problem is that I don't want to block ranges or subnets, I just want to block the specified IPs from the txt file.
Muhammed Özen: I understand now. I know the solution to your problem. The problem is that every time you add a new rule, you execute the iptables binary again. You have to write a configuration file that contains all the rules, and then you execute iptables only once to add all of them. I've written a script for you that does what you need, but when you apply the script, your existing iptables rules will be gone and only the rules for banning the IP addresses in the file will be present. If you want to include other rules, you have to modify the iptables_configuration file to your needs. Check out my post.
Sure thing mate, I have rules like this: https://pastebin.com/MW4x9QNa If it's possible, make it use PREROUTING, it's more efficient :D I'm very glad you want to help me and write such a big post!
Muhammed Özen: You're very welcome. But you have some variables in your script that you didn't define, like $port and $limit_global_connections_max. If you give me their exact values, only then can I help.
Sorry, I didn't notice that, here's the working version https://pastebin.com/LxJvqF51 If you also know how to make them PREROUTING it would be awesome (it would be more efficient).

And can you explain to me why there's `/32` in -A PREROUTING -d $i/32 -j DROP ?
Muhammed Özen: I just edited the post again. Now you don't even have to worry about iptables-restore. All you really have to do is run the script and it'll get everything ready for you. Also, I put all the rules in the PREROUTING chain except for one, because it had invalid options for PREROUTING. As for your second question, /32 signifies one single IP address in CIDR notation. If you specify any value apart from 32, it specifies a subnet including more than one IP address. But since we only need to ban individual IP addresses and don't want to block a subnet or a range of IPs, we need /32 here.
Thanks for the help! I did everything like you said and it's working!
Muhammed Özen: You're welcome mate. I'm glad that I could be of help :)
The problem I found right now is that when I applied everything my internet speed went down to 5 Mb/s from 1 Gb/s.
Muhammed Özen: I believe the reason for that is that you have many rules. As you said, you had so many rules that it took a lot of time to register them all in the firewall. Whenever a network packet hits your computer, the kernel compares it with every single rule in the firewall. Only if it gets a pass from all of these rules do you get your connection in the local TCP/UDP stack. The more rules you have in your firewall, the slower the connection is going to be. You have to keep the right balance between security and network speed.
Yeah, I asked my host for help and they said they will block those IPs anyway. Thank you for the help!
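The `ipset` route Doug Smythies suggested above is what avoids the slowdown described in the last comments: the kernel does one hash lookup per packet instead of walking 1.4 million rules. The script below is an added example, not code from the question or the answer; the set name `banlist`, the `--apply` flag and the sample list are assumptions, and `hash:ip` is chosen because it stores single addresses only, not ranges.

```shell
#!/bin/sh
# Added example, not code from the original post or its answer: load the
# blocklist into an ipset and reference it from ONE raw PREROUTING rule.
# Assumptions: set name "banlist"; input file has one IPv4 address per line.
set -eu

# Emit an `ipset restore` script for the IPv4 addresses in file $1 into set $2.
# Comments (#...), blank lines and padding are ignored; malformed entries are
# reported on stderr and skipped, so one bad line cannot abort the bulk load.
# hashsize must be a power of two; maxelem must exceed the list size (1.4M < 2^21).
build_ipset_restore() {
    printf 'create %s hash:ip family inet hashsize 2097152 maxelem 2097152\n' "$2"
    awk -v setname="$2" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t\r]+$/, "") }   # strip comments, padding
        $0 == "" { next }
        {
            n = split($0, o, ".")
            ok = (n == 4)
            for (i = 1; ok && i <= 4; i++)
                ok = (o[i] ~ /^[0-9][0-9]?[0-9]?$/ && o[i] + 0 <= 255)
            if (ok) { printf "add %s %s\n", setname, $0; added++ }
            else    { printf "skipping malformed entry: %s\n", $0 > "/dev/stderr"; bad++ }
        }
        END { printf "%d added, %d skipped\n", added, bad > "/dev/stderr" }
    ' "$1"
}

# Load the set in one kernel transaction (-exist tolerates re-runs), then insert
# the single lookup rule only if it is not already there (-C checks, -I inserts).
# "dst" mirrors the -d in the question's rule; use "src" to drop by source address.
apply_banlist() {
    build_ipset_restore "$1" "$2" | ipset -exist restore
    iptables -t raw -C PREROUTING -m set --match-set "$2" dst -j DROP 2>/dev/null ||
        iptables -t raw -I PREROUTING -m set --match-set "$2" dst -j DROP
}

# Constructed sample list standing in for ips.txt; includes entries that must be rejected.
sample_list() {
    printf '%s\n' '203.0.113.7' '198.51.100.250   # trailing comment' '' \
        '# comment line' '192.0.2.1' '256.1.1.1' '10.0.0' '192.0.2.1'
}

# Usage (as root): ./banlist.sh --apply ips.txt banlist
if [ "${1:-}" = "--apply" ]; then
    apply_banlist "${2:-ips.txt}" "${3:-banlist}"
fi
```

Run `build_ipset_restore ips.txt banlist | head` first to inspect the generated commands and the skipped-entry report before applying anything.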