[ale] Easy way to add and delete iptables rules

Alex Carver agcarver+ale at acarver.net
Thu Aug 25 23:48:44 EDT 2016


I would actually do something entirely different and use ipsets and the
PREROUTING chain.

Set up a new chain:

# the set has to exist before any rule can reference it
ipset create badtestscores hash:ip
# PREROUTING is a hook in the mangle/nat/raw tables, not in filter,
# so every rule below names the mangle table
iptables -t mangle -N bad_test_scores
iptables -t mangle -A bad_test_scores -m set --match-set badtestscores src -j LOG --log-prefix "bad test score: "
# REJECT is only permitted in INPUT, FORWARD and OUTPUT; in PREROUTING the verdict has to be DROP
iptables -t mangle -A bad_test_scores -m set --match-set badtestscores src -j DROP
iptables -t mangle -A PREROUTING -j bad_test_scores

The PREROUTING chain is ahead of the decision point to traverse FORWARD
or INPUT.  It will catch that IP so you don't need an additional squid
entry.



Then separately use ipset to add your IPs:

ipset add badtestscores ${IP}

or remove them:

ipset del badtestscores ${IP}


This part you can script with MQTT or similar and you won't have to
touch iptables after the above setup.  Just remember to properly
sanitize your input.

On 2016-08-25 18:48, Chris Fowler wrote:
> I'm trying to figure out the best way to add and remove iptables rules as required.
> 
> I use this to block a laptop due to bad test scores :)
> 
> 
> IP=192.168.1.153
> #iptables -P FORWARD DROP
> iptables -I FORWARD -s 0/0 -d ${IP} -j DROP
> iptables -I FORWARD -s ${IP} -d 0/0 -j DROP
> # Squid
> iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3128 -s ${IP}/32 -j REJECT
> iptables -A INPUT -i eth0 -p udp -m udp --dport 3128 -s ${IP}/32 -j REJECT
> 
> The first two stop routing.  The second pair blocks squid access.
> 
> Normally I'll just do an iptables-restore, but I'm running fail2ban and miniupnpd.  The 
> restore blows away their rules.
> 
> Do I create a custom chain for INPUT and FORWARD and simply delete rules in 
> that?  Using MQTT this will become push button and the wife will simply push a 
> button on and then off.
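
A worked version of the approach in the reply above, added here as an example and not taken from the thread or from either poster: it creates the ipset and a dedicated chain hooked into mangle PREROUTING (the table PREROUTING actually lives in, where DROP rather than REJECT is the permitted verdict), and wraps the add/del toggle in a strict IPv4 check so that a payload arriving over MQTT can never smuggle extra arguments or shell metacharacters into the ipset call. The set and chain names are the ones used in the reply; the "on <ip>" / "off <ip>" payload format, the MQTT topic and the mosquitto_sub line are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.  Set/chain names follow the
# reply; the "on <ip>" / "off <ip>" payload format, the topic name and the
# mosquitto_sub line are assumptions for illustration.
set -f                      # no globbing: payload words are never expanded

SET=badtestscores
CHAIN=bad_test_scores

# Strict dotted-quad check: four decimal octets, each 0-255, and nothing
# else (no CIDR suffix, whitespace or shell metacharacters).  The body is a
# subshell so the IFS change and "set --" do not leak; "exit" therefore
# only leaves the subshell and becomes the function's return status.
valid_ipv4() (
    ip=$1
    case "$ip" in
        *[!0-9.]*|'') exit 1 ;;            # anything but digits and dots
    esac
    IFS=.
    set -- $ip                             # split on the dots
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ -n "$octet" ] || exit 1          # rejects "1..2.3" and a trailing dot
        [ ${#octet} -le 3 ] || exit 1
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Build the ipset command for one toggle without running it, so the
# decision can be inspected and tested.  "-exist" makes add/del idempotent
# (a second press of the same button is not an error).
ipset_cmd() {
    valid_ipv4 "$2" || { printf 'rejected input: %s\n' "$2" >&2; return 1; }
    case "$1" in
        on)  echo "ipset add $SET $2 -exist" ;;
        off) echo "ipset del $SET $2 -exist" ;;
        *)   printf 'unknown action: %s\n' "$1" >&2; return 1 ;;
    esac
}

# One-time setup, run as root.  PREROUTING is a mangle/nat/raw hook, not a
# filter chain, so every rule names -t mangle; it runs before the
# INPUT/FORWARD decision, which is why one chain covers both.  REJECT is
# only allowed in INPUT, FORWARD and OUTPUT, so the verdict here is DROP.
# Matching src and dst mirrors the two FORWARD rules in the original post.
setup() {
    ipset create "$SET" hash:ip -exist
    iptables -t mangle -N "$CHAIN" 2>/dev/null || iptables -t mangle -F "$CHAIN"
    for dir in src dst; do
        iptables -t mangle -A "$CHAIN" -m set --match-set "$SET" "$dir" \
            -j LOG --log-prefix "bad test score: "
        iptables -t mangle -A "$CHAIN" -m set --match-set "$SET" "$dir" -j DROP
    done
    iptables -t mangle -C PREROUTING -j "$CHAIN" 2>/dev/null ||
        iptables -t mangle -I PREROUTING -j "$CHAIN"
}

# Handle one MQTT payload such as "on 192.168.1.153".  Only the command
# string assembled from validated tokens is ever executed.  Feed it with:
#   mosquitto_sub -t home/laptop/block | while read -r line; do handle "$line"; done
handle() {
    set -- $1                  # split payload on whitespace (globbing is off)
    [ $# -eq 2 ] || { printf 'bad payload\n' >&2; return 1; }
    cmd=$(ipset_cmd "$1" "$2") || return 1
    $cmd
}

# Command-line use: setup | on <ip> | off <ip>
case "${1:-}" in
    setup)  setup ;;
    on|off) handle "$1 ${2:-}" ;;
esac
```

Run setup once (for example from the same script that loads the rest of the firewall), after which the button only ever drives ipset and never touches iptables; any payload that is not exactly an action word plus a well-formed address is logged to stderr and discarded before a command is built.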