[ale] Easy way to add and delete iptables rules

Lightner, Jeffrey JLightner at dsservices.com
Fri Aug 26 08:58:02 EDT 2016


Also the iptables-restore suggests you're editing your iptables file then using the restore to update memory.

Instead you can use "iptables -I" to insert rules in your iptables in memory then use iptables-save to save to the file so you get the new rules on next restore.

You can use "iptables -nL --line-numbers" to see existing rules and the lines they're on then specify the line number you wish to insert into with the -I flag.
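Putting the three steps together (list the chain with line numbers, insert at a chosen position with -I, then iptables-save), here is an added example script that is not from the thread or from any of its authors. It parses a constructed sample of "iptables -nL FORWARD --line-numbers" output to find where to insert, defaults to a dry run so it can be read and exercised without root, and uses a placeholder RULES_FILE path; the choice to insert above the first ACCEPT is a policy decision made for the example, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the thread): insert FORWARD rules at a chosen
# position and persist them with iptables-save, instead of an
# iptables-restore that would discard rules fail2ban/miniupnpd added live.
#
# DRY_RUN defaults to 1 so the script only prints the commands it would run;
# set DRY_RUN=0 to apply them (needs root).  RULES_FILE is a placeholder:
# use the file your distribution's iptables service restores from.
DRY_RUN=${DRY_RUN:-1}
RULES_FILE=${RULES_FILE:-/path/to/iptables.rules}

# Constructed sample of "iptables -nL FORWARD --line-numbers" output, used
# in dry-run mode so the parsing can be exercised without a live firewall.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    MINIUPNPD  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0'

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Print the rule number of the first rule in a chain listing ($1) whose
# target column is $2; print nothing if there is none.  NR > 2 skips the
# "Chain ..." and "num target ..." header lines.
rule_num_for_target() {
    printf '%s\n' "$1" | awk -v t="$2" 'NR > 2 && $2 == t { print $1; exit }'
}

# Live listing, or the constructed sample when dry-running.
forward_listing() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$SAMPLE_LISTING"
    else iptables -nL FORWARD --line-numbers; fi
}

# Block forwarding to and from $1: two DROPs inserted at the position of the
# first ACCEPT (policy choice for this example), so they are evaluated before
# anything is accepted; then save the table so a later restore keeps them.
block_host() {
    ip=$1
    n=$(rule_num_for_target "$(forward_listing)" ACCEPT)
    n=${n:-1}                      # no ACCEPT rule yet: insert at the top
    run iptables -I FORWARD "$n" -s 0/0 -d "$ip" -j DROP
    run iptables -I FORWARD "$n" -s "$ip" -d 0/0 -j DROP
    run sh -c "iptables-save > $RULES_FILE"
}

# Remove both rules again.  -D with the same match specification deletes the
# first matching rule, so no line number has to be remembered.
unblock_host() {
    ip=$1
    run iptables -D FORWARD -s 0/0 -d "$ip" -j DROP
    run iptables -D FORWARD -s "$ip" -d 0/0 -j DROP
    run sh -c "iptables-save > $RULES_FILE"
}

case "${1:-}" in
    block)   block_host "${2:?usage: $0 block IP}" ;;
    unblock) unblock_host "${2:?usage: $0 unblock IP}" ;;
esac
```

Run as "sh insert_rule.sh block 192.168.1.153" to see the commands it would issue; with DRY_RUN=0 the same invocation applies them. Because the second -I uses the same position as the first, both DROPs end up above the ACCEPT, the -s rule first.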


-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Alex Carver
Sent: Thursday, August 25, 2016 11:49 PM
To: ale at ale.org
Subject: Re: [ale] Easy way to add and delete iptables rules

I would actually do something entirely different and use ipsets and the PREROUTING chain.

Set up a new chain:

ipset create badtestscores hash:ip   # the set must exist before --match-set can reference it
iptables -N bad_test_scores
iptables -A bad_test_scores -m set --match-set badtestscores src -j LOG --log-prefix="bad test score:"
iptables -A bad_test_scores -m set --match-set badtestscores src -j REJECT
iptables -A PREROUTING -j bad_test_scores

The PREROUTING chain is ahead of the decision point to traverse FORWARD or INPUT.  It will catch that IP so you don't need an additional squid entry.



Then separately use ipset to add your IPs:

ipset add badtestscores ${IP}

or remove them:

ipset del badtestscores ${IP}


This part you can script with MQTT or similar and you won't have to touch iptables after the above setup.  Just remember to properly sanitize your input.

On 2016-08-25 18:48, Chris Fowler wrote:
> I'm trying to figure out the best way to add and remove iptables rules as required.
> 
> I use this to block a laptop due to bad test scores :)
> 
> 
> IP=192.168.1.153
> #iptables -P FORWARD DROP
> iptables -I FORWARD -s 0/0 -d ${IP} -j DROP
> iptables -I FORWARD -s ${IP} -d 0/0 -j DROP
> # Squid
> iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3128 -s ${IP}/32 -j REJECT
> iptables -A INPUT -i eth0 -p udp -m udp --dport 3128 -s ${IP}/32 -j REJECT
> 
> First two stop routing.  Second blocks squid access.
> 
> Normally I'll just do an iptables-restore, but I'm running fail2ban 
> and miniupnpd.  The restore blows away their rules.
> 
> Do I create a custom chain for INPUT and FORWARD and simply delete 
> rules in that?  Using MQTT this will become push button and the wife 
> will simply push a button on and then off.
> 
> 
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at 
> http://mail.ale.org/mailman/listinfo
> 
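As an added example (not code from the thread or from Alex), here is the ipset-based setup above wrapped in a small script whose add/remove path does the "properly sanitize your input" step before anything reaches ipset, which is what an MQTT-driven button would call. It keeps the post's names (set badtestscores, chain bad_test_scores) and defaults to a dry run. One assumption differs from the post: the chain is hooked from INPUT and FORWARD rather than PREROUTING, because the filter table has no PREROUTING chain and the REJECT target is only valid in INPUT, FORWARD and OUTPUT (and user chains called from them).

```shell
#!/bin/sh
# Added example (not from the thread): ipset-backed block list with input
# validation in front of every ipset add/del.  Set and chain names follow
# Alex's post; the chain is hooked from INPUT and FORWARD (see lead-in).
#
# DRY_RUN defaults to 1 so the script only prints what it would run;
# set DRY_RUN=0 to apply (needs root and the ipset tool).
DRY_RUN=${DRY_RUN:-1}
SET_NAME=badtestscores
CHAIN=bad_test_scores

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Return 0 if $1 is a plain dotted-quad IPv4 address (four decimal octets,
# 0-255, no leading zeros), 1 otherwise.  Hostnames, CIDR suffixes, empty
# strings and anything containing shell metacharacters are all rejected.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into positional params
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac    # reject 01, 007 and the like
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One-time setup.  -exist makes the ipset call idempotent; the chain is
# created only if it does not already exist.  Inserting the jump at the top
# of INPUT and FORWARD means a listed host is caught before any ACCEPT.
setup_chain() {
    run ipset create "$SET_NAME" hash:ip -exist
    run iptables -N "$CHAIN" 2>/dev/null || true
    run iptables -A "$CHAIN" -m set --match-set "$SET_NAME" src -j LOG --log-prefix "bad test score: "
    run iptables -A "$CHAIN" -m set --match-set "$SET_NAME" src -j REJECT
    run iptables -I INPUT -j "$CHAIN"
    run iptables -I FORWARD -j "$CHAIN"
}

# Add or remove one host.  This is the only code that should ever see data
# arriving over MQTT, and it refuses anything that is not an IPv4 address.
block_ip() {
    valid_ipv4 "$1" || { echo "refusing '$1': not an IPv4 address" >&2; return 2; }
    run ipset add "$SET_NAME" "$1" -exist
}
unblock_ip() {
    valid_ipv4 "$1" || { echo "refusing '$1': not an IPv4 address" >&2; return 2; }
    run ipset del "$SET_NAME" "$1" -exist
}

case "${1:-}" in
    setup)   setup_chain ;;
    block)   block_ip "${2:-}" ;;
    unblock) unblock_ip "${2:-}" ;;
esac
```

Run "sh badtestscores.sh setup" once, then "badtestscores.sh block 192.168.1.153" or "unblock 192.168.1.153" from the MQTT handler; with DRY_RUN=0 the commands are executed instead of printed. Because membership lives in the set, the iptables rules never change after setup, and a malformed or hostile payload is rejected with exit status 2 before ipset is invoked.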
