- 04-18-2012 #1 Just Joined!
- Join Date
- Apr 2012
- Posts
- 9
iptables: introduce new ruleset
Hi everyone,
New to the site and these forums. I'm hoping someone can point me in the right direction to solve a peculiar problem.
I've created a file containing rules in the following format
Code:
-A INPUT -s 10.1.43.206 -m comment --comment "Not a real IP but good enough for now" -j DROP
In all respects it's identical to the existing /etc/sysconfig/iptables file, with one notable exception. There are no headers. Meaning all this stuff:
Code:
# Generated by iptables-save v1.4.7 on Wed Apr 18 10:56:52 2012
*nat
:PREROUTING ACCEPT [4481035:226183146]
:POSTROUTING ACCEPT [18466:2329570]
:OUTPUT ACCEPT [18466:2329570]
COMMIT
# Completed on Wed Apr 18 10:56:52 2012
# Generated by iptables-save v1.4.7 on Wed Apr 18 10:56:52 2012
*mangle
:PREROUTING ACCEPT [6434929:498306171]
:INPUT ACCEPT [2019217:278209404]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1199011:800960622]
:POSTROUTING ACCEPT [1199011:800960622]
COMMIT
# Completed on Wed Apr 18 10:56:52 2012
# Generated by iptables-save v1.4.7 on Wed Apr 18 10:56:52 2012
*filter
:INPUT ACCEPT [24:1600]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:1156]
There's obviously some programmatic significance to this (for example)
:INPUT ACCEPT [2019217:278209404]
I renamed the "new-rules" file to iptables, copied it over to /etc/sysconfig, stopped and attempted to restart iptables. Predictably it didn't work. I'm realizing I chose a decidedly suboptimal way to go about it...but other alternatives I haven't found.
Thus: how can I "en masse" import the new file?
Regards & TIA for any pointers & guidance.
putter
- 04-18-2012 #2 Just Joined!
- Join Date
- May 2011
- Location
- Central FL
- Posts
- 78
Check out:
Code:
iptables-save > currentruleset
iptables-restore < newruleset
(Also worth a look while this is the topic is iptables-apply).
- 04-18-2012 #3 Just Joined!
- Join Date
- Apr 2012
- Posts
- 9
Unfortunately (1): iptables-apply is unavailable for CentOS - I SO wish!!
Unfortunately (2): iptables-restore requires a "fully formed" iptables file, complete with headers. If it's in the format I have, it just bombs. I'd import the rules manually, except for the fact that there's around 22,700 of 'em (seriously).
Thanks for jumping in!!
putter
- 04-18-2012 #4 Just Joined!
- Join Date
- May 2011
- Location
- Central FL
- Posts
- 78
I'm having trouble understanding what you're working with. You wrote an iptables config in the wrong format that is almost 23K lines?
If it's near to that, iptables-save the current ruleset, make modifications in the file you save it as (in the proper format), then use iptables-restore to insert it. I don't understand what you're having a problem with beyond that?
If you need to, import your current rules with like a while-loop or the like just once, then save the ruleset in the proper format with iptables-save, and then just use that in the future.
e.g.,
Code:
iptables -F                                  # start from an empty ruleset
while read LINE; do iptables $LINE && echo "Added rule $LINE"; done < unformatted-rules.txt
iptables-save > formatted-rules.txt          # save in iptables-restore format
Then in the future (on boot, etc) restore the set with iptables-restore.
- 04-18-2012 #5 Just Joined!
- Join Date
- Apr 2012
- Posts
- 9
Well, I grabbed a bunch of Class C's from countryipblocks.net (new arrival, can't post the url) and slammed in prepend/append syntax in vi. All told, around an hour of work.
Quote:
    If it's near to that, iptables-save the current ruleset, make modifications in the file you save it as (in the proper format), then use iptables-restore to insert it. I don't understand what you're having a problem with beyond that?
Since this thread started, I've tried that approach, importing rules like this:
Code:
cat newrules >> /etc/sysconfig/iptables
i.e. appending the new rules to an existing configuration makes iptables barf.
Quote:
    If you need to, import your current rules with like a while-loop or the like just once, then save the ruleset in the proper format with iptables-save, and then just use that in the future.
    e.g.,
    Code:
    iptables -F
    while read LINE; do iptables $LINE && echo "Added rule $LINE"; done < unformatted-rules.txt
    iptables-save > formatted-rules.txt
    Then in the future (on boot, etc) restore the set with iptables-restore.
Actually, that's a great approach...wow, I'm gonna try that. Thanks a lot, just shows you what a fresh set of eyes can do perspective-wise. Thanks for the suggestion!!!
Backatcha in the AM once I've test driven this and (hopefully) stopped iptables barfing.
Thanks!!
Warm regards,
putter
- 04-19-2012 #6
RedHat/Fedora/Centos use service iptables <start/stop/restart/save>
- 04-21-2012 #7 Linux Enthusiast
- Join Date
- Apr 2012
- Location
- Virginia, USA
- Posts
- 563
Hello,
You should be able to accomplish this with a simple re-direct, provided all the lines are formatted correctly.
Code:
iptables < myfile
You may want to try this on a test system first, to make sure you don't break something you can't fix.
Update: Never mind, simple redirect didn't work.
Easy solution though. Create and run the following bash script. Exchange 'testfile' with the /path/to/file as necessary.
Code:
#!/bin/bash
exec < testfile        # read the rule file on stdin
while read line
do
    iptables $line     # run each line as the arguments to iptables
done
Probably a way to do this with redirect, but I'm not a guru with redirect.
Last edited by mizzle; 04-21-2012 at 09:09 PM.
- 04-24-2012 #8 Just Joined!
- Join Date
- Apr 2012
- Posts
- 9
Thanks for jumping in!
Nope, it won't treat anything to the right of the IP address as part of the command.
I took your approach thusly:
Code:
#!/bin/bash
exec < iptlist
while read line
do
    iptables -A INPUT -j DROP -s $line
done
# $line is in the format:
# 10.1.0.0/24 -m comment --comment "China added 20120214"
# (expanded unquoted, the shell does not re-parse the quotes inside $line,
#  so the comment text arrives at iptables as several separate words)
it throws errors.
Now manually enter all that in from a prompt like this:
Code:
# iptables -A INPUT -j DROP -s 10.1.0.0/24 -m comment --comment "China added 20120214"
and of course iptables is perfectly happy with the result.
But feed it half the command as a setup, and the rest in a file, and it barfs.
The thing is, the comments against each IP block are crucial to maintain in the firewall config so that an admin has the slightest hope of knowing what he's banning.
Sure would love to get to the bottom of this!
Regards & thanks so much for the idea and suggestion. Much appreciated.
putter
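The two problems in this thread, a rule file that iptables-restore rejects for lacking table headers (post #1 and #5) and a read loop that breaks on rules carrying `--comment "..."` (post #8), come from the same pair of facts: iptables-restore wants every rule inside a `*table` ... `COMMIT` block, and the shell never re-parses quotes that sit inside an expanded variable. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes only bash and standard tools; `make_sample`, `wrap_rules`, `argc_unquoted`, `argc_eval`, the two sample rules and the file names are all constructed for the example, and it never calls iptables itself, so it can be run anywhere.

```shell
#!/bin/bash
# Added example, not code from this thread.
#  - wrap_rules: turn a headerless rule file (the format from post #1) into a
#    file iptables-restore accepts, by adding the *filter header, the chain
#    policy lines and COMMIT.
#  - argc_unquoted / argc_eval: count how many arguments one rule line becomes
#    when expanded unquoted ("iptables $line") versus re-parsed with eval,
#    which is why the --comment rules in post #8 fail.
# All function names, sample rules and paths here are constructed for the example.
set -eu

# Write a constructed two-rule sample in the headerless format to "$1".
make_sample() {
  cat > "$1" <<'EOF'
-A INPUT -s 10.1.43.206 -m comment --comment "Not a real IP but good enough for now" -j DROP
-A INPUT -s 10.1.0.0/24 -m comment --comment "China added 20120214" -j DROP
EOF
}

# wrap_rules IN OUT: emit a complete *filter table for iptables-restore.
# Only the filter table is written, so iptables-restore leaves the nat and
# mangle tables alone. The [0:0] counters are ignored unless iptables-restore
# is run with -c.
wrap_rules() {
  {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # keep only real rule lines: drop blank lines and # comments
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
    echo 'COMMIT'
  } > "$2"
}

# argc_unquoted LINE: number of words the shell hands to a command when LINE
# is expanded unquoted. The quotes inside the variable are plain characters,
# so "China added 20120214" becomes three separate arguments.
argc_unquoted() {
  set -f            # no globbing while we split on whitespace
  set -- $1
  set +f
  echo $#
}

# argc_eval LINE: the same line re-parsed by the shell via eval, so the quoted
# --comment value stays one argument (what a loop body of `eval "iptables $line"`
# relies on).
argc_eval() {
  eval "set -- $1"
  echo $#
}

# Stand-alone demo: build the restore file in a temp dir and print it, then
# show the argument counts for the rule that carries a multi-word comment.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  make_sample "$dir/rules.txt"
  wrap_rules "$dir/rules.txt" "$dir/restore.txt"
  cat "$dir/restore.txt"
  last=$(tail -n 1 "$dir/rules.txt")
  echo "unquoted args: $(argc_unquoted "$last")"
  echo "eval args:     $(argc_eval "$last")"
  rm -rf "$dir"
fi
```

Run it with `bash wrap.sh --demo`. For the sample line with the three-word comment, `argc_unquoted` reports 12 arguments and `argc_eval` reports 10, which is the difference between iptables seeing `--comment "China` followed by stray words and seeing one comment string. The restore file it writes can be loaded on a test box with `iptables-restore < restore.txt`; note that this replaces the whole filter table and sets the three chain policies to ACCEPT, so if a box already has rules, merge the new `-A` lines into an `iptables-save` dump of it instead. That merge also explains why `cat newrules >> /etc/sysconfig/iptables` in post #5 failed: the appended rules land after the final `COMMIT`, outside any table block.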
- 04-24-2012 #9
- 04-24-2012 #10 Linux Enthusiast
- Join Date
- Apr 2012
- Location
- Virginia, USA
- Posts
- 563
The script I wrote above worked for me. I created a test file formatted how you provided the info in the original post (minus comments). You might be able to do this with awk, though that's going to be too much effort for me at the moment, as I'm not a scripting expert.