  1. #1
    Just Joined!
    Join Date
    Apr 2012
    Posts
    9

    iptables: introduce new ruleset


    Hi everyone,
    New to the site and these forums. I'm hoping someone can point me in the right direction to solve a peculiar problem.

    I've created a file containing rules in the following format

    Code:
    -A INPUT -s 10.1.43.206 -m comment --comment "Not a real IP but good enough for now" -j DROP
    In all respects it's identical to the existing /etc/sysconfig/iptables file, with one notable exception: there are no headers. Meaning all this stuff:

    Code:
    # Generated by iptables-save v1.4.7 on Wed Apr 18 10:56:52 2012
    *nat
    :PREROUTING ACCEPT [4481035:226183146]
    :POSTROUTING ACCEPT [18466:2329570]
    :OUTPUT ACCEPT [18466:2329570]
    COMMIT
    # Completed on Wed Apr 18 10:56:52 2012
    # Generated by iptables-save v1.4.7 on Wed Apr 18 10:56:52 2012
    *mangle
    :PREROUTING ACCEPT [6434929:498306171]
    :INPUT ACCEPT [2019217:278209404]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1199011:800960622]
    :POSTROUTING ACCEPT [1199011:800960622]
    COMMIT
    # Completed on Wed Apr 18 10:56:52 2012
    # Generated by iptables-save v1.4.7 on Wed Apr 18 10:56:52 2012
    *filter
    :INPUT ACCEPT [24:1600]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [13:1156]
    There's obviously some programmatic significance to this (for example, :INPUT ACCEPT [2019217:278209404]).

    I renamed the "new-rules" file to iptables, copied it over to /etc/sysconfig, stopped and attempted to restart iptables. Predictably it didn't work. I'm realizing I chose a decidedly suboptimal way to go about it...but other alternatives I haven't found.

    Thus: how can I "en masse" import the new file?

    Regards & TIA for any pointers & guidance.

    putter

  2. #2
    Just Joined!
    Join Date
    May 2011
    Location
    Central FL
    Posts
    91
    Check out:
    iptables-save > currentruleset
    iptables-restore < newruleset

    (Also worth a look while this is the topic is iptables-apply).

  3. #3
    Just Joined!
    Join Date
    Apr 2012
    Posts
    9
    Quote Originally Posted by dayid
    Check out:
    iptables-save > currentruleset
    iptables-restore < newruleset

    (Also worth a look while this is the topic is iptables-apply).
    Unfortunately (1): iptables-apply is unavailable for CentOS - I SO wish!!
    Unfortunately (2): iptables-restore requires a "fully formed" iptables file, complete with headers. If it's in the format I have, it just bombs. I'd import the rules manually, except for the fact that there's around 22,700 of 'em (seriously).

    Thanks for jumping in!!

    putter

  4. #4
    Just Joined!
    Join Date
    May 2011
    Location
    Central FL
    Posts
    91
    Quote Originally Posted by putter1900
    Unfortunately (1): iptables-apply is unavailable for CentOS - I SO wish!!
    Unfortunately (2): iptables-restore requires a "fully formed" iptables file, complete with headers. If it's in the format I have, it just bombs. I'd import the rules manually, except for the fact that there's around 22,700 of 'em (seriously).

    Thanks for jumping in!!

    putter


    I'm having trouble understanding what you're working with. You wrote an iptables config in the wrong format that is almost 23K lines?
    Quote Originally Posted by putter1900
    (...) in all respects it's identical to the existing /etc/sysconfig/iptables file (...)
    If it's near to that, iptables-save the current ruleset, make modifications in the file you save it as (in the proper format), then use iptables-restore to insert it. I don't understand what you're having a problem with beyond that?

    If you need to, import your current rules with like a while-loop or the like just once, then save the ruleset in the proper format with iptables-save, and then just use that in the future.
    e.g.,
    Code:
    iptables -F
    # run each line of the file as the argument list of one iptables call
    # (note: $LINE is word-split by the shell, so a quoted --comment value is not kept as one argument)
    while read -r LINE; do iptables $LINE && echo "Added rule $LINE"; done < unformatted-rules.txt
    iptables-save > formatted-rules.txt
    Then in the future (on boot, etc) restore the set with iptables-restore.

  5. #5
    Just Joined!
    Join Date
    Apr 2012
    Posts
    9
    Quote Originally Posted by dayid
    I'm having trouble understanding what you're working with. You wrote an iptables config in the wrong format that is almost 23K lines?
    Well, I grabbed a bunch of Class C's from countryipblocks.net (new arrival, can't post the url) and slammed in prepend/append syntax in vi. All told, around an hour of work.
    If it's near to that, iptables-save the current ruleset, make modifications in the file you save it as (in the proper format), then use iptables-restore to insert it. I don't understand what you're having a problem with beyond that?
    Since this thread started, I've tried that approach, importing rules like this:

    cat newrules >> /etc/sysconfig/iptables -- i.e. appending the new rules to an existing configuration makes iptables barf.

    If you need to, import your current rules with like a while-loop or the like just once, then save the ruleset in the proper format with iptables-save, and then just use that in the future.
    e.g.,
    Code:
    iptables -F
    # run each line of the file as the argument list of one iptables call
    # (note: $LINE is word-split by the shell, so a quoted --comment value is not kept as one argument)
    while read -r LINE; do iptables $LINE && echo "Added rule $LINE"; done < unformatted-rules.txt
    iptables-save > formatted-rules.txt
    Then in the future (on boot, etc) restore the set with iptables-restore.
    Actually, that's a great approach...wow, I'm gonna try that. Thanks a lot, just shows you what a fresh set of eyes can do perspective-wise. Thanks for the suggestion!!!

    Backatcha in the AM once I've test driven this and (hopefully) stopped iptables barfing.

    Thanks!!

    Warm regards,

    putter

  6. #6
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    RedHat/Fedora/CentOS use: service iptables <start/stop/restart/save>

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  7. #7
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    896
    Hello,

    You should be able to accomplish this with a simple re-direct. Provided all the lines are formatted correctly.
    iptables < myfile

    You may want to try this on a test system first, to make sure you don't break something you can't fix.

    Update: Never mind, simple redirect didn't work.
    Easy solution though. Create and run the following bash script. Exchange 'testfile' with the /path/to/file as necessary.

    Code:
    #!/bin/bash
    # take the rule file as stdin, then run each line as the argument list of one iptables call
    exec<testfile
    while read -r line
    do
     iptables $line;
    done
    Probably a way to do this with redirect, but I'm not a guru with redirect.
    Last edited by mizzle; 04-21-2012 at 09:09 PM.

  8. #8
    Just Joined!
    Join Date
    Apr 2012
    Posts
    9
    Quote Originally Posted by mizzle
    Hello,

    You should be able to accomplish this with a simple re-direct. Provided all the lines are formatted correctly.
    iptables < myfile

    You may want to try this on a test system first, to make sure you don't break something you can't fix.

    Update: Never mind, simple redirect didn't work.
    Easy solution though. Create and run the following bash script. Exchange 'testfile' with the /path/to/file as necessary.

    Code:
    #!/bin/bash
    # take the rule file as stdin, then run each line as the argument list of one iptables call
    exec<testfile
    while read -r line
    do
     iptables $line;
    done
    Probably a way to do this with redirect, but I'm not a guru with redirect.
    Thanks for jumping in!

    Nope, it won't treat anything to the right of the IP address as part of the command.

    I took your approach thusly:

    Code:
    #!/bin/bash
    # take the IP list as stdin; each line supplies the rest of the -s argument list
    exec<iptlist
    while read -r line
    do iptables -A INPUT -j DROP -s $line;
    done
    
    #$line is in the format;
    # 10.1.0.0/24 -m comment --comment "China added 20120214"
    It throws errors.

    Now manually enter all that in from a prompt like this:

    Code:
    # iptables -A INPUT -j DROP -s 10.1.0.0/24 -m comment --comment "China added 20120214"
    And of course iptables is perfectly happy with the result.

    But feed it half the command as a setup, and the rest in a file, and it barfs.

    The thing is, the comments against each IP block are crucial to maintain in the firewall config so that an admin has the slightest hope of knowing what he's banning.

    Sure would love to get to the bottom of this!

    Regards & thanks so much for the idea and suggestion. Much appreciated.

    putter

  9. #9
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677

    Regards
    Robert


  10. #10
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    896
    The script I wrote above worked for me. I created a test file formatted how you provided the info in the original post (minus comments). You might be able to do this with awk, though that's going to be too much effort for me at the moment, as I'm not a scripting expert.
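Putting the thread's two findings together (post #3: iptables-restore wants the *filter ... COMMIT framing; post #8: a plain "iptables $line" loop word-splits the quoted --comment values), here is an added example that is not from any poster in this thread. It wraps a bare rule file in the headers iptables-restore needs, so the whole set loads in one atomic call with the comments intact; the function names, the mktemp paths and the sample rule file are my own assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: turn a bare rule list (one
# "-A INPUT ... -j DROP" per line) into the *filter/COMMIT framing that
# iptables-restore requires. iptables-restore parses double-quoted
# --comment values itself, so comments survive intact, and the whole
# set is loaded in one atomic call instead of ~22,700 iptables runs.
set -eu

# $1 = bare rule file, $2 = restore file to write. Assumes every rule
# belongs in the filter table. Only -A/-I rules are passed through, so a
# stray ":INPUT DROP" style line cannot silently change a chain policy.
build_restore_file() {
    local src=$1 dst=$2 line
    {
        echo '*filter'
        while IFS= read -r line; do
            case $line in
                ''|'#'*) continue ;;            # blank or comment line
                '-A '*|'-I '*) printf '%s\n' "$line" ;;
                *) echo "rejected line: $line" >&2; return 1 ;;
            esac
        done < "$src"
        echo 'COMMIT'
    } > "$dst"
}

# Number of rule lines in a restore file.
count_rules() {
    grep -c '^-[AI] ' "$1"
}

# Load without flushing, so existing rules and user chains are kept.
# Drop --noflush to replace the filter table with this file's contents.
load_rules() {
    iptables-restore --noflush < "$1"
}

# Constructed sample input in the format described in the thread.
tmp=$(mktemp -d)
cat > "$tmp/bare.rules" <<'EOF'
# blocklist, constructed for this example
-A INPUT -s 10.1.43.206 -m comment --comment "Not a real IP but good enough for now" -j DROP
-A INPUT -s 10.1.0.0/24 -m comment --comment "China added 20120214" -j DROP
EOF
build_restore_file "$tmp/bare.rules" "$tmp/restore.rules"
echo "wrote $(count_rules "$tmp/restore.rules") rules to $tmp/restore.rules"
# then, as root: load_rules "$tmp/restore.rules"
```

Because the generated file is plain text, you can diff it against the output of iptables-save before loading, and afterwards "service iptables save" (post #6) writes the merged result back to /etc/sysconfig/iptables in the proper format.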

