
Suppose I have a list of thousands of IP addresses to block. Right now I know how to iterate through the list and for each one run:

iptables -A INPUT -s XX.XX.XX.XX -j DROP

But this means I will have to run thousands of processes!

How can I do this more efficiently?

  • Thousands of... _processes?_ What do you mean "processes"? Creating a list of firewall rules, saving the file, and then loading it on one or many hosts is how you do this. – Wesley Aug 10 '20 at 17:17
  • I mean that I ask my shell to run the program `/usr/sbin/iptables` once for each address. – Sean Letendre Aug 10 '20 at 17:27
  • Can you direct me to a man page which describes the syntax of this list of firewall rules and how to load it on a host? – Sean Letendre Aug 10 '20 at 17:28
  • You may use "iptables-restore" but it will need all the rules in one shot, even the others chains – Dom Aug 10 '20 at 17:42
  • 2
    You just use `iptables-save` and pipe to a file, then `iptables-restore`. – Wesley Aug 10 '20 at 17:44

1 Answer


You're doing what you should be doing. Create the rules, save the rules, then load the rules on each host that should have them. A possible refinement when using iptables for large lists of rules would be IP Sets.

Wesley
  • ipsets are a good use for this. They are very efficient, and once your iptables/ip6tables rules have been configured to reference them, you no longer need to play around with iptables rules. You can add/remove addresses from the referenced ipset on-the-fly very easily without having to reload anything. – guzzijason Aug 10 '20 at 20:41
  • Does this happen to be available as a Debian package? – Sean Letendre Aug 12 '20 at 19:28
  • @SeanLetendre IP Sets is a kernel module and should be available in basically all distros that use kernel 3.1 or greater. You shouldn't need to install anything. – Wesley Aug 12 '20 at 19:30
  • Thank you. The tool that controls ipsets, "ipset", is needed as a separate Debian package even if the kernel contains the ipsets module. – Sean Letendre Aug 12 '20 at 19:38
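The two approaches from the answer and comments, as an added example that is not part of the original thread: a POSIX sh script that turns a plain text list of addresses into (a) a file for `iptables-restore --noflush`, which appends a dedicated chain without forking `iptables` per address or touching the rest of the ruleset, and (b) a file for `ipset restore`, which fills a fresh set that is then swapped in atomically. The chain name `BLOCKLIST`, the set name `blocklist`, the regex filter and the sample addresses (RFC 5737 documentation ranges) are my own choices; the load commands at the bottom need root and a kernel with the `ip_set` and `xt_set` modules, so they are shown as comments rather than run.

```shell
#!/bin/sh
# Added example: build loadable rule files from a plain address list instead
# of running /usr/sbin/iptables once per address.
set -eu

# Constructed sample list, one entry per line. Blank lines and '#' comments
# are ignored; plain IPv4 addresses and CIDR blocks are both accepted.
SAMPLE_LIST='# constructed sample blocklist
192.0.2.10
192.0.2.11
198.51.100.0/24
# a comment in the middle of the file
203.0.113.7
'

# Keep only lines that look like an IPv4 address or IPv4 CIDR block, so a
# stray comment or trailing junk never ends up inside a firewall rule.
clean_list() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$1" || true
}

# Emit an iptables-restore file that holds only the user chain BLOCKLIST.
# Because the file names no built-in chain, loading it with --noflush leaves
# INPUT/OUTPUT/FORWARD and every other chain exactly as they are; without
# --noflush the whole filter table would be replaced by this file.
gen_iptables_restore() {
    printf '*filter\n'
    printf ':BLOCKLIST - [0:0]\n'          # create the chain if it does not exist
    clean_list "$1" | while IFS= read -r ip; do
        printf '%s\n' "-A BLOCKLIST -s $ip -j DROP"
    done
    printf 'COMMIT\n'
}

# Emit an ipset restore file that creates a *new* set named ${set}_new and
# fills it. Swapping it over the live set afterwards is atomic, so there is
# never a moment where the blocklist is half loaded.
gen_ipset_restore() {
    set_name=${2:-blocklist}
    printf 'create %s_new hash:net family inet hashsize 4096 maxelem 262144\n' "$set_name"
    clean_list "$1" | while IFS= read -r ip; do
        printf 'add %s_new %s\n' "$set_name" "$ip"
    done
}

# Stand-alone demo: write the constructed list to a temp file and show both
# generated files on stdout.
tmp=$(mktemp)
printf '%s' "$SAMPLE_LIST" > "$tmp"
gen_iptables_restore "$tmp" > "$tmp.rules"
gen_ipset_restore "$tmp" blocklist > "$tmp.ipset"
cat "$tmp.rules" "$tmp.ipset"

# Loading (root, real kernel):
#   Option A, iptables only:
#     iptables-restore --noflush "$tmp.rules"
#     iptables -C INPUT -j BLOCKLIST 2>/dev/null || iptables -I INPUT -j BLOCKLIST
#   Re-running the restore appends to BLOCKLIST again; run
#     iptables -F BLOCKLIST
#   first if the list is being replaced rather than extended.
#
#   Option B, ipset (one iptables rule, addresses live in the set):
#     ipset create -exist blocklist hash:net family inet hashsize 4096 maxelem 262144
#     iptables -C INPUT -m set --match-set blocklist src -j DROP 2>/dev/null || \
#         iptables -I INPUT -m set --match-set blocklist src -j DROP
#     ipset restore < "$tmp.ipset"        # fills blocklist_new
#     ipset swap blocklist_new blocklist  # atomic switch to the new list
#     ipset destroy blocklist_new
rm -f "$tmp" "$tmp.rules" "$tmp.ipset"
```

With option B the iptables rule is installed once and never changes; refreshing the list is a regenerate, restore, swap, destroy cycle, and single entries can be added or removed live with `ipset add blocklist ADDR` / `ipset del blocklist ADDR`. The `hash:net` type is used rather than `hash:ip` so CIDR entries in the list work without expansion; a bare address is stored as a /32.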