Blocking IP addresses

I've decided to move all my IP-address blocking out of the web and mail server software and put it straight at the front door, at router or kernel level, using the well-known netfilter tool iptables. Here's the part of my firewall script that does that:

# File with one IP address per line; lines starting with "#" are comments
SORRYDB="/path/to/list_with_ip_adresses_to_block"
# Read every line that is not a comment
IPS=$(grep -Ev "^#" "$SORRYDB")
for i in $IPS
do
    # Drop traffic coming from and going to each blocked address
    iptables -A INPUT -s "$i" -j DROP
    iptables -A OUTPUT -d "$i" -j DROP
done

You can paste this into other iptables scripts you may already be using, like this example or this one; just make sure it sits early enough in the rest of your firewalling (above all other DROP rules is usually fine).
As a result I now maintain a specialised IP blocklist for the server you are loading this page from; it contains the addresses of net users I don't want spamming here, or even looking around and wasting valuable server resources.
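Here is an added example (mine, not the post's own script) that keeps the same idea but puts the blocked addresses in a dedicated chain, validates each entry before handing it to iptables, and can be rerun after editing the list without appending duplicate rules. The chain name SORRY, the IPT dry-run variable and the sample list are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own script): load a blocklist into a dedicated
# chain so it can be reloaded without duplicating rules and always sits first.
SORRYDB="${SORRYDB:-/path/to/list_with_ip_adresses_to_block}"  # assumed path
CHAIN="SORRY"            # hypothetical chain name
IPT="${IPT:-iptables}"   # set IPT=echo to dry-run without touching netfilter

# Emit only well-formed IPv4 addresses or CIDR prefixes from the list file;
# blank lines, comment lines and trailing "# ..." comments are discarded.
parse_blocklist() {
    oct='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    sed 's/#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$1" |
        grep -E "^(${oct}\.){3}${oct}(/([0-9]|[12][0-9]|3[0-2]))?\$"
}

# (Re)build the chain from the file and hook it in at position 1 of INPUT
# and OUTPUT, so it is consulted before any other rule in those chains.
load_blocklist() {
    "$IPT" -N "$CHAIN" 2>/dev/null || true   # create the chain if missing
    "$IPT" -F "$CHAIN"                       # flush it: reloads never duplicate
    parse_blocklist "$1" | while read -r ip; do
        "$IPT" -A "$CHAIN" -s "$ip" -j DROP  # traffic from the address
        "$IPT" -A "$CHAIN" -d "$ip" -j DROP  # traffic to the address
    done
    # -C checks whether the jump already exists; insert it only once.
    "$IPT" -C INPUT  -j "$CHAIN" 2>/dev/null || "$IPT" -I INPUT  1 -j "$CHAIN"
    "$IPT" -C OUTPUT -j "$CHAIN" 2>/dev/null || "$IPT" -I OUTPUT 1 -j "$CHAIN"
}

# Constructed sample list for trying the parser offline; prints its path.
demo_blocklist() {
    f=$(mktemp)
    printf '# constructed sample\n\n203.0.113.7\n198.51.100.0/24  # whole range\n999.1.1.1\nnot-an-ip\n' > "$f"
    printf '%s\n' "$f"
}
```

Call `load_blocklist "$SORRYDB"` from your firewall script; running it again after editing the list replaces the old rules instead of appending to them.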

This Post Has 3 Comments

  1. jult

    Which router, where, in what setup?

  2. dennis

    it's busy on winmx!

    but uh, you say yourself that you're going to chuck everything into your netfilter .. so tell us.
    how, what, where? or do you mean you no longer have a home server running behind your cable router / or adsl modem?
