From: Roan H. <Roan@Horning.us> - 2007-05-25 19:31:29
A php system() call of the iptables command below is what's needed; unfortunately this system call most likely needs to be run as root. Another approach is to have the ccHost code create a shell script file which contains a list of iptables commands. Then have a cron job run the script every so many minutes. The php generated shell script (call it "dropBot.sh") would look something like:

-------------- next line down is first line of script ---------------------
#!/bin/sh
iptables -A INPUT -s <offending ip address> -j DROP
iptables -A INPUT -s <offending ip address> -j DROP
iptables -A INPUT -s <offending ip address> -j DROP
iptables -A INPUT -s <offending ip address> -j DROP
rm /<location of script>/dropBot.sh
----------------- previous line is last line of the script --------------------

The trickiest part for the php script that generates the dropBot.sh file is that it must regenerate the complete list of iptables commands every time it adds an ip address, since the last line of the script is used to erase the file, effectively resetting the list.

Another way to do this is to have two shell scripts, one called by the cron program which then runs a dropBot.sh script:

---------- runDropBot.sh is run as a cron job -------------------------
#!/bin/sh
/<location of script>/dropBot.sh
rm /<location of script>/dropBot.sh
-----------------------------------------------------------------------

-------------- dropBot.sh ---------------------------------------------
#!/bin/sh
iptables -A INPUT -s <offending ip address> -j DROP
iptables -A INPUT -s <offending ip address> -j DROP
-----------------------------------------------------

so the php script would check for the existence of dropBot.sh; if it does not exist, create a new dropBot.sh file that has the following first line:

#!/bin/sh

end if; the rest of the script just appends a line:

iptables -A INPUT -s <offending ip address> -j DROP

to the file.
The other thing to remember is the permissions must be set correctly for the scripts:

chmod 740 runDropBot.sh dropBot.sh

is probably best, which equals permissions for owner: read, write, execute; group: read; other: none. Owner/group for runDropBot.sh should be root; owner/group for dropBot.sh should be whatever php runs under. Since runDropBot.sh will run as root, it will be able to execute the dropBot.sh script.

In the /etc/crontab file include the following line to execute the runDropBot.sh script every 15 minutes:

0,15,30,45 * * * * root /<location of script>/runDropBot.sh

On a similar note, below is a script which will take a series of space delimited ip addresses or domain names and run the iptables command for each. It must be run as a user with iptables execute permissions (most likely the root user).

------- dropAddresses.sh --------
#!/bin/sh
for arg in "$@" ; do
    iptables -A INPUT -s "$arg" -j DROP
done
------------------------------------

Hope this is helpful,
Roan

Victor Stone wrote:
> On 5/24/07, Jon Phillips <jo...@cr...> wrote:
>
>> This makes sense. Where's the code for the auto-iptables add?
>>
>
> I don't know enough about unix shell to even pull that off.
>
> I type it in manually at the terminal command line
>
> some examples
>
> iptables -A INPUT -s 66.231.189.64 -j DROP
> iptables -A INPUT -s 71.13.115.117 -j DROP
> iptables -A INPUT -s 220.181.0.0/255.255.0.0 -j DROP
> iptables -A INPUT -s 85.214.42.112 -j DROP
>
>
> VS
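An added example, not code from Roan's post or from ccHost, building on the dropBot.sh generator and dropAddresses.sh above: it produces the dropBot.sh body only from arguments that parse as IPv4 addresses or IPv4/CIDR blocks, so whatever the web application collected is checked before it is written into a script that cron runs as root. Unlike dropAddresses.sh it rejects domain names on purpose; the function names is_ipv4_cidr and gen_dropbot are chosen here.

```shell
#!/bin/sh
# Added example, not code from Roan's post or from ccHost: build the body of
# dropBot.sh only from arguments that are well-formed IPv4 addresses or
# IPv4/CIDR blocks, so the web application can never write anything but an
# address into a script that cron later runs as root. Hostnames are rejected
# on purpose (dropAddresses.sh accepts them); the function names are ours.

# is_ipv4_cidr ADDR: succeed only for a.b.c.d or a.b.c.d/N (octets 0-255, N 0-32)
is_ipv4_cidr() {
    case "$1" in
        *[!0-9./]*|*..*|.*|*.|*/*/*|*/|/*) return 1 ;;  # bad characters or shape
    esac
    addr=${1%/*}                                      # part before the slash
    case "$1" in
        */*) mask=${1#*/} ;;
        *)   mask=32 ;;
    esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')        # split octets on the dots
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$mask" -le 32 ] 2>/dev/null                    # non-numeric mask fails too
}

# gen_dropbot ADDR...: print a dropBot.sh body (shebang plus one DROP rule per
# valid address) on stdout. Rejected arguments are reported on stderr and make
# the function return 1, so the caller can refuse to install a partial file.
gen_dropbot() {
    rc=0
    echo '#!/bin/sh'
    for arg in "$@"; do
        if is_ipv4_cidr "$arg"; then
            printf 'iptables -A INPUT -s %s -j DROP\n' "$arg"
        else
            printf 'gen_dropbot: rejected %s\n' "$arg" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh genDropBot.sh ADDR... > dropBot.sh  (runDropBot.sh then runs it as root)
if [ $# -gt 0 ]; then
    gen_dropbot "$@"
fi
```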