Martin Kos pointed out to me that my Add blocklists from blocklist.de to iptables script does not work when DNAT is used, because the INPUT chain is either not reached at all or only reached too late.
It is better to drop the packets not only in INPUT, but already in the PREROUTING chain of the mangle table.
To accomplish this, you only need to add -t mangle to the iptables command and replace the chain INPUT with PREROUTING.
The following graph (http://l7-filter.sourceforge.net/PacketFlow.png) illustrates the packet flow in the kernel:
The customized script is available here as a download.
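The following is an added example, not the author's blocklist.sh: it builds the same xt_recent based drop rule for both placements the post compares (INPUT versus mangle PREROUTING), inserts it idempotently, loads xt_recent with its ip_list_tot limit set at module load time, and adds an address to a list only after the corresponding /proc entry exists. The list name block-ssh, the limit 10000 and the sample address are assumptions.

```shell
#!/bin/sh
# Added example (not the original script). Assumed list name "block-ssh",
# limit 10000 and a TEST-NET-1 sample address; adjust to your own jails.

# Print the iptables arguments for a rule that drops every source address
# found in recent list $3.  $1 = INPUT|PREROUTING, $2 = -I|-C|-D.
# Moving the rule to PREROUTING only adds "-t mangle" and swaps the chain.
rule_args() {
    case $1 in
        INPUT)      table= ;;
        PREROUTING) table="-t mangle " ;;
        *) echo "unsupported chain: $1" >&2; return 1 ;;
    esac
    printf '%s' "$table$2 $1 -m recent --name $3 --rcheck -j DROP"
}

# Insert the PREROUTING rule only if it is not already there (-C checks).
ensure_rule() {          # $1 = list name
    # word splitting of the generated argument list is intended here
    iptables $(rule_args PREROUTING -C "$1") 2>/dev/null ||
        iptables $(rule_args PREROUTING -I "$1")
}

# ip_list_tot is fixed when xt_recent is loaded (writing it via /sys fails),
# so pass it to modprobe; if the module is already loaded, only report it.
load_recent() {          # $1 = maximum number of addresses per list
    p=/sys/module/xt_recent/parameters/ip_list_tot
    if [ -r "$p" ]; then
        echo "xt_recent already loaded, ip_list_tot=$(cat "$p")"
    else
        modprobe xt_recent ip_list_tot="$1"
    fi
}

# Add one IPv4 address to a list. /proc/net/xt_recent/NAME only appears once
# a rule with that --name exists, so ensure_rule must have run first.
add_ip() {               # $1 = list name, $2 = dotted IPv4 address
    case $2 in ''|*[!0-9.]*) echo "bad address: $2" >&2; return 1 ;; esac
    f=/proc/net/xt_recent/$1
    [ -w "$f" ] || { echo "list $1 missing: insert the rule first" >&2; return 1; }
    echo "+$2" > "$f"
}

if [ "${BLOCKLIST_APPLY:-0}" = 1 ]; then   # set BLOCKLIST_APPLY=1 to really apply
    load_recent 10000
    ensure_rule block-ssh
    add_ip block-ssh 192.0.2.10           # constructed sample address
fi
```

The functions need root and iptables only when BLOCKLIST_APPLY=1; without it the script just defines them, so it can be sourced from a cron job or another script.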
Hi Florian, thanks for the script.
So I have downloaded the script and it ran fine. Do I need to add this to cron to run every hour or so?
You can run the script using cron to update the blocklists. It depends on the selected blocklist how often they are changed. I use this as a daily cron.
Thanks Florian,
Everything seems good, however I am getting an error when running the script
blocklist.sh: line 125: echo: write error: Input/output error
Any ideas? When I look at ip_list_tot it has the permissions of 400, not 600 like your script says it should.
Hello, with version 1.1 I always get the following error message. Any idea what could cause it?
/etc/fail2ban/blocklist.sh: line 125: echo: write error: Input/output error
-r-------- 1 root root 4096 Jan 18 12:08 ip_list_tot
Regards, Hauke
which os?
CentOS 6.7
For some reason (I have no idea at the moment 😉), you can't change any files in (at least) /proc/net using echo VALUE. You can set the limits when you load the kernel module. Set the module limits to a value like 10.000 or, maybe better, skip recent and add the IPs into the chain. I will create a 2nd script that does not use xt_recent and publish it on my git.
Hello,
Thanks for this script, I’m trying to use it on Ubuntu but I cannot modify ip_list_tot (line 125 – 100 by default):
line 125: echo: write error: input/output error
I think I may change it upon reboot with some parameters somewhere but I was wondering if it could be done in another way within your script?
Cheers!
If you cannot change the value with a simple echo, you can also (re)load the module with a different value for ip_list_tot.
Unload the module with
modprobe -r ipt_recent
and load the module with a different value (2000):
modprobe ipt_recent ip_list_tot=2000
Try to change the line
echo $MAX_IP > /sys/module/xt_recent/parameters/ip_list_tot
to
modprobe -r ipt_recent
modprobe ipt_recent ip_list_tot=$MAX_IP
Hi,
the modprobe -r ipt_recent results in “modprobe: FATAL: Module xt_recent is in use” on Ubuntu 16.04.
Is there any solution for it?
Sören
Hi,
I found your script and tested it on my server.
Can I somehow check whether the IPs are being blocked?
When I run e.g. 'iptables -L -n --line | grep 103.13.120.108', I do not get any hit, although the IP 103.13.120.108 is on the ssh blocklist.
When I do the same with IPs that fail2ban has blocked, I do see output.
Regards
Tim
Check the recent-entries with cat /proc/net/xt_recent/JAIL
Hello, great script, thank you very much. 🙂 A small suggestion for improvement: unfortunately, on the first run of the script after a reboot I always get the following error message (see below). Surely that can be caught elegantly somehow? It would be a nice addition that I, at least, would be happy about. Regards, Hauke
chmod: cannot access `/sys/module/xt_recent/parameters/ip_list_tot': No such file or directory
/etc/fail2ban/blocklist.sh: line 121: /sys/module/xt_recent/parameters/ip_list_tot: No such file or directory
chmod: cannot access `/sys/module/xt_recent/parameters/ip_list_tot': No such file or directory
done. 😉
thx 🙂
Script link seems bad can you please update thanks.
The link is fine. But the server went down during holidays 😉
Hello!
Perhaps one more small addition. To run the script from a crontab on my system, I had to add a PATH variable:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
Apart from that, a log function would be very nice. That way one could see right away what your small and very useful script actually achieves.
Regards
I don't know why you need the path. Usually iptables and wget should be inside the "normal" path.
Logging would be nice. I will add this to the script even if it requires logger.
The log-function and the path-variable are available with the latest release. Please see here for the script or checkout git.schaal-24.de
Ah, that solved my problem, thank you. I feel like an idiot, I didn’t think to check for the kernel module. I was convinced that there was some limit set somewhere, and I was Googling for the wrong things. Thanks again!
Hi, I’m having a bit of trouble, hoping you can help. When I run your script without modification, I get:
processing ssh
processing mail
insert rule for chain in PREROUTING
iptables: No chain/target/match by that name.
./blocklist: line 90: /proc/net/xt_recent/block-mail: No such file or directory
./blocklist: line 92: /proc/net/xt_recent/block-mail: No such file or directory
(last message repeated about 14000 times)
processing apache
insert rule for chain in PREROUTING
iptables: No chain/target/match by that name.
./blocklist: line 90: /proc/net/xt_recent/block-apache: No such file or directory
./blocklist: line 92: /proc/net/xt_recent/block-apache: No such file or directory
(last message repeated about 11000 times)
processing imap
insert rule for chain in PREROUTING
iptables: No chain/target/match by that name.
./blocklist: line 90: /proc/net/xt_recent/block-imap: No such file or directory
./blocklist: line 92: /proc/net/xt_recent/block-imap: No such file or directory
(repeated)
processing ftp
processing sip
processing bots
insert rule for chain in PREROUTING
iptables: No chain/target/match by that name.
./blocklist: line 90: /proc/net/xt_recent/block-bots: No such file or directory
./blocklist: line 92: /proc/net/xt_recent/block-bots: No such file or directory
(repeated)
processing strongips
processing ircbot
insert rule for chain in PREROUTING
iptables v1.4.20: Couldn't load match `recent-m':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
./blocklist: line 90: /proc/net/xt_recent/block-ircbot: No such file or directory
When I ‘ls’ the directory /proc/net/xt_recent/, I get:
block-all
block-ftp
block-sip
block-ssh
block-strongips
When I ‘touch /proc/net/xt_recent/block-bots’, I get:
touch: cannot touch ‘block-bots’: No such file or directory
I think the problem may not be with your script, but with my configuration. I was hoping maybe you've seen this before and could point me in the right direction.
Maybe this link helps you?