<div dir="ltr">This is great. I had no idea `ipset` exists. And it looks like it has been backported to RHEL 6; I see some firewall re-writing in my future.</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 25, 2016 at 11:48 PM, Alex Carver <span dir="ltr"><<a href="mailto:agcarver+ale@acarver.net" target="_blank">agcarver+ale@acarver.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I would actually do something entirely different and use ipsets and the<br>
PREROUTING chain.<br>
<br>
Set up a new chain:<br>
<br>
iptables -N bad_test_scores<br>
iptables -A bad_test_scores -m set --match-set badtestscores src -j LOG<br>
--log-prefix="bad test score:"<br>
iptables -A bad_test_scores -m set --match-set badtestscores src -j REJECT<br>
iptables -A PREROUTING -j bad_test_scores<br>
<br>
The PREROUTING chain is ahead of the decision point to traverse FORWARD<br>
or INPUT. It will catch that IP so you don't need an additional squid<br>
entry.<br>
<br>
<br>
<br>
Then separately use ipset to add your IPs:<br>
<br>
ipset add badtestscores ${IP}<br>
<br>
or remove them:<br>
<br>
ipset del badtestscores ${IP}<br>
<br>
<br>
This part you can script with MQTT or similar and you won't have to<br>
touch iptables after the above setup. Just remember to properly<br>
sanitize your input.<br>
<div><div class="h5"><br>
On 2016-08-25 18:48, Chris Fowler wrote:<br>
> I'm trying to figure out the best way to add and remove iptables rules as required.<br>
><br>
> I use this block a laptop due to bad tests scores :)<br>
><br>
><br>
> IP=192.168.1.153<br>
> #iptables -P FORWARD DROP<br>
> iptables -I FORWARD -s 0/0 -d ${IP} -j DROP<br>
> iptables -I FORWARD -s ${IP} -d 0/0 -j DROP<br>
> # Squid<br>
> iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3128 -s ${IP}/32 -j REJECT<br>
> iptables -A INPUT -i eth0 -p udp -m udp --dport 3128 -s ${IP}/32 -j REJECT<br>
><br>
> First two stops routing. Second blocks squid access.<br>
><br>
> Normally I'll just do an iptables-restore, but I'm fail2ban andminiupnpd. The<br>
> restore blows away their rules.<br>
><br>
> Do I create a custom chain for INPUT and FORWARD and simply delete rules in<br>
> that? Using MQTT this will become push button and the wife will simply push a<br>
> button on and then off.<br>
><br>
><br>
><br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo</a><br>
><br>
<br>
______________________________<wbr>_________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/<wbr>listinfo</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">James Sumners<br><a href="http://james.sumners.info/" target="_blank">http://james.sumners.info/</a> (technical profile)<br><a href="http://jrfom.com/" target="_blank">http://jrfom.com/</a> (personal site)<br><a href="http://haplo.bandcamp.com/" target="_blank">http://haplo.bandcamp.com/</a> (music)</div>
</div>