So I have the following script that blocks IPs:
#!/bin/bash
# here's your list of IPs
CURRENT_BL=/path/to/my/ip_black_list.txt
# create the chain if it does not exist yet, then flush it so the script can be re-run
iptables -N BLACKHOLE 2>/dev/null
iptables -F BLACKHOLE
for BAD_IP in $(cat "$CURRENT_BL")
do
    ipset add ipset-blacklist "$BAD_IP" 2>/dev/null || \
        echo "Failed to add ${BAD_IP}"
done
# REJECT the matching target
iptables -A BLACKHOLE -p all -m set --match-set ipset-blacklist src -j REJECT
iptables -A BLACKHOLE -j RETURN
# assume your nginx is on 80 and 443 (-C checks first so re-running does not append duplicate INPUT rules)
iptables -C INPUT -p tcp -m multiport --destination-ports 80,443 -j BLACKHOLE 2>/dev/null || \
    iptables -A INPUT -p tcp -m multiport --destination-ports 80,443 -j BLACKHOLE
iptables -C INPUT -p tcp -m multiport --destination-ports 80,443 -j ACCEPT 2>/dev/null || \
    iptables -A INPUT -p tcp -m multiport --destination-ports 80,443 -j ACCEPT
The ipset was created with the following command:
ipset create ipset-blacklist hash:ip
It is all working fine with IPv4 now but the problem is with IPv6, I am getting the following error: Syntax error: cannot parse 2003:e6:6f03:7b80:21dc:54c8:ac26:552b: resolving to IPv4 address failed
How can I make this script read both types of IPs?
Best Answer
You need to create the ipset using the following command:
The option

family { inet | inet6 }

defines the protocol family of the IP addresses to be stored in the set. By default it is inet (IPv4). For more info, you can see man ipset.

Also, you need to use ip6tables instead of iptables. Otherwise, you will get an error similar to this (I created a test6 ipset with family inet6)