Snap! Websites
An Open Source CMS System in C++
The iplock tool is a very simple to use executable used to add or remove IP addresses to your iptables firewall to protect your services such as Apache and Postfix and all local systems.
The tool reads a set of configuration files under /etc/iplock/... where iptables commands and ports are defined. It is used by the tool to generate the iptables commands to run in order to block or unblock a set of IP addresses.
The current version supports any number of configurations that can apply blocks in any number of firewall chains. The default offers blocks for specific sets of ports as defined by:
You can get the source it from GitHub iplock or get the pre-compiled package for Ubuntu from launchpad (packages).
The usage of the tool is very simple:
iplock [-r|-b] ip-address ...
The -r (or --remove) is used to remove the list of ip-addresses from the iptables firewall.
The -b (or --block) is used to add the list of ip-addresses to the iptables firewall. Blocking is the default when no options are specified.
The tool also understands -h (or --help) and displays usage in that case.
At this time, the IP addresses are limited to IPv4, but the tool will be extended to support IPv6 addresses and most certainly masks (i.e. 1.2.0.0/15 is not currently supported.)
This tool is used for security reasons. We do not want a standard service, such as snapfirewall, to be able to change the firewall directly. This tool can become root as required to change the firewall for such services. Your Apache or Postfix tools should not be directly capable of such a feat.
The configuration file currently supports 3 variables that must be defined:
TODO: update these because it has evolved quite a bit since I wrote it.
A set of comma separated ports. You can also include spaces.
Example to block the IP address of your Web server on standard and SSL ports:
ports=80, 443
If no ports are defined in the ports variable, then no block or unblock commands will run.
There are no default ports.
The block variable is to be set to the iptables command line that will block this user in your firewall. An extension will be to offer several commands so one could block multiple servers.
Example to block IP addresses on eth0 in a list called spammers:
block=iptables -t filter -A spammers -i eth0 -p tcp -m tcp
-s [ip] --dport [port] --syn -j DROP
IMPORTANT: the command line must be written on a single line.
The block and unblock commands can include the special entries [ip] and [port] which will be replaced by the IP address as passed on the command line and the ports as defined in the ports variable.
Note that the -j command will depend on your taste. It could be -j REJECT too. You could also implement some other fun things. The DROP is a good idea because the sender has to timeout which can be a very long time (minutes!) You may also send them to another target which will record the hacker hits.
There is no default block command.
This is essentially the same as the block variable, only it is used to remove the IP address from your firewall. Some tools may consider that after a certain amount of time an IP address can be considered safe and thus remove it from its firewall1.
Example to unblock IP addresses on br3 in a list called DoS:
unblock=iptables -t filter -D DoS -i br3 -p tcp -m tcp
-s [ip] --dport [port] --syn -j DROP
IMPORTANT: the command line must be written on a single line.
In most cases, the iptables order to unblock is exactly the same as the one to block except for the -A option that becomes -D.
There is no default unblock command.
There is another project that can be used to extend the xtables capabilities, it is called xtables-addons. This can be used to check IPs with many additional checks including, for example, a geographic location of the IP or quotas.
The project is already pretty mature and can be used on a production system.
Snap! Websites
An Open Source CMS System in C++
