iplock firewall tool

The iplock tool is a very simple executable used to add IP addresses to, or remove them from, your iptables firewall in order to protect services such as Apache and Postfix.

The tool reads a configuration file (/etc/network/iplock.conf) in which the iptables commands and the ports are defined. From these it generates the iptables commands to run in order to block or unblock a set of IP addresses.

You can download it from SourceForge.net: iplock or get the package for Ubuntu from launchpad (packages).

The usage of the tool is very simple:

iplock [-r|-b] ip-address ...

The -r (or --remove) option removes the listed IP addresses from the iptables firewall.

The -b (or --block) option adds the listed IP addresses to the iptables firewall. Blocking is the default when no option is specified.

The tool also understands -h (or --help) and displays usage in that case.

At this time the IP addresses are limited to IPv4. The tool will be extended to support IPv6 addresses and most certainly network masks (a CIDR range such as 1.2.0.0/15 is not currently supported).
</gml_replace>
<gr_replace lines="21" cat="clarify" orig="This tool is used">
This tool exists for security reasons: we do not want an ordinary server process to be able to change the firewall. iplock becomes root only as required to change the firewall; your Apache or Postfix processes themselves should never be capable of such a feat.

This tool is used for security reasons. We do not want a standard server to be able to change the firewall. This tool can become root as required to change the firewall. Your Apache or Postfix tools should not be capable of such a feat.

The configuration file currently supports 3 variables that must be defined:

1) ports

A comma-separated list of ports. Spaces around the commas are allowed.

Example: block IP addresses on your Web server's standard and SSL ports:

ports=80, 443

If no ports are defined in the ports variable, then no block or unblock commands will run.

There are no default ports.

2) block

The block variable holds the iptables command line that blocks the given IP address in your firewall. A planned extension is to allow several commands, so that multiple servers can be blocked at once.

Example: block IP addresses on eth0 in a chain called spammers:

block=iptables -t filter -A spammers -i eth0 -p tcp -m tcp -s [ip] --dport [port] --syn -j DROP

IMPORTANT: the command line must be written on a single line.

The block and unblock commands may contain the special entries [ip] and [port]; [ip] is replaced by each IP address passed on the command line and [port] by each port defined in the ports variable.

Note that the -j target is a matter of taste; it could be -j REJECT instead, and other targets are possible. DROP is a good choice because the sender has to wait for a timeout, which can be very long (minutes!). You may also jump to another target that logs the attacker's hits.

There is no default block command.

3) unblock

This is essentially the same as the block variable, except that it is used to remove the IP address from your firewall. Some tools may consider that, after a certain amount of time, an IP address can be regarded as safe again and remove it from the firewall[1].

Example: unblock IP addresses on br3 in a chain called DoS:

unblock=iptables -t filter -D DoS -i br3 -p tcp -m tcp -s [ip] --dport [port] --syn -j DROP

IMPORTANT: the command line must be written on a single line.

In most cases the iptables command to unblock is exactly the same as the one to block, except that the -A option (append) becomes -D (delete).

There is no default unblock command.
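As an added illustration (not the project's own code), the following Python script re-implements the configuration handling described above: it reads an iplock.conf-style file, validates the address list under the current IPv4-only, no-mask limitation, and expands the block or unblock template once for every (ip, port) pair. SAMPLE_CONF is a constructed configuration and the function names are my own; the script only generates the argument vectors, it does not run iptables.

```python
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample of an /etc/network/iplock.conf file (not the project's own file).
SAMPLE_CONF = """\
# ports the rules apply to; commas with or without spaces are accepted
ports=80, 443
block=iptables -t filter -A spammers -i eth0 -p tcp -m tcp -s [ip] --dport [port] --syn -j DROP
unblock=iptables -t filter -D spammers -i eth0 -p tcp -m tcp -s [ip] --dport [port] --syn -j DROP
"""

REQUIRED_KEYS = ("ports", "block", "unblock")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored.
    Each command must sit on a single line, as the page requires."""
    conf: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in conf]
    if missing:
        raise ValueError(f"missing required variable(s): {', '.join(missing)}")
    return conf


def parse_ports(value: str) -> List[int]:
    """Split the ports variable on commas, tolerating spaces, and range-check."""
    ports: List[int] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    return ports


def validate_ipv4(addr: str) -> str:
    """Accept only a plain IPv4 host address: no IPv6 and no CIDR mask,
    which mirrors the tool's documented limitation."""
    if "/" in addr:
        raise ValueError(f"masks are not supported: {addr}")
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage input
    if ip.version != 4:
        raise ValueError(f"only IPv4 is supported: {addr}")
    return str(ip)


def generate_commands(conf: Dict[str, str], addresses: List[str],
                      remove: bool = False) -> List[List[str]]:
    """Expand the block (or, with remove=True, unblock) template for every
    (ip, port) pair. Returns argv lists rather than strings so that a caller
    can hand them to subprocess.run() without a shell; the substituted [ip]
    value is then never interpreted by /bin/sh."""
    ports = parse_ports(conf["ports"])
    if not ports:
        return []  # the page's rule: no ports defined, no commands run
    template = shlex.split(conf["unblock" if remove else "block"])
    commands: List[List[str]] = []
    for addr in addresses:
        ip = validate_ipv4(addr)
        for port in ports:
            argv = [a.replace("[ip]", ip).replace("[port]", str(port)) for a in template]
            commands.append(argv)
    return commands


if __name__ == "__main__":
    cfg = parse_conf(SAMPLE_CONF)
    for argv in generate_commands(cfg, ["203.0.113.7"]):
        print(" ".join(argv))
```

Building argv lists instead of a single shell string is the part worth copying: the address comes from the caller, so substituting it into a string that is later passed to a shell would let a malformed "address" inject extra commands into a root-privileged run.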

Another Project of Interest in that Arena

Another project can be used to extend the capabilities of xtables: it is called xtables-addons. It adds many additional IP checks, including, for example, matching on the geographic location of an IP address or enforcing quotas.

That project is already fairly mature and can be used on a production system.

[1] Note also that if too many IP addresses are added to your iptables rules, packet filtering gets slow.
Snap! Websites
An Open Source CMS System in C++

Contact Us Directly