Sometimes this script fails to update the iptables
Posted by AlJo on Server Fault
Published on 2014-08-24T23:33:28Z
Indexed on 2014/08/25 4:22 UTC
iptables | spam-prevention
It does not happen often, but sometimes after running the script below, checking the iptables with service iptables status
shows that they weren't updated, and the script doesn't output any error.
The iptables rules are structured as a look-up tree (long repeated sections snipped):
#!/bin/sh
iptables -t nat -F
iptables -t nat -X
iptables -F
iptables -X
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 93.225.0.0/16 -j ACCEPT
iptables -A INPUT -s 15.102.0.0/16 -j ACCEPT
iptables -A INPUT -s 47.122.0.0/16 -j ACCEPT
iptables -N MY_CHAIN_L1-0
iptables -N MY_CHAIN_L1-1
iptables -N MY_CHAIN_L1-2
iptables -N MY_CHAIN_L1-3
iptables -N MY_CHAIN_L1-4
iptables -N MY_CHAIN_L1-5
iptables -N MY_CHAIN_L1-6
iptables -N MY_CHAIN_L1-7
iptables -N MY_CHAIN_L1-8
iptables -N MY_CHAIN_L1-9
iptables -N MY_CHAIN_L1-10
iptables -N MY_CHAIN_L1-11
iptables -N MY_CHAIN_L1-12
iptables -N MY_CHAIN_L1-13
iptables -N MY_CHAIN_L1-14
iptables -N MY_CHAIN_L1-15
iptables -N MY_CHAIN_L1-16
iptables -N MY_CHAIN_L1-17
iptables -N MY_CHAIN_L1-18
iptables -N MY_CHAIN_L1-19
iptables -N MY_CHAIN_L1-20
iptables -N MY_CHAIN_L1-21
iptables -N MY_CHAIN_L1-22
iptables -N MY_CHAIN_L1-23
iptables -N MY_CHAIN_L1-24
iptables -N MY_CHAIN_L1-25
iptables -N MY_CHAIN_L1-26
iptables -N MY_CHAIN_L1-27
iptables -N MY_CHAIN_L1-28
iptables -N MY_CHAIN_L1-29
iptables -N MY_CHAIN_L1-30
iptables -N MY_CHAIN_L1-31
iptables -N MY_CHAIN_L1-32
iptables -N MY_CHAIN_L1-33
iptables -N MY_CHAIN_L1-34
iptables -N MY_CHAIN_L1-35
iptables -N MY_CHAIN_L1-36
iptables -N MY_CHAIN_L1-37
iptables -A INPUT -m iprange --src-range 1.54.96.0-5.133.179.255 -j MY_CHAIN_L1-0
iptables -A INPUT -m iprange --src-range 5.133.180.0-24.113.159.255 -j MY_CHAIN_L1-1
[snip]
iptables -A INPUT -m iprange --src-range 195.13.45.0-198.11.255.255 -j MY_CHAIN_L1-29
iptables -A INPUT -m iprange --src-range 198.12.64.0-199.19.215.255 -j MY_CHAIN_L1-30
iptables -A INPUT -m iprange --src-range 199.21.96.0-200.31.3.255 -j MY_CHAIN_L1-31
iptables -A INPUT -m iprange --src-range 200.31.11.0-202.171.255.255 -j MY_CHAIN_L1-32
iptables -A INPUT -m iprange --src-range 203.130.134.192-206.212.255.255 -j MY_CHAIN_L1-33
iptables -A INPUT -m iprange --src-range 206.214.64.0-211.155.95.255 -j MY_CHAIN_L1-34
iptables -A INPUT -m iprange --src-range 212.19.128.0-216.176.191.255 -j MY_CHAIN_L1-35
iptables -A INPUT -m iprange --src-range 216.189.0.0-218.23.255.255 -j MY_CHAIN_L1-36
iptables -A INPUT -m iprange --src-range 218.30.96.0-223.255.231.255 -j MY_CHAIN_L1-37
iptables -A MY_CHAIN_L1-0 -s 1.54.96.0/20 -j DROP
iptables -A MY_CHAIN_L1-0 -s 1.208.0.0/12 -j DROP
iptables -A MY_CHAIN_L1-0 -s 1.224.0.0/11 -j DROP
[snip]
iptables -A MY_CHAIN_L1-0 -s 5.133.178.0/23 -j DROP
iptables -A MY_CHAIN_L1-0 -j ACCEPT
iptables -A MY_CHAIN_L1-1 -s 5.133.180.0/22 -j DROP
iptables -A MY_CHAIN_L1-1 -s 5.135.0.0/16 -j DROP
iptables -A MY_CHAIN_L1-1 -s 5.153.232.0/21 -j DROP
[snip]
iptables -A MY_CHAIN_L1-1 -s 24.113.128.0/19 -j DROP
iptables -A MY_CHAIN_L1-1 -j ACCEPT
.
.
.
iptables -A MY_CHAIN_L1-29 -s 195.13.45.0/24 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.20.224.0/19 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.31.216.0/26 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.58.245.0/24 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.60.164.0/23 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.60.240.0/22 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.62.10.0/23 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.110.30.0/23 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.154.0.0/16 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.190.13.0/24 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.211.152.0/22 -j DROP
iptables -A MY_CHAIN_L1-1 -j ACCEPT
[snip more of same to end of script]
Can anyone see why this script would silently fail to update the iptables sometimes? Maybe it's not the script?
Thanks
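Added example, not part of the question or the poster's script: the posted script runs a few thousand separate iptables commands after flushing, so a command that fails part-way through leaves the table half-built and, without set -e, nothing stops the script or reports it. The sketch below generates the same look-up-tree layout (one INPUT dispatch rule per source range, a chain of DROP rules ending in ACCEPT) from a small table, loads it with iptables-restore so the kernel commits the whole table in one transaction or rejects it with a non-zero exit status, and then counts the MY_CHAIN_L1-* chains in iptables -S to confirm the load actually landed. Generating the rules also avoids hand-editing slips like the trailing ACCEPT that the posted MY_CHAIN_L1-29 block appends to MY_CHAIN_L1-1. The TREE data and the chain names are constructed for this example; the site-specific ACCEPT rules for 93.225.0.0/16 and friends would go into the header of build_ruleset.

```shell
#!/bin/sh
# Added example: fail-fast, verifiable loading of a lookup-tree ruleset.
# Not the poster's script; TREE below is constructed sample data.
set -eu

# One line per lookup chain: "<src-range> <cidr-to-drop> [<cidr-to-drop> ...]"
TREE='1.54.96.0-5.133.179.255 1.54.96.0/20 1.208.0.0/12 5.133.178.0/23
5.133.180.0-24.113.159.255 5.133.180.0/22 5.135.0.0/16 24.113.128.0/19'

# Number of lookup chains a TREE describes (one per non-blank line).
count_tree_chains() {
    printf '%s\n' "$1" | grep -c . || true
}

# Emit the ruleset in iptables-restore format. iptables-restore flushes each
# table named here and applies the whole file atomically, replacing the
# separate -F/-X/-N/-A commands of the hand-written script.
build_ruleset() {
    tree=$1
    printf '*nat\nCOMMIT\n'                      # flush nat, as the original did
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # Declare every lookup chain before any rule references it.
    i=0
    printf '%s\n' "$tree" | while read -r range cidrs; do
        [ -n "$range" ] || continue
        printf ':MY_CHAIN_L1-%d - [0:0]\n' "$i"
        i=$((i + 1))
    done
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    # Dispatch rule on INPUT, then the chain body: DROPs followed by ACCEPT.
    i=0
    printf '%s\n' "$tree" | while read -r range cidrs; do
        [ -n "$range" ] || continue
        printf -- '-A INPUT -m iprange --src-range %s -j MY_CHAIN_L1-%d\n' "$range" "$i"
        for c in $cidrs; do
            printf -- '-A MY_CHAIN_L1-%d -s %s -j DROP\n' "$i" "$c"
        done
        printf -- '-A MY_CHAIN_L1-%d -j ACCEPT\n' "$i"
        i=$((i + 1))
    done
    printf 'COMMIT\n'
}

# Count lookup chains in an `iptables -S` listing passed as text.
count_chains() {
    printf '%s\n' "$1" | grep -c '^-N MY_CHAIN_L1-' || true
}

# Load the ruleset and verify that the kernel now holds the expected chains.
# Any iptables-restore error is fatal under set -e instead of silent.
apply_ruleset() {
    build_ruleset "$1" | iptables-restore
    expected=$(count_tree_chains "$1")
    actual=$(count_chains "$(iptables -S)")
    if [ "$expected" -ne "$actual" ]; then
        echo "rules not applied: expected $expected lookup chains, found $actual" >&2
        return 1
    fi
    echo "applied $actual lookup chains"
}

# Only touch the live firewall when explicitly asked: `sh this.sh apply`
if [ "${1:-}" = apply ]; then
    apply_ruleset "$TREE"
fi
```

Run with no arguments it only defines the functions; `sh this.sh apply` (as root) loads the table. Because iptables-restore either commits everything or nothing, a partially applied table can no longer be mistaken for a successful run, and the post-load chain count catches the case the question describes, where the script ends without error yet `service iptables status` shows the old rules.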
© Server Fault or respective owner