I thought I had the idea of how to add an IP to be dropped like
iptables but after some further reading, I am not sure.
I add IPs to iptables that I find are trying to hack into or abuse
the system by using a script to examine log files and compile a list
of IPs and add them to iptables. Of course that requires a restart
of iptables for the new rules to take effect.
I thought I could add the IPs to the DROP zone as sources. That
apparently is not what I should do. That leaves me with what I
should do and whether it can be done.
I have over 8000 host IPs that I drop using:
-A INPUT -s 222.221.2.210 -j DROP
-A INPUT -s 222.221.12.13 -j DROP
-A INPUT -s 222.221.12.104 -j DROP
-A INPUT -s 222.221.88.88 -j DROP
How do I drop connections to hosts that have abused the privilege of
connecting to a service?
I was using

for i in $(grep DROP iptables | awk '{print $4}' | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4)
do
    firewall-cmd --permanent --zone=drop --add-source="${i}/32"
done
That is extremely slow, by the way, since two files are written for
each add. It took a long time to add 8000+ records. It would be nice
to have a batch mode to do multiple inserts.
The public zone is still default. The network interface is in zone
home and my VPN connection is in zone work.
Any guidance is greatly appreciated.
John
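The batch mode asked for above exists in the form of firewalld ipsets: create a set once, load every address with a single --add-entries-from-file call, and bind the set to the drop zone as a source. Sources bound to a zone are matched before interface bindings, so the interface sitting in the home zone does not get in the way. The script below is an added example, not code from John's post; it assumes the ipset is named "blocklist" and that the rules file uses the "-A INPUT -s a.b.c.d -j DROP" lines quoted above (iptables-save's "a.b.c.d/32" form is accepted as well).

```shell
#!/bin/sh
# Added example, not code from the original post: load a large blocklist into
# firewalld through an ipset in one firewall-cmd call instead of one
# --add-source call per address.
# Assumptions (not from the post): the ipset is called "blocklist", and the
# rules file is in the "-A INPUT -s a.b.c.d -j DROP" form quoted in the post
# (iptables-save's "a.b.c.d/32" form is accepted too).
set -eu

IPSET_NAME="blocklist"   # assumed name

# Print one CIDR per line for every "-s <addr> ... -j DROP" rule in the given
# file(s) (or stdin), adding /32 to bare hosts, de-duplicating, and sorting
# numerically by octet.
extract_drop_sources() {
    awk '
        /-j DROP/ {
            for (i = 1; i < NF; i++) {
                if ($i != "-s") continue
                addr = $(i + 1)
                if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) continue
                if (addr !~ /\//) addr = addr "/32"
                if (!seen[addr]++) print addr
            }
        }' "$@" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Number of distinct entries that would be loaded; check this before touching
# the firewall.
count_drop_sources() {
    extract_drop_sources "$@" | wc -l | tr -d ' '
}

# Create the ipset if needed, add every entry with a single
# --add-entries-from-file call, bind the set to the drop zone, and reload so
# the permanent configuration becomes the running one. Zone source bindings
# are matched before interface bindings, so this works even though the
# interface itself is in the home zone.
apply_blocklist() {
    rules_file="$1"
    entries="$(mktemp)"
    extract_drop_sources "$rules_file" > "$entries"

    # hash:net takes /32 hosts as well as larger prefixes; default maxelem is 65536.
    if ! firewall-cmd --permanent --info-ipset="$IPSET_NAME" >/dev/null 2>&1; then
        firewall-cmd --permanent --new-ipset="$IPSET_NAME" --type=hash:net
    fi
    firewall-cmd --permanent --ipset="$IPSET_NAME" --add-entries-from-file="$entries"
    firewall-cmd --permanent --zone=drop --add-source="ipset:$IPSET_NAME"
    firewall-cmd --reload
    rm -f "$entries"

    echo "ipset $IPSET_NAME now holds $(firewall-cmd --ipset="$IPSET_NAME" --get-entries | wc -l) entries"
}

# Only act when a rules file is given, e.g.: sh blocklist.sh /etc/sysconfig/iptables
if [ -n "${1:-}" ]; then
    echo "loading $(count_drop_sources "$1") distinct addresses from $1"
    apply_blocklist "$1"
fi
```

Later additions from the log-scanning script can go through the same --ipset=blocklist --add-entries-from-file path (or --add-entry for a single address) followed by --reload; the zone binding only has to be made once. hash:net is used rather than hash:ip so that whole abusive prefixes can be dropped later without rebuilding the set.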