block_ip.sh and iptables, version 2.1 RC1

Why is iptables recommended on CentOS 7 instead of the stock firewalld? BMF works fine with firewalld.
My block_ip.sh with small changes:

Code:
#!/bin/sh
#VERSION=2.1

# Block list: one "ip=dateblocked=<epoch seconds>" line per blocked address.
BF=/root/blocked_ips.txt
# Exempt list: one address per line; addresses found here are never blocked.
EF=/root/exempt_ips.txt
# "FreeBSD" selects the ipfw path, anything else the firewalld path.
OS=$(uname)

# Name of the iptables chain.  Only used in a progress message here; the
# actual iptables rule for it is commented out in favour of firewalld.
BLOCK_CHAIN=blocked_ips

#######################################
# Print the current block list wrapped in a <textarea>.
# The caller renders this script's stdout as HTML (hence the <br> and
# <textarea> markup around the firewall output).
# Globals:  OS (read) - "FreeBSD" lists the ipfw table, otherwise firewalld.
# Outputs:  HTML fragment on stdout; firewall tool errors go to stderr.
# NOTE(review): the firewall output is not HTML-escaped, so the rule text
# must stay free of markup for the page to be safe.
#######################################
curriptables()
{
	echo "<br><br><textarea cols=160 rows=60>";
	case "$OS" in
		FreeBSD)
			/sbin/ipfw table 10 list
			;;
		*)
			# Only the "drop" rich rules are of interest here.
			firewall-cmd --zone=public --list-all | grep drop
			# iptables equivalent, kept for reference:
			#/sbin/iptables -nL
			;;
	esac
	echo "</textarea>";
}

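### Main flow.  The address to block arrives in the environment variable "ip".
### Exit codes: 0 = blocked, 1 = error / refused, 2 = not blocked (exempt or
### already in the block file).  Output is rendered as HTML by the caller.
if [ "$ip" = "" ]; then
        echo "No ip has been passed via env.";
        exit 1;
fi

### $ip is interpolated into a firewalld rich rule, a grep pattern, the block
### file and the HTML output, so refuse anything that is not plain address
### syntax (digits, hex, ".", ":" and "/" for a prefix length) before it is
### used anywhere.  The value itself is deliberately not echoed back.
case "$ip" in
	*[!0-9A-Fa-f.:/]*)
		echo "Refusing to block: address contains unexpected characters.";
		exit 1;
		;;
esac

### firewalld needs the address family spelled out; a colon means IPv6.
case "$ip" in
	*:*) FAMILY=ipv6 ;;
	*)   FAMILY=ipv4 ;;
esac

### Do we have a block file?
if [ ! -e "$BF" ]; then
	echo "Cannot find $BF";
	exit 1;
fi

### Do we have an exempt file?
if [ ! -e "$EF" ]; then
        echo "Cannot find $EF";
        exit 1;
fi

### Make sure it's not exempt.  -F -x is an exact whole-line match, so the
### dots in the address are not regex wildcards (1.2.3.4 must not match
### 1x2y3z4 or 1.2.3.45).
COUNT=$(grep -F -x -c -- "$ip" "$EF");
if [ "$COUNT" -ne 0 ]; then
        echo "$ip in the exempt list ($EF). Not blocking.";
        curriptables
        exit 2;
fi

### Make sure it's not already blocked.  Block-file lines look like
### "ip=dateblocked=<epoch>", so compare only the part before the first "=".
COUNT=$(cut -d= -f1 "$BF" | grep -F -x -c -- "$ip");
if [ "$COUNT" -ne 0 ]; then
	echo "$ip already exists in $BF ($COUNT). Not blocking.";
	curriptables
	exit 2;
fi

echo "Blocking $ip ...<br>";

if [ "$OS" = "FreeBSD" ]; then
	/sbin/ipfw -q table 10 add "$ip"
	RC=$?
else
	echo "Adding $ip into ${BLOCK_CHAIN} chain...";
	RULE="rule family=\"$FAMILY\" source address=\"$ip\" drop"
	# Add the rule to the running firewall and to the permanent config
	# separately instead of "--permanent" followed by "--reload": a reload
	# re-reads the whole permanent configuration, discards any runtime-only
	# rules, and is much slower than a single rule insert.
	firewall-cmd --zone=public --add-rich-rule="$RULE" && \
	firewall-cmd --permanent --zone=public --add-rich-rule="$RULE"
	RC=$?
#	/sbin/iptables -A ${BLOCK_CHAIN} -s "$ip" -j DROP
fi

### Do not claim success if the firewall tool rejected the rule.
if [ "$RC" -ne 0 ]; then
	echo "Firewall command failed (exit $RC); $ip was NOT blocked.";
	exit 1;
fi

### Record the block only after the firewall accepted it.  Writing first
### (as before) left a stale entry on failure, and every later attempt for
### the same address then stopped at the "already exists" check above.
echo "$ip=dateblocked=$(date +%s)" >> "$BF";

echo "<br><br>Result:";

curriptables

exit 0;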
 