Question On Iptables
I am getting this error…
Try `iptables -h' or 'iptables --help' for more information. iptables v1.4.7: Couldn't load target
`Spamhaus':/lib64/xtables/libipt_Spamhaus.so: cannot open shared object file: No such file
yum provides says not found also. CentOS 6.5 x86_64
Thoughts?
Thanks,
Jerry
5 thoughts on - Question On Iptables
I did not send the exact command I used but it is "yum provides /lib64/xtables/libipt_Spamhaus.so"
No matches found.
I am using this script to block spam:
#!/bin/bash
IPTABLES=/sbin/iptables
FILE="/tmp/drop.txt"
URL="http://www.spamhaus.org/drop/drop.txt"
# unhook and remove the old chain
$IPTABLES -D INPUT -j Spamhaus
$IPTABLES -D OUTPUT -j Spamhaus
$IPTABLES -D FORWARD -j Spamhaus
$IPTABLES -F Spamhaus
$IPTABLES -X Spamhaus
# fetch the current DROP list
cd /tmp
wget $URL
# rebuild the chain from the list plus the local custom file
$IPTABLES -N Spamhaus
blocks=$(cat $FILE | egrep -v '^;' | awk '{ print $1}')
for ipblock in $blocks; do
$IPTABLES -A Spamhaus -s $ipblock -j DROP
done
blocks=$(cat /etc/silentm/firewall_custom.conf | egrep -v '^;' | awk '{ print $1}')
for ipblock in $blocks; do
$IPTABLES -A Spamhaus -s $ipblock -j DROP
done
# hook the chain back in
$IPTABLES -I INPUT -j Spamhaus
$IPTABLES -I OUTPUT -j Spamhaus
$IPTABLES -I FORWARD -j Spamhaus
This script then outputs that error about the missing .so
jerry
On 14.07.2014 23:13, Jerry Geis wrote:
It means that your script is not correct[1] and by error tries to load a helper module which does not exist. So fix your script.
[1] “cat | grep | awk” constructs are far from being elegant.
Alexander
I think that these are not too bad. And you can use xargs instead of a for loop.
If you have another suggestion you can throw the one-liner here.
Eliezer
On 15.07.2014 01:51, Eliezer Croitoru wrote:
The OP's code snippet:
blocks=$(cat $FILE | egrep -v '^;' | awk '{ print $1}')
for ipblock in $blocks; do
$IPTABLES -A Spamhaus -s $ipblock -j DROP
done
Running without the pipe construct because awk can do that all by itself
(reading the source file and inverse grepping):
# awk skips the ';' comment lines and prints the first field; no cat or egrep needed
while read ipblock; do
$IPTABLES -A Spamhaus -s $ipblock -j DROP
done < <(awk '!/^;/ { print $1 }' $FILE)
Alexander
Thanks Alexander,
Indeed you are right, it can be done, and with very big files it will mean a lot.
Also he might consider using ipset instead of basic iptables to make the lookup a bit faster, but it should be OK as it is.
Eliezer
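An added example, not code posted in this thread: a rewrite of the script that keeps the same chain name, file and URL, parses the DROP list with a single awk program (as Alexander suggested), accepts only well-formed IPv4 prefixes so a corrupted download cannot turn into bad iptables arguments, and creates the Spamhaus chain before any rule references it. That ordering is what the error in the original post is about: when -j names a chain that does not exist, iptables looks it up as a target extension (libipt_<name>.so), and on the first run of the original script the "-D ... -j Spamhaus" calls come before "-N Spamhaus". The DRY_RUN variable, the extract_blocks and rebuild_chain function names and the --run flag are conventions of this example, not part of iptables; the sample list in the comments is constructed, and ipset (Eliezer's suggestion) is not used here.

```shell
#!/bin/bash
# Added example (not the original poster's script): rebuild a Spamhaus DROP chain
# from a DROP-format list, creating the chain before anything references it.
set -u

IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=Spamhaus
FILE=${FILE:-/tmp/drop.txt}
URL="http://www.spamhaus.org/drop/drop.txt"

# Read a DROP-format list on stdin and print one IPv4 prefix per line.
# Data lines look like "1.2.3.0/24 ; SBL123"; lines starting with ';' are comments.
# Anything that is not a.b.c.d/len with 0 <= len <= 32 and octets <= 255 is dropped,
# so garbage in the download never reaches iptables.
extract_blocks() {
    awk '!/^[[:space:]]*;/ && NF > 0 {
        if (split($1, p, "/") != 2 || p[2] !~ /^[0-9]+$/ || p[2]+0 > 32) next
        if (split(p[1], o, ".") != 4) next
        for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i]+0 > 255) next
        print $1
    }'
}

# Read validated prefixes on stdin and (re)build the chain.
# With DRY_RUN=1 (an assumed convention of this example) the iptables commands are
# printed instead of executed, which is also how the example is exercised offline.
rebuild_chain() {
    local run="$IPTABLES" hook ipblock
    if [ "${DRY_RUN:-0}" = 1 ]; then
        run="echo $IPTABLES"   # unquoted $run below splits into: echo /sbin/iptables
    fi
    # Create the chain first; if it already exists iptables returns an error we ignore.
    # After this line the chain is guaranteed to exist, so "-j $CHAIN" is always a chain
    # reference and never a target-module lookup.
    $run -N "$CHAIN" 2>/dev/null || true
    # Unhook the chain from the built-in chains (ignored if it was not hooked yet).
    for hook in INPUT OUTPUT FORWARD; do
        $run -D "$hook" -j "$CHAIN" 2>/dev/null || true
    done
    # Flush rather than delete/recreate: no window in which the chain is missing.
    $run -F "$CHAIN"
    while read -r ipblock; do
        $run -A "$CHAIN" -s "$ipblock" -j DROP
    done
    for hook in INPUT OUTPUT FORWARD; do
        $run -I "$hook" -j "$CHAIN"
    done
}

# Usage: IPTABLES=/sbin/iptables ./spamhaus-drop.sh --run
# (the --run guard keeps the download from happening when the file is only sourced)
if [ "${1:-}" = "--run" ]; then
    # Keep the previous chain untouched if the download fails.
    wget -q -O "$FILE" "$URL" || { echo "download failed, keeping existing chain" >&2; exit 1; }
    extract_blocks < "$FILE" | rebuild_chain
fi
```

The local custom file from the original script can be fed through the same path with "cat /etc/silentm/firewall_custom.conf $FILE | extract_blocks | rebuild_chain", provided it uses the same "prefix ; comment" layout.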