Question On Iptables


I am getting this error…

Try `iptables -h' or 'iptables --help' for more information. iptables v1.4.7: Couldn't load target
`Spamhaus':/lib64/xtables/libipt_Spamhaus.so: cannot open shared object file: No such file

yum provides says not found also. CentOS 6.5 x86_64

Thoughts?
Thanks,

Jerry

5 thoughts on - Question On Iptables

  • I did not send the exact command I used but it is “yum provides /lib64/xtables/libipt_Spamhaus.so”
    No matches found.

    I am using this script to block spam:
    #!/bin/bash
    IPTABLES=/sbin/iptables
    FILE="/tmp/drop.txt"
    URL="http://www.spamhaus.org/drop/drop.txt"

    $IPTABLES -D INPUT -j Spamhaus
    $IPTABLES -D OUTPUT -j Spamhaus
    $IPTABLES -D FORWARD -j Spamhaus
    $IPTABLES -F Spamhaus
    $IPTABLES -X Spamhaus

    cd /tmp
    wget $URL
    $IPTABLES -N Spamhaus

    blocks=$(cat $FILE | egrep -v '^;' | awk '{ print $1}')
    for ipblock in $blocks
    do
        $IPTABLES -A Spamhaus -s $ipblock -j DROP
    done

    blocks=$(cat /etc/silentm/firewall_custom.conf | egrep -v '^;' | awk '{ print $1}')
    for ipblock in $blocks
    do
        $IPTABLES -A Spamhaus -s $ipblock -j DROP
    done

    $IPTABLES -I INPUT -j Spamhaus
    $IPTABLES -I OUTPUT -j Spamhaus
    $IPTABLES -I FORWARD -j Spamhaus

    This script then outputs that error about the missing .so

    jerry

  • On 14.07.2014 23:13, Jerry Geis wrote:

    It means that your script is not correct[1] and by mistake tries to load a helper module which does not exist. So fix your script.

    [1] “cat | grep | awk” constructs are far from being elegant.

    Alexander

  • I think that these are not too bad. And you can use xargs instead of a for loop.

    If you have another suggestion you can throw the one-liner here.

    Eliezer

  • On 15.07.2014 01:51, Eliezer Croitoru wrote:

    The OP’s code snippet:

    blocks=$(cat $FILE | egrep -v '^;' | awk '{ print $1}')
    for ipblock in $blocks
    do
        $IPTABLES -A Spamhaus -s $ipblock -j DROP
    done

    Running without the pipe construct because awk can do that all by itself
    (reading the source file and inverse grepping):

    while read ipblock
    do
        $IPTABLES -A Spamhaus -s $ipblock -j DROP
    done < <(awk '!/^;/ { print $1 }' $FILE)

    Alexander

  • Thanks Alexander,

    Indeed, you are right: it can be done, and with very big files it will mean a lot.

    Also, he might consider using ipset instead of basic iptables to make the lookup a bit faster, but it should be OK as it is.

    Eliezer
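
The ipset approach suggested in the last reply, combined with the awk-only parsing shown earlier, as an added example that is not code from the thread: the DROP list is converted into `ipset restore` input, so each chain needs one rule instead of one per network. It assumes the ipset package is installed; the set names, the `load_blocklist` helper and the sample ranges are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Set names are assumptions.
SET=spamhaus_drop        # hypothetical ipset name
NEW="${SET}_new"         # staging set, swapped in once fully loaded

# Turn a DROP-format list on stdin into `ipset restore` input. Lines starting
# with ';' are comments and field 1 is the network. Anything that is not a
# well-formed IPv4 CIDR is dropped, so a damaged or tampered download cannot
# put arbitrary text into the restore stream.
drop_to_restore() {
    awk -v name="$NEW" '
        function valid(cidr,    p, o, i) {
            if (split(cidr, p, "/") != 2) return 0
            if (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) return 0
            if (split(p[1], o, "[.]") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { print "create " name " hash:net family inet"; print "flush " name }
        /^[ \t]*;/ || NF == 0 { next }
        valid($1) { print "add " name " " $1 }
    '
}

# Needs root and the ipset package. $1 is the downloaded list (e.g. /tmp/drop.txt).
load_blocklist() {
    rules=$(drop_to_restore < "$1") || return 1
    # Keep the old set if the download yielded no usable networks.
    printf '%s\n' "$rules" | grep -q '^add ' || return 1
    printf '%s\n' "$rules" | ipset -exist restore || return 1
    ipset -exist create "$SET" hash:net family inet
    ipset swap "$NEW" "$SET" && ipset destroy "$NEW"
    # One rule per chain covers the whole set; insert it only when absent.
    for chain in INPUT FORWARD; do
        iptables -S "$chain" | grep -q -- "--match-set $SET src" ||
            iptables -I "$chain" -m set --match-set "$SET" src -j DROP
    done
}

# Constructed sample in DROP format (documentation ranges, made-up SBL ids).
SAMPLE='; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
not-a-cidr ; SBL000003
203.0.113.0/33 ; SBL000004'

printf '%s\n' "$SAMPLE" | drop_to_restore   # load_blocklist is not called here
```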