You could probably use something like this:
#!/usr/bin/perl
use warnings;
use strict;
#
# This script grabs ip addresses from my firewall log file
# and adds them to a blacklist for my iptables ruleset.
#
## NOTE - This script must be run as root
use Socket;
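# Refuse to run unless we are root: both the firewall log and iptables
# need it, and failing early is clearer than a confusing permission error.
$< and die "You must run this program as root!\n";

my $log       = '/var/log/iptables.log';
my $blacklist = '/var/log/blacklist';

# Collect source addresses from the firewall log.
#
# Keys of %seen are the 4-byte packed form of each address, so a plain
# string sort of the keys gives numeric address order.  Only strictly
# valid dotted quads (four octets, each 0..255) are accepted.  The former
# "[0-9.]+" capture let log-controlled strings such as "1.2.3" or "..."
# through; inet_aton() then either mis-parsed them or fell back to a
# hostname lookup, and an undef result killed inet_ntoa() later on.
# Everything captured here ends up as an iptables argument, so validate it
# as tightly as possible.
open my $in, '<', $log or die "Can not open $log $!";
my %seen;
LINE: while ( my $line = <$in> ) {
    next LINE unless $line =~ /\S/;
    next LINE unless $line =~ /SRC=([0-9]{1,3}(?:\.[0-9]{1,3}){3}) /;
    my $ip     = $1;
    my @octets = split /\./, $ip;
    next LINE if grep { $_ > 255 } @octets;
    # Addresses from the local 192.168/16 range are never blacklisted.
    next LINE if $ip =~ /^192\.168\./;
    $seen{ pack 'C4', @octets }++;
}
close $in or die "Cannot close $log $!";

# Packed keys sort bytewise, which is numeric order for IPv4 addresses.
my @sorted = map { join '.', unpack 'C4', $_ } sort keys %seen;

# Rewrite the blacklist file from scratch and add a LOG rule plus a DROP
# rule to the BLACKLIST chain for every address.  system() is always called
# in list form so the address never goes through a shell.
#
# The whole log is re-read on every run, so without a check each run would
# append another copy of every rule.  "iptables -C" (exit 0 when the rule is
# already present, 1 when it is not) is used to skip rules that already
# exist; it needs iptables >= 1.4.11.  On an older iptables -C fails and the
# rule is simply appended as before.
open my $bl, '>', $blacklist or die "Cannot open $blacklist $!";
for my $ip ( @sorted ) {
    print {$bl} "$ip\n" or die "Cannot write to $blacklist $!";
    for my $target ( [ 'LOG', '--log-prefix', 'IPTABLES:Blacklist: ' ], [ 'DROP' ] ) {
        my @spec = ( 'BLACKLIST', '-p', 'all', '-s', $ip, '-d', '0/0', '-j', @{$target} );
        next if system( '/sbin/iptables', '-C', @spec ) == 0;    # rule already present
        system( '/sbin/iptables', '-A', @spec ) == 0
            or die "system /sbin/iptables failed: $?";
    }
}
# Buffered write errors only surface at close, so check it.
close $bl or die "Cannot close $blacklist $!";
chmod 0600, $blacklist or die "Cannot chmod $blacklist $!";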