Automating IP Blocking with iptables Using a Bash Script

This article explains how iptables filters network packets and provides a Bash script that monitors Nginx access logs, identifies high‑frequency IPs, and automatically adds firewall rules to drop those IPs, with a suggestion for more robust nginx‑Lua interception.

Practical DevOps Architecture

iptables works by filtering packets based on header information and user‑defined rules.

The following Bash script monitors the Nginx access log, extracts IP addresses that exceed a request threshold, and automatically adds them to the iptables INPUT chain to drop traffic.

#!/bin/bash
# Source the RHEL/CentOS init helpers so action() is available for status output.
. /etc/init.d/functions
count=100                                  # requests per IP before it is blocked
Path=/usr/local/nginx/logs/access.log      # Nginx access log to watch

# Count requests per client IP and add a DROP rule for every IP at or above the threshold.
function ipt(){
    awk '{print $1}' "$Path" | sort | uniq -c | sort -rn >/tmp/tmp.log
    while read -r num ip; do
        # iptables -C checks for an exact existing rule, so an IP is never blocked twice.
        if [ "$num" -ge "$count" ] && ! iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
            if iptables -I INPUT -s "$ip" -j DROP; then
                action "iptables -I INPUT -s $ip -j DROP" /bin/true
                echo "$ip" >> "/tmp/ip_$(date +%F).log"   # record for later removal
            else
                action "iptables -I INPUT -s $ip -j DROP" /bin/false
            fi
        fi
    done < /tmp/tmp.log
}

# Remove the DROP rules that were recorded the previous day.
function del(){
    local log="/tmp/ip_$(date +%F -d '-1 day').log"
    # Return instead of exit: a missing log (e.g. on the first day) must not stop the daemon.
    [ -f "$log" ] || { echo "log $log does not exist"; return 1; }
    while read -r ip; do
        if iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
            iptables -D INPUT -s "$ip" -j DROP
        fi
    done < "$log"
}

function main(){
    flag=0
    while true; do
        sleep 180
        ((flag++))
        ipt
        # Every 480 cycles, expire yesterday's blocks and restart the cycle count.
        if [ "$flag" -ge 480 ]; then
            del
            flag=0
        fi
    done
}
main

The script runs continuously, re-scanning the access log every three minutes (180 seconds). Each blocked address is appended to a dated file under /tmp, and every 480 cycles (480 × 180 seconds, i.e. 24 hours) the del function removes the rules recorded the previous day and the cycle counter starts again. Note that the request count is taken over the whole access log rather than a time window, so any client that has ever made 100 requests is blocked until the next cleanup. A more robust solution would be to use nginx with Lua for IP interception or deploy dedicated security software.
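The script above counts every request the log has ever recorded, so a client that accumulates 100 requests over a month is treated the same as one that sends 100 in a minute. As an added example that is not part of the original article, the following Python routine applies the same threshold idea over a sliding time window and skips an allowlist before emitting the iptables rule the script would add; the IP addresses, timestamps, window and allowlist are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Nginx "combined" log format: client IP is the first field, the request
# time is the bracketed field, e.g. [15/Jan/2024:11:59:00 +0000].
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, aware datetime) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        return m.group(1), datetime.strptime(m.group(2), TIME_FMT)
    except ValueError:          # timestamp field present but malformed
        return None

def ips_to_block(lines, threshold, window_seconds, now, allowlist=()):
    """IPs with at least `threshold` requests in the last `window_seconds`.

    Unlike counting the whole log, old traffic ages out of the window, and
    addresses in `allowlist` (monitoring, own proxies) are never returned.
    """
    cutoff = now - timedelta(seconds=window_seconds)
    counts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # unparseable line: skip, do not crash the loop
        ip, ts = parsed
        if ts < cutoff or ip in allowlist:
            continue
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed sample log (documentation address ranges): 203.0.113.7 bursts
# inside the window, 198.51.100.2 has more hits but all three hours earlier.
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
ENTRY = '%s - - [15/Jan/2024:%s:%02d +0000] "GET / HTTP/1.1" 200 1'
SAMPLE = ([ENTRY % ("203.0.113.7", "11:59", s) for s in range(5)]
          + [ENTRY % ("198.51.100.2", "09:00", s) for s in range(8)]
          + [ENTRY % ("10.0.0.5", "11:59", s) for s in range(6)]
          + ["garbage line"])

if __name__ == "__main__":
    # Print the exact rule the article's script would add for each offender.
    for ip in ips_to_block(SAMPLE, 5, 300, NOW, allowlist={"10.0.0.5"}):
        print("iptables -I INPUT -s %s -j DROP" % ip)
```

With a 5-minute window only 203.0.113.7 is reported; widening the window to four hours also picks up 198.51.100.2, which shows how the window, not just the threshold, decides who gets blocked.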
