A client uses fail2ban plus a number of other custom scripts to build his firewall to block unwanted access. The firewall table was getting very confusing for him as he didn’t know which script had blocked the IP at a glance.
I cleaned up his tables and created a chain for each script. Here is how I did it.
iptables -N spammer iptables -N Script-2-wp
We then add a rule to call the chain.
iptables -A INPUT -j Spammer iptables -A INPUT -j Script-2-wp
Now instead of just adding a rule to the default INPUT chain as follows;
iptables -A INPUT -s 184.108.40.206/24 -j DROP
We added it to the specific chain for the script doing the blocking.
iptables -A Spammer -s 220.127.116.11 -j DROP iptables -A Script-2-wp -s 18.104.22.168 -j DROP
Now when he uses grep with colour he can see which script created the entry without diving into the scripts individual logs (if present)
iptables -nvL | grep --color -E '22.214.171.124|$'
The above lines work but are missing lots of configuration options. For example we don’t specify protocol amongst other things. This was done to keep the example simple and easy to read. You may want to read up on the options and modify accordingly.
Playing with firewalls on a live server if you don’t know what you are doing can be dangerous. Please test/learn on a VPS or similiar before deploying to a live server.