From 58cadfeca349b3f2d5dbf8083e16af11926d2c9e Mon Sep 17 00:00:00 2001
From: "bruns@2mbit.com"
Date: Sun, 30 Aug 2009 00:52:40 +0000
Subject: [PATCH] Added new options for blocked IPs
---
 ChangeLog | 1 +
 blocked | 1 +
 options.default | 3 +++
 rc.firewall | 12 ++++++++++++
 4 files changed, 17 insertions(+)
 create mode 100644 blocked
diff --git a/ChangeLog b/ChangeLog
index 812c490..baeab03 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 0.6 - Brielle Bruns
 - Fixed some potential ordering issues with NAT
+ - Added file for blocked IPs, plus new config option
 0.5 - Brielle Bruns
 - Fixing ipv6 UDP firewalling rules
diff --git a/blocked b/blocked
new file mode 100644
index 0000000..bd47c05
--- /dev/null
+++ b/blocked
@@ -0,0 +1 @@
+# List of IPs to block outright
diff --git a/options.default b/options.default
index 8725c85..918c5a4 100755
--- a/options.default
+++ b/options.default
@@ -52,6 +52,9 @@ NATRANGE="192.168.1.0/24"
 NATEXTIP="172.16.1.1"
 NATEXTIF="eth0"
+# IP Ranges to block all traffic incoming/outgoing
+BLOCKEDIP=$BASEDIR/blocked
+
 # IPv6 related features. Commenting out IPV6 variable disables ALL
 # IPv6 related items
diff --git a/rc.firewall b/rc.firewall
index 028e97b..bc8715a 100755
--- a/rc.firewall
+++ b/rc.firewall
@@ -33,6 +33,18 @@ for i in $TRUSTEDIP; do
 done
 echo -ne "\n"
+echo -n "Adding blocked IPs: "
+
+if [ $BLOCKEDIP ]; then
+ for i in `grep -v "\#" $BLOCKEDIP`; do
+ echo -n "$i"
+ $IPTABLES -A INPUT -s $i -j DENY
+ $IPTABLES -A OUTPUT -d $i -j DENY
+ done
+fi
+
+echo -ne "\n"
+
 if [ $CLAMPMSS ]; then
 echo "Clamping MSS to PMTU..."
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
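Review bot: The comment above `BLOCKEDIP` in options.default describes the variable as "IP Ranges to block", but its value is a file path, so someone editing the options file may put addresses into the variable itself. The loader added to rc.firewall in this same patch reads that file with `grep -v "\#"` and word-splits the output, so any line containing `#` anywhere is discarded whole and addresses are taken one per whitespace-separated word; the comment should say so. I'd write it as `# Path to a file of IPs/CIDR ranges to block in both directions, one per line; a line containing '#' anywhere is ignored entirely`. "All traffic" is also stronger than what the loader installs (INPUT and OUTPUT only, not FORWARD), so either the wording or the rules should be brought in line.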
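Review bot: `-j DENY` on the two new `$IPTABLES` lines in rc.firewall is not an iptables target (DENY was ipchains; iptables uses DROP or REJECT), so each rule load fails with an unknown-target error and, because the script never checks the exit status, the blocklist is silently never installed. The rules are also appended only to INPUT and OUTPUT even though this script maintains a FORWARD chain (see the `iptables -A FORWARD` context line just below), so hosts NATed through this box can still exchange traffic with a blocked address; and they are appended after the TRUSTEDIP loop, so if that loop installs ACCEPT rules an address present in both lists is accepted before the block is reached — I cannot see the TRUSTEDIP body, but the block rules should come first. Smaller points: `$BLOCKEDIP` and `$i` are unquoted, `[ $BLOCKEDIP ]` checks only that the variable is set, not that the file exists (grep then errors to stderr and the loop silently does nothing), and `echo -n "$i"` prints the addresses run together. A corrected loop is below; it also mirrors the block into FORWARD.
```shell
# … unchanged: "Adding blocked IPs: " banner …
# iptables has no DENY target; DROP discards matching packets silently
if [ -n "$BLOCKEDIP" ] && [ -f "$BLOCKEDIP" ]; then
  for i in $(grep -v "\#" "$BLOCKEDIP"); do
    echo -n "$i "
    $IPTABLES -A INPUT   -s "$i" -j DROP
    $IPTABLES -A OUTPUT  -d "$i" -j DROP
    # hosts behind NAT traverse FORWARD, not INPUT/OUTPUT
    $IPTABLES -A FORWARD -s "$i" -j DROP
    $IPTABLES -A FORWARD -d "$i" -j DROP
  done
fi
# … unchanged: trailing newline, CLAMPMSS block …
```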