in reply to Questions regarding regular expressions and arrays

What does your data look like?


Re^2: Questions regarding regular expressions and arrays
by at2marty (Novice) on Dec 12, 2011 at 23:33 UTC

    The typical log file entry looks like this (all on one line). Note, the x's replace the real MAC and source IP just for anonymity.

    Dec 10 13:14:39 mymachine kernel: [74697.914492] IPTABLES:Blacklist: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.xxx DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=38 ID=25551 DF PROTO=TCP SPT=53521 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0

      You could probably use something like this:

      #!/usr/bin/perl
      use warnings;
      use strict;

      #
      # This script grabs ip addresses from my firewall log file
      # and adds them to a blacklist for my iptables ruleset.
      #
      ## NOTE - This script must be run as root

      use Socket;

      # Check to make sure root is running this
      $< and die "You must run this program as root!\n";

      my $log       = '/var/log/iptables.log';
      my $blacklist = '/var/log/blacklist';

      # Open log file, retrieve list of ip addresses and write them
      # to the blacklist
      open IN, "<", $log or die "Can not open $log $!";

      my %seen;
      while ( <IN> ) {
          next unless /\S/;
          if ( /SRC=([0-9.]+) / ) {
              next if $1 =~ /^192\.168/;
              $seen{ inet_aton( $1 ) }++;
          }
      }
      close IN;

      # Sort my list of IP addresses
      my @sorted = map inet_ntoa( $_ ), sort keys %seen;

      # Create clean blacklist file and append iptables rules
      open BL, '>', $blacklist or die "Cannot open $blacklist $!";

      foreach my $ip ( @sorted ) {
          print BL "$ip\n";
          0 == system '/sbin/iptables', '-A', 'BLACKLIST', '-p', 'all', '-s', $ip, '-d', '0/0', '-j', 'LOG', '--log-prefix', 'IPTABLES:Blacklist: '
              or die "system /sbin/iptables failed: $?";
          0 == system '/sbin/iptables', '-A', 'BLACKLIST', '-p', 'all', '-s', $ip, '-d', '0/0', '-j', 'DROP'
              or die "system /sbin/iptables failed: $?";
      }

      close BL;
      chmod 0600, $blacklist;

        jwkrahn, thank you very much for your suggestion. I need to study the Socket module to understand some of what you suggested.

        Also, the test for root line has me a bit confused so I need to research that as well.

        Finally, I like the format that you used for the system calls. It just seems to be a bit cleaner.

        Again, thank you for your help!
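An added, stand-alone illustration (not code from either poster) of the two things the script above relies on: keying the hash by inet_aton's packed form so a plain sort orders addresses numerically, and the $< root test. It runs on constructed sample lines, widens the 192.168 skip to all RFC 1918 ranges, and only prints the iptables argument lists instead of calling system().

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);

# Constructed sample log entries (hypothetical TEST-NET sources), trimmed to
# the fields the regex needs. They include a repeat, two LAN sources that
# must be skipped, and addresses that a plain string sort would misorder.
my @log = map { "Dec 10 13:14:39 mymachine kernel: [74697.914492] IPTABLES:Blacklist: IN=eth0 OUT= $_ DST=192.168.1.10 PROTO=TCP DPT=22" }
    'SRC=203.0.113.50', 'SRC=198.51.100.9', 'SRC=203.0.113.50',
    'SRC=192.168.1.77', 'SRC=10.0.0.3', 'SRC=198.51.100.100';

# All RFC 1918 ranges, broader than the /^192\.168/ check in the script above.
sub is_private {
    my ($ip) = @_;
    return $ip =~ /^10\./ || $ip =~ /^192\.168\./ || $ip =~ /^172\.(1[6-9]|2\d|3[01])\./;
}

# Collect unique external sources keyed by their packed 4-byte form, so that
# sorting the keys as strings is the same as sorting the addresses numerically.
sub collect_sources {
    my %seen;
    for (@_) {
        next unless /SRC=([0-9.]+) /;
        my $src = $1;                          # save before any further regex
        next if is_private($src);
        my $packed = inet_aton($src) or next;  # skips malformed addresses
        $seen{$packed}++;
    }
    return map { inet_ntoa($_) } sort keys %seen;
}

my @blacklist = collect_sources(@log);
my @raw = sort map { /SRC=([0-9.]+) / ? $1 : () } @log;
print "string sort: @raw\n";        # 198.51.100.100 lands before 198.51.100.9
print "packed sort: @blacklist\n";  # deduplicated, LAN-free, numeric order

# Dry run: the same argument lists the script hands to system() in list form
# (no shell involved), printed instead of applied to the firewall.
for my $ip (@blacklist) {
    print "iptables -A BLACKLIST -p all -s $ip -d 0/0 -j LOG --log-prefix 'IPTABLES:Blacklist: '\n";
    print "iptables -A BLACKLIST -p all -s $ip -d 0/0 -j DROP\n";
}

# Same privilege test as the script: $< is the real UID and is 0 only for root.
print $< == 0 ? "running as root\n" : "not root: the real script would die here\n";
```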