iptables: checking if a IP is blocked in firewall

You could use ipaddr with python.

First you list the rules you are interested in with iptables -S (that will list single IPs as /32, which comes in handy):

Then you feed the blocks to this python script, check_ip.py. It checks if the first parameter (the address) belongs to the second parameter (the block) and exits with code 0 or 1.

#!/bin/python3

import ipaddress
import sys

sys.exit(ipaddress.ip_address(sys.argv[1]) in ipaddress.ip_network(sys.argv[2],strict=False))

You can then connect those two pieces.

The following is a quickly written bash command line, but you could also move the whole code to python, or use xargs, ...

iptables -S | grep DROP | awk '{print $4,$0}' | while read a b; do python3 check_ip.py IP.ADDR.TO.CHECK $a || echo $b; done

My recommendation is to precede the firewall rule with another rule designed to log such packet drops. Instead of:

iptables -A INPUT -s "163.172.000.000/16" -j DROP

The preferred way to reject traffic should be:

iptables -N logNdrop
iptables -A logNdrop -j LOG --log-level 5 --log-prefix 'Packet dropped: '
iptables -A logNdrop -j DROP
iptables -A INPUT -s "163.172.000.000/16" -j logNdrop

That will allow you to look for IP blocking occurrences in files such as /var/log/messages, depending on how your syslog daemon is configured:

# egrep 'Packet dropped: .* SRC=163.172.181.190 ' /var/log/messages
# tail -F /var/log/messages | egrep 'Packet dropped: .* SRC=163.172.181.190 '