Multiple IP ban: read IPs from a file -> ban in iptables

Simple, direct, one line solution:

for IP in $(cat ip_list); do iptables -A INPUT -s "$IP/32" -d 0/0 -j DROP; done

This will block any communication from the ip addresses on any protocol or port.

But maybe you should think about doing a proper firewall script using iptables-save and iptables-restore or even Shorewall.

EDIT: The same line, verbose:

for IP in $(cat ip_list); do echo "Banning $IP"; iptables -A INPUT -s "$IP/32" -d 0/0 -j DROP; done

Try this

#!/bin/bash
# feed the loop a sorted, de-duplicated copy of the list (piping after "done"
# would only sort the loop's output, not its input)
while read -r ipaddr
do
    /sbin/iptables -I INPUT -s "$ipaddr" -j DROP
done < <(sort -u /path/to/iplist-to-drop)

Or using a separate chain

#!/bin/bash

# dedicated chain, so the list can be flushed and reloaded without touching INPUT
/sbin/iptables -N Dropped-From-File
/sbin/iptables -I INPUT -s 0.0.0.0/0 -j Dropped-From-File
while read -r ipaddr
do
    /sbin/iptables -I Dropped-From-File -s "$ipaddr" -j DROP
done < <(sort -u /path/to/iplist-to-drop)

/sbin/iptables -A Dropped-From-File -j RETURN

You could also use the ipset module ( http://ipset.netfilter.org/ ). When the list of IP addresses gets long, matching them one by one with individual iptables rules will lead to degraded performance. ipset should perform much better. Also, with ipset you can reload addresses at any time without touching your rules.

Even if you don't want to bother with ipset, it is better to drop banned addresses in the iptables "raw" table. This way, the connection tracking framework will not see them and won't create state records you'll never need. This should also improve performance in case the firewall has to handle lots of traffic.


It is better to use ipset and the raw table, as vadimk said. Here is how you do it:

apt-get install ipset
ipset -N badips iphash
while read ip; do ipset -A badips "$ip"; done < badips.txt
iptables -t raw -I PREROUTING -m set --match-set badips src,dst -j DROP

To make these rules persistent across reboots on Debian 7 I had to use a modified iptables-persistent:

/etc/init.d/iptables-persistent save
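Following vadimk's ipset/raw-table advice and the `while read ip; do ipset -A ...` loop above, this added example (not from any of the answers) validates each line of the list before it reaches ipset and emits `ipset restore` input, so a comment, duplicate or malformed entry cannot abort the bulk load. The set name `badips` is taken from the page; the helper names, the `hash:net` type (so /prefix entries work) and the sample list are this example's own assumptions.

```shell
#!/bin/sh
# Convert a plain-text ban list into `ipset restore` input, one validated
# entry per line. Sample data below is constructed for demonstration.
set -f                      # no globbing: list entries are split on "." below
SET_NAME=badips             # set name as used on the page

# valid_ipv4 ADDR[/PREFIX]: succeed only for four 0-255 octets and prefix 0-32
valid_ipv4() {
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# build_restore_script: list on stdin -> `ipset restore` lines on stdout.
# '#' comments, whitespace, blank lines and duplicates are dropped; entries
# that fail validation are reported on stderr and skipped, not loaded.
build_restore_script() {
    printf 'create %s hash:net family inet\n' "$SET_NAME"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | sort -u |
    while read -r entry; do
        if valid_ipv4 "$entry"; then
            printf 'add %s %s\n' "$SET_NAME" "$entry"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done
}

# sample_list: constructed input with a comment, a duplicate and two bad lines
sample_list() {
    printf '%s\n' '# constructed sample' '203.0.113.7' '198.51.100.0/24 # spam' \
        '203.0.113.7' '256.1.1.1' '10.0.0.1/33' ''
}

# apply_badips (run as root, not invoked here): load the set in one call,
# -exist makes reloads idempotent; -C adds the raw-table rule only once.
apply_badips() {
    build_restore_script | ipset -exist restore &&
    { iptables -t raw -C PREROUTING -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
      iptables -t raw -I PREROUTING -m set --match-set "$SET_NAME" src -j DROP; }
}

sample_list | build_restore_script
```

Feed the real list with `build_restore_script < badips.txt | ipset -exist restore`; the skipped entries on stderr are the lines to fix in the file.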