I have an idea, but my limited knowledge of bash does not give me the desired result. Look: I use the nslookup command to get the IP of the site.
nslookup facebook.com
Server: xxx.xxx.xxx.xxx
Address: xxx.xxx.xxx.xxx#53
Non-authoritative answer:
Name: facebook.com
Address: 69.171.230.68
The next step is to take the value "origin".
whois -h whois.radb.net 69.171.230.68
[Querying whois.radb.net]
[whois.radb.net]
route: 69.171.224.0/20
descr: Facebook, Inc
origin: AS32934
mnt-by: MAINT-AS32934
changed: jj@fb.com 20110530 #01:29:45Z
source: RADB
As you can see, origin: AS32934
The next step is the list of the site's networks:
whois -h whois.radb.net '!gAS32934' | grep /
204.15.20.0/22 69.63.176.0/20 66.220.144.0/20 66.220.144.0/21 69.63.184.0/21 69.63.176.0/21 74.119.76.0/22 69.171.255.0/24 173.252.64.0/18 69.171.224.0/19 69.171.224.0/20 103.4.96.0/22 69.63.176.0/24 173.252.64.0/19 173.252.70.0/24 31.13.64.0/18 31.13.24.0/21 66.220.152.0/21 66.220.159.0/24 69.171.239.0/24 69.171.240.0/20 31.13.64.0/19 31.13.64.0/24 31.13.65.0/24 31.13.67.0/24 31.13.68.0/24 31.13.69.0/24 31.13.70.0/24 31.13.71.0/24 31.13.72.0/24 31.13.73.0/24 31.13.74.0/24 31.13.75.0/24 31.13.76.0/24 31.13.77.0/24 31.13.96.0/19 31.13.66.0/24 173.252.96.0/19 69.63.178.0/24 31.13.78.0/24 31.13.79.0/24 31.13.80.0/24 31.13.82.0/24 31.13.83.0/24 31.13.84.0/24 31.13.85.0/24 31.13.86.0/24 31.13.87.0/24 31.13.88.0/24 31.13.89.0/24 31.13.90.0/24 31.13.91.0/24 31.13.92.0/24 31.13.93.0/24 31.13.94.0/24 31.13.95.0/24 69.171.253.0/24 69.63.186.0/24 31.13.81.0/24 179.60.192.0/22 179.60.192.0/24 179.60.193.0/24 179.60.194.0/24 179.60.195.0/24 185.60.216.0/22 45.64.40.0/22 185.60.216.0/24 185.60.217.0/24 185.60.218.0/24 185.60.219.0/24 129.134.0.0/16 157.240.0.0/16 204.15.20.0/22 69.63.176.0/20 69.63.176.0/21 69.63.184.0/21 66.220.144.0/20 69.63.176.0/20
Finally, we drop all destination IPs. I want to make that process automatic. But how do I parse that value "origin"? I need to use it in my iptables firewall.
You can do this with shell scripts. First of all, to get the network address, use awk to filter the nslookup output, printing the second token on the Address: line. Note that there is more than one address line, so use tail to pick the last one only. The $() construct is used to put the result into the $address variable.
address=$(nslookup facebook.com | awk '/Address:/ {print $2}' | tail -1)
Similarly, use $address as a parameter to whois and filter the output again.
origin=$(whois -h whois.radb.net "$address" | awk '/origin:/ {print $2}')
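The whole chain from the question, as an added example that is not part of the original answer: because whois output is untrusted text that ends up in firewall rules, it validates the ASN and each prefix and removes duplicates before emitting anything. The function names, the OUTPUT chain and the sample inputs are assumptions made for illustration.

```bash
#!/bin/bash
# Constructed sample inputs, shaped like the whois output shown on this page.
SAMPLE_ROUTE='route: 69.171.224.0/20
descr: Facebook, Inc
origin: AS32934
source: RADB'
SAMPLE_PREFIXES='A58
204.15.20.0/22 69.63.176.0/20 69.63.176.0/20 999.1.1.0/24 31.13.64.0/18 10.0.0.0/8;id
C'

# Print the first well-formed origin ASN from a route object on stdin.
# Exits non-zero when none is found, so a failed lookup never reaches iptables.
parse_origin() {
    awk '$1 == "origin:" && $2 ~ /^AS[0-9]+$/ { print $2; found = 1; exit }
         END { exit !found }'
}

# Print unique, syntactically valid IPv4 CIDR prefixes found on stdin.
parse_prefixes() {
    tr -s ' \t' '\n' | awk -F'[./]' '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && $5 <= 32 &&
        !seen[$0]++'
}

# Emit (do not execute) one DROP rule per prefix; OUTPUT chain is an assumption.
emit_rules() {
    while read -r net; do
        printf 'iptables -A OUTPUT -d %s -j DROP\n' "$net"
    done
}

# Live pipeline using the page's commands (needs network; not called here).
block_site() {
    address=$(nslookup "$1" | awk '/Address:/ {print $2}' | tail -n 1)
    origin=$(whois -h whois.radb.net "$address" | parse_origin) || return 1
    whois -h whois.radb.net "!g$origin" | parse_prefixes | emit_rules
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_ROUTE" | parse_origin
printf '%s\n' "$SAMPLE_PREFIXES" | parse_prefixes | emit_rules
```

The rules are only printed, so they can be reviewed before being run as root.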