This document describes the integration of ThreatSTOP IP Defense with IP Tables on Ubuntu.


The goal of this document is to walk you through the configuration of your IPTables firewall and the setup of your management server using ThreatSTOP-provided scripts. Once this setup has been completed, your environment will begin receiving target list updates every two hours and will be protected by ThreatSTOP.

We have written some shell scripts to prepare iptables, get your block lists, and use the results to create rules for iptables. You can download the scripts here. If this is a new device, please allow up to 15 minutes for our systems to be updated.


ThreatSTOP is compatible with the following versions of IP Tables on Linux:

Minimum 1.4
Recommended 1.4.10

Quick Setup

Cut and paste the following line into your CLI. Your device will then set up the files and run the script to begin protecting your network.

curl -o ts-iptables.tar.gz ; tar xzvf ts-iptables.tar.gz ; sudo dpkg -i ts-iptables_4.15-02_all.deb; cd /opt/threatstop; sudo ./ --blocklist <block list name>.<ThreatSTOP account ID>.threatstop.local --allowlist <allow list name>.<ThreatSTOP account ID>.threatstop.local

As with any Linux configuration, the first step in configuring the management appliance is to apply the latest patches for the distribution. You will also need to gather any missing library files for the setup Perl script. To do this:

  • Connect to the new virtual machine and log in with your chosen credentials.
  • At the command prompt enter the following commands, pressing ENTER between each command.
    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get install libswitch-perl libtest-lwp-useragent-perl ipset libnet-dns-perl rsyslog

Once the management appliance has been patched, you will need to set up the device in the Portal using the setup steps provided in ThreatSTOP Portal Introduction. Once the device has been configured in the portal, you can proceed with the installation of the ThreatSTOP application.

  • Test the connection from your management appliance to our network using the command:
  • Verify that the IP address is in the list of authorized hosts.

Testing the Connection

To test that a connection can be made successfully between your VM and ThreatSTOP enter:


Installing ThreatSTOP for iptables

ThreatSTOP can interface with a large number of management devices. One of the most readily available of these is built into Linux itself: iptables is a strong, widely used, free firewall that is available in every Linux distro. To make use of this powerful utility you will need to perform the following steps:

  • Log in to the Virtual Machine.
  • Enter the following commands:
    curl -o ts-iptables.tar.gz 
    tar xzvf ts-iptables.tar.gz
    sudo dpkg -i ts-iptables_4.15-02_all.deb
  • As the threatstop user, begin the setup process by entering:
    cd /opt/threatstop

An introduction screen will appear and a few brief checks will be run to verify that various settings are in place to allow the script to run. After that, you will begin configuring the System utilities. Unless you have specifically installed these utilities elsewhere, use the provided defaults for file locations. The utilities mentioned are a mix of what we downloaded above and standard utilities distributed with most Linux-based distributions. After the System Utilities are configured, the User required parameters will be configured.

  • Accept the default for the ThreatSTOP IP set prefix.
    Please enter the ThreatSTOP ipset prefix
  • Provided that your connection to ThreatSTOP is open via port 80, the following parameters will be automatically populated with data from your account. Both fields may be accepted without issue. If your connection is blocked you will need to contact support for the correct values to enter.
    • ThreatSTOP Block list parameter: default
    • ThreatSTOP Allow list parameter: default
  • Please enter the ThreatSTOP block list parameter
    [basic.threatstop.local] <block list name>.<ThreatSTOP account ID>.threatstop.local
    Please enter the ThreatSTOP allow list parameter
    [dns.threatstop.local] <allow list name>.<ThreatSTOP account ID>.threatstop.local
  • Set the maximum policy size your system is able to handle. The default is likely to be OK so tap ENTER.
    Please enter the ThreatSTOP max policy size parameter
  • Accept the default location for the ThreatSTOP log file by tapping ENTER.
    Please enter ThreatSTOP logfile location
  • Use the provided URL to submit your logs by tapping ENTER.
    Please enter the URL parameter for submitting logs
  • Enter the log upload IP address. This may be automatically configured for you, so you only need to change it if you know the Device IP address does not match the external IP address of the device.
    Please enter the log upload IP address
         (optional, and only needed if this system's public IP
         is different than that configured in the corresponding
         device on the ThreatSTOP portal)
         []<Device IP>
  • The value for the DNS PORT setting (0 - 65535) depends on whether your configuration is set as a DNS server:
    • If your configuration is set as a DNS server, accept the default of 53.
    • If your configuration is not set as a DNS server the default will fail and you will need to change the port. For a standard configuration this should be set to: 5353
      Please enter the DNS PORT setting (0 - 65535)
  • This controls how often fresh Threat Intelligence is piped into your firewall. It’s safe to leave this at 2 hours by tapping ENTER.
    Please enter how often to update the device with ThreatSTOP addresses (5m, 15m, 30m, 1h, 2h, 4h)
  • Unless you specifically need the logs uploaded at a rate different than normal, accept the default of every hour by tapping ENTER.
    Please enter how often to upload the log files (5m, 15m, 30m, 1h, 2h, 4h)
  • Accept these settings by entering Y (or accepting the default) at the Use these settings prompt.
    Use these settings : (Y/N) [Y] ?
  • Information about the actions performed and the results of connection tests will be displayed, followed by a confirmation to enable the new Allow and Block list. Tap ENTER to continue.
    Ready to run get Allow/Block list for the first time
    Proceed (Y/N) [Y] :
  • Finally you will be prompted with Ready to run get Allow/Block list for the first time. Accept the default of Y and the scripts will pull the latest information for your policy.

From here you’ll be able to use this device as a firewall in your network.

Testing the Configuration

You can verify that your policy has been loaded into iptables by running the following command:

sudo iptables -L

This will list all of the rules currently employed by IP Tables. After setting this you can verify the firewall’s behavior by visiting the following URIs from a device behind the firewall:

  • – This should appear which will verify that you are able to connect.
  • – Your connection to this should time out.
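An added example (not part of the ThreatSTOP scripts): `iptables -L` lists rules but does not tell you whether every loaded IP set is actually referenced by a rule. The functions below cross-check the output of `ipset list -n` against `iptables -S`, assuming the rules use the `set` match (`--match-set`); the `EXAMPLE-` prefix and all sample set names are constructed, so substitute the ipset prefix chosen during setup.

```shell
#!/bin/sh
# Added example, not ThreatSTOP code. Assumption: rules reference sets with
# "-m set --match-set NAME src|dst". Live use (as root):
#   unreferenced_sets "$(ipset list -n)" "$(iptables -S)" "<your ipset prefix>"

# Print the unique set names referenced by --match-set in `iptables -S` text.
referenced_sets() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "--match-set") print $(i + 1)
    }' | sort -u
}

# Print every set whose name starts with the prefix but that no rule uses.
# $1 = set names (one per line), $2 = iptables -S text, $3 = prefix
unreferenced_sets() {
    set_names=$1
    rules=$2
    prefix=$3
    refs=$(referenced_sets "$rules")
    printf '%s\n' "$set_names" | while IFS= read -r name; do
        case $name in
            "$prefix"*) ;;          # one of ours, check it
            *) continue ;;          # unrelated set, ignore
        esac
        # Exact, fixed-string match against the referenced names.
        printf '%s\n' "$refs" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample data (hypothetical names, not real ThreatSTOP output).
SAMPLE_SETS='EXAMPLE-block-0
EXAMPLE-block-1
EXAMPLE-allow-0
other-set'

SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m set --match-set EXAMPLE-allow-0 src -j ACCEPT
-A INPUT -m set --match-set EXAMPLE-block-0 src -j DROP
-A FORWARD -m set --match-set EXAMPLE-block-0 dst -j DROP'

# Sets that are loaded but filter nothing in the sample data.
unreferenced_sets "$SAMPLE_SETS" "$SAMPLE_RULES" "EXAMPLE-"
```

Any name printed is a set that exists in the kernel but is not enforced by a rule, which is worth investigating before relying on the policy.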

Removing ThreatSTOP

To stop and remove ThreatSTOP from your firewall device:

  • Use the following command to remove ThreatSTOP and leave the configuration files:
    sudo dpkg -r ts-iptables
  • Use the following command to remove ThreatSTOP and the configuration files:
    sudo dpkg -P ts-iptables