Blocking a range of source IPs to a specific port

/dev/rob0 rob0 at gmx.co.uk
Mon Aug 1 23:33:45 CEST 2005


R. DuFresne wrote:
>> I'm trying to use iptables to block a range of source IP addresses, 
>> but I can't figure out how to specify ranges - I'm trying to block 
>> everything from 172.150-250.*.* on port 8676 - can someone help me out 
>> with the rule for this?
> 
> For part of the address space 172.128.0.0 - 172.191.255.255 you can 
> block on 172.128.0.0/10.  To get the full range, you might use one of 
> the online IP calculators to figger in the whole shebang.

Unfortunately 172.128.0.0/10 includes some addresses which are not in the 
space the OP listed. 172.128.0.0/9 could be used; that is 172.128.0.0 
through 172.255.255.255. The rule could be preceded by some -j RETURN rules 
with some creative use of user-defined chains.

iptables -N No8676
iptables -A No8676 -s 172.128.0.0/12 -j RETURN
iptables -A No8676 -s 172.144.0.0/14 -j RETURN
iptables -A No8676 -s 172.148.0.0/15 -j RETURN
iptables -A No8676 -s 172.251.0.0/16 -j RETURN
iptables -A No8676 -s 172.252.0.0/14 -j RETURN
iptables -A No8676 -s 172.128.0.0/9 -j DROP

Then, you jump to No8676 for -p $PROTO --dport 8676 from INPUT and/or 
FORWARD as may be required for what is wanted.

As an alternative he could list each netblock positively:

iptables -A No8676 -s 172.150.0.0/15 -j DROP
iptables -A No8676 -s 172.152.0.0/13 -j DROP
iptables -A No8676 -s 172.160.0.0/11 -j DROP
iptables -A No8676 -s 172.192.0.0/11 -j DROP
iptables -A No8676 -s 172.224.0.0/12 -j DROP
iptables -A No8676 -s 172.240.0.0/13 -j DROP
iptables -A No8676 -s 172.248.0.0/15 -j DROP
iptables -A No8676 -s 172.250.0.0/16 -j DROP

That requires more rules.

General understanding of TCP/IP and CIDR notation is useful in a case 
like this. I would refer the OP to one of the online calculators to 
which Ron referred: http://www.cotse.com/networkcalculator.html .

Useful hint to those who might be planning out a network: keep your 
hosts in CIDR-addressable netblocks. It's much more convenient for 
purposes of firewalling and routing.
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header
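Worked example, added here and not part of rob0's post: a bash script that does the CIDR arithmetic from the reply for any IPv4 range (the eight positive DROP blocks, and the RETURN exclusions, fall out of the same greedy split) and prints the resulting rules for chain No8676 rather than executing them. The protocol defaulting to tcp is an assumption; the chain name and port 8676 come from the thread.

```bash
#!/usr/bin/env bash
# Splits an IPv4 range into the minimal set of CIDR blocks (the by-hand work
# in the post) and prints the resulting iptables rules without running them.
# Assumption (not from the thread): protocol defaults to tcp.

ip2int() {                 # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1              # split on dots into $1..$4
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                 # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs FIRST LAST -> one "a.b.c.d/len" per line, covering exactly
# [FIRST, LAST]. Greedy: from the current address, take the largest block
# that is aligned to its own size and does not run past LAST.
range_to_cidrs() {
    local cur last len size
    cur=$(ip2int "$1"); last=$(ip2int "$2")
    while (( cur <= last )); do
        len=32
        while (( len > 0 )); do
            size=$(( 1 << (33 - len) ))     # size of the next wider block
            (( cur % size == 0 && cur + size - 1 <= last )) || break
            len=$(( len - 1 ))
        done
        echo "$(int2ip "$cur")/$len"
        cur=$(( cur + (1 << (32 - len)) ))
    done
}

# emit_rules FIRST LAST [PROTO]: the positive-list variant from the post,
# one DROP per block in a user-defined chain, plus the jump from INPUT.
emit_rules() {
    local proto=${3:-tcp} block
    echo "iptables -N No8676"
    for block in $(range_to_cidrs "$1" "$2"); do
        echo "iptables -A No8676 -s $block -j DROP"
    done
    echo "iptables -A INPUT -p $proto --dport 8676 -j No8676"
}

emit_rules 172.150.0.0 172.250.255.255
```

Running range_to_cidrs on 172.128.0.0 172.149.255.255 and on 172.251.0.0 172.255.255.255 reproduces the five RETURN exclusions of the first variant, so the same function checks both rule sets.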



More information about the netfilter mailing list