Blocking a range of source IPs to a specific port
dufresne at sysinfo.com
Tue Aug 2 00:03:02 CEST 2005
Of course you are correct, I should have waited till I had time after work
to offer assistance here. But the backend advice of using one of the
online IP calculators would be a good starting point for finding the
correct params to pass to iptables.
Thanks for the correction.
On Mon, 1 Aug 2005, /dev/rob0 wrote:
> R. DuFresne wrote:
>>> I'm trying to use iptables to block a range of source IP addresses, but
>>> I can't figure out how to specify ranges- i'm trying to block everything
>>> from 172.150-250.*.* on port 8676- can someone help me out with the rule
>>> for this?
>> For part of the address space 18.104.22.168 - 22.214.171.124 you can block
>> on 126.96.36.199/10. To get the full range, you might use one of the online
>> IP calculators to figger in the whole shebang.
> Unfortunately 188.8.131.52/10 includes some which is not of the space the OP
> listed. 184.108.40.206/9 could be used; that is 220.127.116.11 through
> 18.104.22.168. The rule could be preceded by some -j RETURN rules with some
> creative use of user-defined chains.
> iptables -N No8676
> iptables -A No8676 -s 22.214.171.124/12 -j RETURN
> iptables -A No8676 -s 126.96.36.199/14 -j RETURN
> iptables -A No8676 -s 188.8.131.52/15 -j RETURN
> iptables -A No8676 -s 184.108.40.206/16 -j RETURN
> iptables -A No8676 -s 220.127.116.11/14 -j RETURN
> iptables -A No8676 -s 18.104.22.168/9 -j DROP
> Then, you jump to No8676 for -p $PROTO --dport 8676 from INPUT and/or FORWARD
> as may be required for what is wanted.
> As an alternative he could list each netblock positively:
> iptables -A No8676 -s 22.214.171.124/15 -j DROP
> iptables -A No8676 -s 126.96.36.199/13 -j DROP
> iptables -A No8676 -s 188.8.131.52/11 -j DROP
> iptables -A No8676 -s 184.108.40.206/11 -j DROP
> iptables -A No8676 -s 220.127.116.11/12 -j DROP
> iptables -A No8676 -s 18.104.22.168/13 -j DROP
> iptables -A No8676 -s 22.214.171.124/15 -j DROP
> iptables -A No8676 -s 126.96.36.199/16 -j DROP
> That requires more rules.
> General understanding of TCP/IP and CIDR notation is useful in a case like
> this. I would refer the OP to one of the online calculators to which Ron
> referred: http://www.cotse.com/networkcalculator.html .
> Useful hint to those who might be planning out a network: keep your hosts in
> CIDR-addressable netblocks. It's much more convenient for purposes of
> firewalling and routing.
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
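The two rule styles discussed above (a supernet DROP preceded by RETURN rules for the netblocks to exclude, or a positive list of the covering CIDR blocks) can be computed rather than looked up on a calculator. This is an added example, not code from the thread; it uses Python's standard ipaddress module for the OP's 172.150.0.0 - 172.250.255.255 range, and assumes the jump is from INPUT with TCP (the thread leaves the chain and protocol to the reader).

```python
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


def covering_blocks(first: str, last: str) -> List[IPv4Net]:
    """Minimal CIDR list that exactly covers first..last (the 'positive' rule list)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def supernet_and_exclusions(first: str, last: str) -> Tuple[IPv4Net, List[IPv4Net]]:
    """Smallest single CIDR containing the range, plus the blocks inside it
    that fall outside the range (these become the -j RETURN rules)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = IPv4Net((lo, 32))
    # Widen the prefix until both ends of the range fit inside one block.
    while not (net.network_address <= lo and hi <= net.broadcast_address):
        net = net.supernet()
    excluded: List[IPv4Net] = []
    if net.network_address < lo:   # gap below the range
        excluded += ipaddress.summarize_address_range(net.network_address, lo - 1)
    if hi < net.broadcast_address:  # gap above the range
        excluded += ipaddress.summarize_address_range(hi + 1, net.broadcast_address)
    return net, excluded


def render_rules(first: str, last: str, port: int,
                 proto: str = "tcp", chain: str = "No8676") -> List[str]:
    """Emit iptables commands for a user-defined chain, picking whichever
    of the two styles needs fewer rules. INPUT/tcp are assumed defaults."""
    positive = covering_blocks(first, last)
    supernet, excluded = supernet_and_exclusions(first, last)
    lines = [f"iptables -N {chain}"]
    if len(excluded) + 1 < len(positive):
        # RETURN the carved-out blocks first, then DROP the whole supernet.
        lines += [f"iptables -A {chain} -s {n} -j RETURN" for n in excluded]
        lines.append(f"iptables -A {chain} -s {supernet} -j DROP")
    else:
        lines += [f"iptables -A {chain} -s {n} -j DROP" for n in positive]
    lines.append(f"iptables -A INPUT -p {proto} --dport {port} -j {chain}")
    return lines


if __name__ == "__main__":
    for rule in render_rules("172.150.0.0", "172.250.255.255", 8676):
        print(rule)
```

For this range the positive list needs eight DROP rules while the carve-out form needs five RETURNs plus one DROP, so the function emits the latter; the counts match the two rule sets quoted in the thread.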