Blocking a range of source IPs to a specific port

R. DuFresne dufresne at sysinfo.com
Tue Aug 2 00:03:02 CEST 2005





Rob,

Of course you are correct, I should have waited till I had time after work 
to offer assistance here.  But the backend advice of using one of the 
online IP calculators would be a good starting point for finding the 
correct params to pass to iptables.

Thanks for the correction.

Ron DuFresne

On Mon, 1 Aug 2005, /dev/rob0 wrote:

> R. DuFresne wrote:
>>> I'm trying to use iptables to block a range of source IP addresses, but 
>>> I can't figure out how to specify ranges- i'm trying to block everything 
>>> from 172.150-250.*.* on port 8676- can someone help me out with the rule 
>>> for this?
>> 
>> For part of the address space 172.128.0.0 - 172.191.255.255 you can block 
>> on 172.128.0.0/10.  To get the full range, you might use one of the online 
>> IP calculators to figure in the whole shebang.
>
> Unfortunately 172.128.0.0/10 includes some which is not of the space the OP 
> listed. 172.128.0.0/9 could be used; that is 172.128.0.0 through 
> 172.255.255.255. The rule could be preceded by some -j RETURN rules with some 
> creative use of user-defined chains.
>
> iptables -N No8676
> iptables -A No8676 -s 172.128.0.0/12 -j RETURN
> iptables -A No8676 -s 172.144.0.0/14 -j RETURN
> iptables -A No8676 -s 172.148.0.0/15 -j RETURN
> iptables -A No8676 -s 172.251.0.0/16 -j RETURN
> iptables -A No8676 -s 172.252.0.0/14 -j RETURN
> iptables -A No8676 -s 172.128.0.0/9 -j DROP
>
> Then, you jump to No8676 for -p $PROTO --dport 8676 from INPUT and/or FORWARD 
> as may be required for what is wanted.
>
> As an alternative he could list each netblock positively:
>
> iptables -A No8676 -s 172.150.0.0/15 -j DROP
> iptables -A No8676 -s 172.152.0.0/13 -j DROP
> iptables -A No8676 -s 172.160.0.0/11 -j DROP
> iptables -A No8676 -s 172.192.0.0/11 -j DROP
> iptables -A No8676 -s 172.224.0.0/12 -j DROP
> iptables -A No8676 -s 172.240.0.0/13 -j DROP
> iptables -A No8676 -s 172.248.0.0/15 -j DROP
> iptables -A No8676 -s 172.250.0.0/16 -j DROP
>
> That requires more rules.
>
> General understanding of TCP/IP and CIDR notation is useful in a case like 
> this. I would refer the OP to one of the online calculators to which Ron 
> referred: http://www.cotse.com/networkcalculator.html .
>
> Useful hint to those who might be planning out a network: keep your hosts in 
> CIDR-addressable netblocks. It's much more convenient for purposes of 
> firewalling and routing.
>

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
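As an added illustration that is not part of this thread, the netblock decomposition rob0 worked out by hand can be reproduced and checked with Python's standard ipaddress module, which is what the online calculators do for you. The chain name, port and the 172.150-250.*.* range come from the thread; the helper function names and the use of INPUT as the calling chain are my assumptions.

```python
import ipaddress
from typing import List, Optional

def netblocks_for_range(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks exactly covering first..last (inclusive).
    This is the 'positive' list of -j DROP rules from the thread."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]

def exclusion_blocks(supernet: str, first: str, last: str) -> List[str]:
    """CIDR blocks inside supernet that lie OUTSIDE first..last.
    These are the -j RETURN rules placed before a single DROP of supernet."""
    net = ipaddress.IPv4Network(supernet)
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a not in net or b not in net:
        raise ValueError(f"{first}-{last} is not contained in {supernet}")
    gaps = []
    if net.network_address < a:          # space below the wanted range
        gaps += ipaddress.summarize_address_range(net.network_address, a - 1)
    if b < net.broadcast_address:        # space above the wanted range
        gaps += ipaddress.summarize_address_range(b + 1, net.broadcast_address)
    return [str(n) for n in gaps]

def iptables_rules(chain: str, proto: str, port: int, first: str, last: str,
                   supernet: Optional[str] = None) -> List[str]:
    """Render a user-defined chain that drops first..last on --dport port.
    With supernet=None the range is listed positively; with a supernet the
    shorter RETURN-then-DROP form from the thread is generated instead."""
    rules = [f"iptables -N {chain}"]
    if supernet is None:
        for blk in netblocks_for_range(first, last):
            rules.append(f"iptables -A {chain} -s {blk} -j DROP")
    else:
        for blk in exclusion_blocks(supernet, first, last):
            rules.append(f"iptables -A {chain} -s {blk} -j RETURN")
        rules.append(f"iptables -A {chain} -s {supernet} -j DROP")
    # Assumed: hook the chain from INPUT; add a FORWARD jump if you route.
    rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j {chain}")
    return rules

if __name__ == "__main__":
    for line in iptables_rules("No8676", "tcp", 8676,
                               "172.150.0.0", "172.250.255.255"):
        print(line)
    print()
    for line in iptables_rules("No8676", "tcp", 8676,
                               "172.150.0.0", "172.250.255.255", "172.128.0.0/9"):
        print(line)
```

Both outputs match the two rule sets in rob0's reply, which is the check worth running before loading hand-derived masks into a live firewall.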