Blocking a range of source IPs to a specific port

James Harrison jamesharrison at blackicehosting.com
Tue Aug 2 00:05:20 CEST 2005


R. DuFresne wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Rob,
>
> Of course you are correct, I should have waited till I had time after 
> work to offer assistance here.  But the backend advice of using one of 
> the online IP calculators would be a good starting point for finding 
> the correct params to pass to iptables.
>
> Thanks for the correction.
>
> Ron DuFresne
>
> On Mon, 1 Aug 2005, /dev/rob0 wrote:
>
>> R. DuFresne wrote:
>>
>>>> I'm trying to use iptables to block a range of source IP addresses, 
>>>> but I can't figure out how to specify ranges. I'm trying to block 
>>>> everything from 172.150-250.*.* on port 8676. Can someone help me 
>>>> out with the rule for this?
>>>
>>>
>>> For part of the address space 172.128.0.0 - 172.191.255.255 you can 
>>> block on 172.128.0.0/10.  To get the full range, you might use one 
>>> of the online IP calculators to figger in the whole shebang.
>>
>>
>> Unfortunately 172.128.0.0/10 includes some which is not of the space 
>> the OP listed. 172.128.0.0/9 could be used; that is 172.128.0.0 
>> through 172.255.255.255. The rule could be preceded by some -j RETURN 
>> rules with some creative use of user-defined chains.
>>
>> iptables -N No8676
>> iptables -A No8676 -s 172.128.0.0/12 -j RETURN
>> iptables -A No8676 -s 172.144.0.0/14 -j RETURN
>> iptables -A No8676 -s 172.148.0.0/15 -j RETURN
>> iptables -A No8676 -s 172.251.0.0/16 -j RETURN
>> iptables -A No8676 -s 172.252.0.0/14 -j RETURN
>> iptables -A No8676 -s 172.128.0.0/9 -j DROP
>>
>> Then, you jump to No8676 for -p $PROTO --dport 8676 from INPUT and/or 
>> FORWARD as may be required for what is wanted.
>>
>> As an alternative he could list each netblock positively:
>>
>> iptables -A No8676 -s 172.150.0.0/15 -j DROP
>> iptables -A No8676 -s 172.152.0.0/13 -j DROP
>> iptables -A No8676 -s 172.160.0.0/11 -j DROP
>> iptables -A No8676 -s 172.192.0.0/11 -j DROP
>> iptables -A No8676 -s 172.224.0.0/12 -j DROP
>> iptables -A No8676 -s 172.240.0.0/13 -j DROP
>> iptables -A No8676 -s 172.248.0.0/15 -j DROP
>> iptables -A No8676 -s 172.250.0.0/16 -j DROP
>>
>> That requires more rules.
>>
>> General understanding of TCP/IP and CIDR notation is useful in a case 
>> like this. I would refer the OP to one of the online calculators to 
>> which Ron referred: http://www.cotse.com/networkcalculator.html .
>>
>> Useful hint to those who might be planning out a network: keep your 
>> hosts in CIDR-addressable netblocks. It's much more convenient for 
>> purposes of firewalling and routing.
>>
>
> - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629
>
> ...We waste time looking for the perfect lover
> instead of creating the perfect love.
>
>                 -Tom Robbins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFC7pwast+vzJSwZikRAgUBAJ9uSprzhuSSR7JmD3aPylqSNTk2mgCfc14/
> cPT4NJheluJF/CAIZFOv19s=
> =soQH
> -----END PGP SIGNATURE-----
>
Well, thanks to both of you for the information. I think I'm getting the 
hang of it... :)

However I'm still completely confused on the whole 0/9 issue. What does 
this specify?

I should be able to work it out using that information, but I'd like to 
understand it completely for future knowledge :-)
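
Added example, not part of the thread: a small CIDR calculator of the kind Ron and Rob point to, written here to answer the /9 question in code. A prefix length /N means the first N bits of the address are fixed and the remaining 32-N bits are free; 172.128.0.0/9 fixes the 8 bits of 172 plus the top bit of the second octet, so it covers 172.128.0.0 through 172.255.255.255. The script turns the OP's 172.150-250.*.* into the minimal CIDR list, works out the -j RETURN exclusions for the "one /9 DROP" approach, checks that both variants describe the same addresses, and prints rules in the shape used in the thread. The chain name No8676 and port 8676 are from the thread; "tcp" for the protocol is an assumption, and only the Python standard library is used.

```python
"""Added example (not from the thread): CIDR arithmetic for the No8676 rules."""
import ipaddress
from typing import Iterable, List, Tuple


def prefix_to_mask(prefix_len: int) -> str:
    """Dotted-quad netmask for a prefix length, e.g. /9 -> 255.128.0.0.

    /N fixes the first N bits (network part); the other 32-N bits vary."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def cidr_bounds(cidr: str) -> Tuple[str, str]:
    """First and last address of a CIDR block (host bits are normalised)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks exactly covering an inclusive range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def second_octet_range_to_cidrs(lo: int, hi: int) -> List[str]:
    """The OP's notation 172.lo-hi.*.* expressed as CIDR blocks."""
    return range_to_cidrs(f"172.{lo}.0.0", f"172.{hi}.255.255")


def exclusions_within(supernet: str, first: str, last: str) -> List[str]:
    """Blocks inside `supernet` that lie outside [first, last].

    These become the -j RETURN rules that must precede a DROP on the
    supernet, so the unwanted parts of the supernet are let through."""
    sn = ipaddress.IPv4Network(supernet)
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if not (sn.network_address <= lo <= hi <= sn.broadcast_address):
        raise ValueError("range must lie inside the supernet")
    out: List[str] = []
    if lo > sn.network_address:
        out += range_to_cidrs(str(sn.network_address), str(lo - 1))
    if hi < sn.broadcast_address:
        out += range_to_cidrs(str(hi + 1), str(sn.broadcast_address))
    return out


def partition_check(blocks: Iterable[str]) -> List[str]:
    """Merge adjacent/overlapping blocks; the wanted blocks plus the
    exclusions should collapse to exactly the supernet."""
    nets = [ipaddress.IPv4Network(b) for b in blocks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def iptables_rules(chain: str, proto: str, port: int,
                   drop_blocks: Iterable[str],
                   return_blocks: Iterable[str] = ()) -> List[str]:
    """Rules in the thread's shape: user-defined chain, RETURN rules first,
    DROP rules after, then a jump from INPUT for the destination port."""
    rules = [f"iptables -N {chain}"]
    rules += [f"iptables -A {chain} -s {b} -j RETURN" for b in return_blocks]
    rules += [f"iptables -A {chain} -s {b} -j DROP" for b in drop_blocks]
    rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j {chain}")
    return rules


if __name__ == "__main__":
    FIRST, LAST = "172.150.0.0", "172.250.255.255"   # the OP's range
    print("/9 netmask:", prefix_to_mask(9))
    print("172.128.0.0/9 covers", *cidr_bounds("172.128.0.0/9"))
    print("172.128.0.0/10 covers", *cidr_bounds("172.128.0.0/10"))
    positive = second_octet_range_to_cidrs(150, 250)
    excl = exclusions_within("172.128.0.0/9", FIRST, LAST)
    # both variants must describe the same addresses: /9 = wanted + excluded
    assert partition_check(positive + excl) == ["172.128.0.0/9"]
    print("\n# variant 1: RETURN the unwanted parts, then DROP the /9")
    print("\n".join(iptables_rules("No8676", "tcp", 8676, ["172.128.0.0/9"], excl)))
    print("\n# variant 2: list each netblock positively")
    print("\n".join(iptables_rules("No8676", "tcp", 8676, positive)))
```

Run as-is, the script reproduces Rob's two rule sets exactly: five RETURN blocks before the single /9 DROP, or eight positive DROP blocks. The `partition_check` assertion is the part a practitioner should keep: it proves the RETURN exclusions and the positive list cover the same addresses, which is exactly the kind of off-by-one-octet mistake (a /10 where a /9 was meant) that the thread started with.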



More information about the netfilter mailing list