Blocking a range of source IPs to a specific port
jamesharrison at blackicehosting.com
Tue Aug 2 00:05:20 CEST 2005
R. DuFresne wrote:
> Of course you are correct, I should have waited till I had time after
> work to offer assistance here. But the backend advice of using one of
> the online IP calculators would be a good starting point for finding
> the correct params to pass to iptables.
> Thanks for the correction.
> Ron DuFresne
> On Mon, 1 Aug 2005, /dev/rob0 wrote:
>> R. DuFresne wrote:
>>>> I'm trying to use iptables to block a range of source IP addresses,
>>>> but I can't figure out how to specify ranges- I'm trying to block
>>>> everything from 172.150-250.*.* on port 8676- can someone help me
>>>> out with the rule for this?
>>> For part of the address space 184.108.40.206 - 220.127.116.11 you can
>>> block on 18.104.22.168/10. To get the full range, you might use one
>>> of the online IP calculators to figure in the whole shebang.
>> Unfortunately 22.214.171.124/10 includes some which is not of the space
>> the OP listed. 126.96.36.199/9 could be used; that is 188.8.131.52
>> through 184.108.40.206. The rule could be preceded by some -j RETURN
>> rules with some creative use of user-defined chains.
>> iptables -N No8676
>> iptables -A No8676 -s 220.127.116.11/12 -j RETURN
>> iptables -A No8676 -s 18.104.22.168/14 -j RETURN
>> iptables -A No8676 -s 22.214.171.124/15 -j RETURN
>> iptables -A No8676 -s 126.96.36.199/16 -j RETURN
>> iptables -A No8676 -s 188.8.131.52/14 -j RETURN
>> iptables -A No8676 -s 184.108.40.206/9 -j DROP
>> Then, you jump to No8676 for -p $PROTO --dport 8676 from INPUT and/or
>> FORWARD as may be required for what is wanted.
>> As an alternative he could list each netblock positively:
>> iptables -A No8676 -s 220.127.116.11/15 -j DROP
>> iptables -A No8676 -s 18.104.22.168/13 -j DROP
>> iptables -A No8676 -s 22.214.171.124/11 -j DROP
>> iptables -A No8676 -s 126.96.36.199/11 -j DROP
>> iptables -A No8676 -s 188.8.131.52/12 -j DROP
>> iptables -A No8676 -s 184.108.40.206/13 -j DROP
>> iptables -A No8676 -s 220.127.116.11/15 -j DROP
>> iptables -A No8676 -s 18.104.22.168/16 -j DROP
>> That requires more rules.
>> General understanding of TCP/IP and CIDR notation is useful in a case
>> like this. I would refer the OP to one of the online calculators to
>> which Ron referred: http://www.cotse.com/networkcalculator.html .
>> Useful hint to those who might be planning out a network: keep your
>> hosts in CIDR-addressable netblocks. It's much more convenient for
>> purposes of firewalling and routing.
Well, thanks to both of you for the information- I think I'm getting the
hang of it... :)
However I'm still completely confused on the whole 0/9 issue- what does
I should be able to work it out using that information, but I'd like to
understand it completely for future knowledge :-)
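An added example, not code from anyone in this thread, that derives both rule sets rob0 describes for the OP's range 172.150.0.0 through 172.250.255.255 on port 8676 with Python's ipaddress module: the exact CIDR cover (the eight DROP rules), the smallest single block spanning the range (the /9) and the pieces of that /9 that must RETURN first (the five RETURN rules). The chain name No8676 is from the thread; TCP and the INPUT chain are assumptions.

```python
import ipaddress

def cidr_blocks(first, last):
    """Minimal list of CIDR blocks that exactly cover the inclusive range first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def spanning_supernet(first, last):
    """Smallest single CIDR block containing both ends of the range (the '/9' in the thread)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    for prefix in range(32, -1, -1):          # widen the mask until it covers both ends
        net = ipaddress.IPv4Network((lo, prefix), strict=False)
        if hi in net:
            return net

def excluded_blocks(first, last):
    """Parts of the spanning supernet that lie outside first..last (these get RETURN rules)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    sup = spanning_supernet(first, last)
    out = []
    if sup.network_address < lo:
        out += ipaddress.summarize_address_range(sup.network_address, lo - 1)
    if sup.broadcast_address > hi:
        out += ipaddress.summarize_address_range(hi + 1, sup.broadcast_address)
    return out

def positive_rules(chain, first, last, port, proto="tcp"):
    """One DROP rule per covering block (rob0's second variant); INPUT/tcp are assumed here."""
    rules = [f"iptables -N {chain}"]
    rules += [f"iptables -A {chain} -s {net} -j DROP" for net in cidr_blocks(first, last)]
    rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j {chain}")
    return rules

def exclusion_rules(chain, first, last, port, proto="tcp"):
    """RETURN for the out-of-range pieces, then DROP the whole supernet (rob0's first variant)."""
    rules = [f"iptables -N {chain}"]
    rules += [f"iptables -A {chain} -s {net} -j RETURN" for net in excluded_blocks(first, last)]
    rules.append(f"iptables -A {chain} -s {spanning_supernet(first, last)} -j DROP")
    rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j {chain}")
    return rules

def blocked_by_exclusion_chain(first, last, addr):
    """Walk the RETURN/DROP chain for one source address the way netfilter would."""
    a = ipaddress.IPv4Address(addr)
    if any(a in net for net in excluded_blocks(first, last)):
        return False                            # RETURN: leaves the chain without dropping
    return a in spanning_supernet(first, last)  # DROP only if still inside the supernet
```

Calling positive_rules("No8676", "172.150.0.0", "172.250.255.255", 8676) or exclusion_rules(...) with the same arguments prints the two rule sets from the thread with real prefix lengths, and blocked_by_exclusion_chain lets you check boundary addresses such as 172.149.255.255 and 172.251.0.0 before loading anything.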