Blocking a range of source IPs to a specific port

Grant Taylor gtaylor at riverviewtech.net
Tue Aug 2 05:05:49 CEST 2005


James Harrison wrote:

> Hi,
>
> I'm trying to use iptables to block a range of source IP addresses, 
> but I can't figure out how to specify ranges - I'm trying to block 
> everything from 172.150-250.*.* on port 8676 - can someone help me out 
> with the rule for this?
>
> Thanks,
> James Harrison
>
James, you might want to look into the IPRange match extension for 
IPTables. I think you would be able to do something quite literally like 
this:

iptables -t filter -A INPUT -p tcp --dport 8676 -m iprange --src-range \
172.150.0.0-172.250.255.255 -j DROP

I was able to successfully key the above line in to my firewall at the 
house (test chain) without any problems, so I think the syntax is 
correct.  However, I have never used iprange in production to say what I 
think of it.  Give it a try and see what you think.

One suggestion is that you may want to send the traffic to a different 
sub-chain to be able to log the traffic before you DROP it.  Just a thought.



Grant. . . .
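The logging sub-chain Grant suggests, written out as an added example script (not part of the original thread): it creates a dedicated chain that logs and then drops, and sends the 172.150.0.0-172.250.255.255 range on port 8676 there from INPUT with the iprange match. The chain name BLOCK_8676, the LOG rate limit and the DRY_RUN/IPT variables are my own choices; it assumes a Linux host with iptables and the xt_iprange match available.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Builds a log-then-drop sub-chain and jumps to it from INPUT using iprange.
# DRY_RUN=1 prints the iptables commands instead of executing them, which is
# useful for previewing the rule set before applying it as root.
set -e

IPT=${IPT:-iptables}
RANGE="172.150.0.0-172.250.255.255"   # 172.150-250.*.* is not one CIDR block, hence iprange
PORT=8676
CHAIN="BLOCK_8676"                     # hypothetical chain name

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

install_rules() {
    # Create the sub-chain; tolerate "already exists" when re-run.
    run -t filter -N "$CHAIN" 2>/dev/null || true
    # Log at most 5 matches per minute (burst 10) so a flood cannot fill syslog.
    run -t filter -A "$CHAIN" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "iptables $CHAIN: " --log-level 4
    run -t filter -A "$CHAIN" -j DROP
    # Match the source range on the way in and hand the packet to the sub-chain.
    run -t filter -A INPUT -p tcp --dport "$PORT" \
        -m iprange --src-range "$RANGE" -j "$CHAIN"
}

# Check that the INPUT jump is in place (iptables -C returns non-zero if not).
verify_rules() {
    run -t filter -C INPUT -p tcp --dport "$PORT" \
        -m iprange --src-range "$RANGE" -j "$CHAIN"
}

# Usage:  DRY_RUN=1 sh block_range.sh   (preview)
#         sudo sh block_range.sh         (apply), then call verify_rules
```

Matches will show up in the kernel log with the prefix "iptables BLOCK_8676:", so you can grep for that prefix to see what is being dropped.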


