What's the best way to block these IP's?
netfilter at cjseng.com
Sat Jun 18 20:02:31 CEST 2005
Thanks for the reply... I noticed the error of the "/32" CIDR right after I
Brain fart on my part.
I just wanted to know if
184.108.40.206 without the "/*" would work. (blocking the whole 220.127.116.11
From: "/dev/rob0" <rob0 at gmx.co.uk>
To: <netfilter at lists.netfilter.org>
Sent: Saturday, June 18, 2005 12:46 PM
Subject: Re: What's the best way to block these IP's?
> On Saturday 18 June 2005 11:46, Netfilter wrote:
>> What's the best way to block these IP's?
> I'm not sure what your question is. I see a few main possibilities
> about which you might be asking. I'll address those.
>> -A INPUT -p tcp -s 18.104.22.168/32 -i eth1 -j DROP
>> -A INPUT -p tcp -s 22.214.171.124 -i eth1 -j DROP
> Maybe you don't understand CIDR notation, and thus don't know what
> these do. A /32 netmask means "this IP only" in English. 32 bits of
> netmask is 255.255.255.255. Both forms are the same!
> If you want to block all IP's starting with 213 or 218, those won't do
> it. You would need to use /8 or smaller. 126.96.36.199/8 is 188.8.131.52
> through 184.108.40.206; 220.127.116.11/7 is 18.104.22.168 through
> 22.214.171.124. Rusty's Networking Concepts HOWTO might help.
> Generally the best strategy for firewalling is to choose what to allow
> and let everything else hit a DROP or REJECT policy or rule. Here the
> Packet Filtering HOWTO has examples which might help. Note as well that
> all your examples are only limiting TCP traffic, and only if coming in
> your eth1 interface.
> Furthermore there are common misunderstandings concerning the role of
> INPUT as opposed to FORWARD. If you're wanting to block traffic from or
> to NAT users, your INPUT rules will not do it. Again this is explained
> in the Packet Filtering HOWTO.
> When I have common rules I want called from both INPUT and FORWARD, I
> use a new chain ...
> # iptables -N Common
> # iptables -vA Common -s 126.96.36.199/7 -j DROP
> [ ... other rules as wanted ... ]
> # iptables -vA INPUT -j Common
> # iptables -vA FORWARD -j Common
> You can of course limit the type of traffic sent to the chain with
> matches on the calling rule.
> HTH, and if not you, HTH someone else.
> mail to this address is discarded unless "/dev/rob0"
> or "not-spam" is in Subject: header
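As an added illustration of the CIDR points made in the quoted reply (this is not code from the thread), the following shows the netmask arithmetic behind /32, /8 and /7 and the same "address AND mask" comparison that an iptables `-s` match performs. The addresses are constructed samples; 213.0.0.0 is taken from the "starting with 213 or 218" wording above.

```python
import socket
import struct


def ip_to_int(ip: str) -> int:
    """Dotted-quad text -> 32-bit integer (inet_aton validates the text)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-quad text."""
    return socket.inet_ntoa(struct.pack("!I", n))


def prefix_mask(plen: int) -> int:
    """Netmask for a prefix length: the top plen bits set, e.g. /8 -> 255.0.0.0."""
    if not 0 <= plen <= 32:
        raise ValueError(f"prefix length out of range: /{plen}")
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def split_cidr(cidr: str):
    """'a.b.c.d/len' -> (address int, mask int); a bare address means /32, as iptables assumes."""
    addr, _, length = cidr.partition("/")
    return ip_to_int(addr), prefix_mask(int(length) if length else 32)


def cidr_to_range(cidr: str):
    """Return (netmask, first address, last address, address count) covered by cidr.
    Host bits in the given address are cleared, which is what iptables does too."""
    addr, mask = split_cidr(cidr)
    network = addr & mask
    last = network | (~mask & 0xFFFFFFFF)
    return int_to_ip(mask), int_to_ip(network), int_to_ip(last), 1 << bin(~mask & 0xFFFFFFFF).count("1")


def matches(ip: str, cidr: str) -> bool:
    """True if ip falls inside cidr: the test a '-s cidr' rule applies to a packet's source."""
    addr, mask = split_cidr(cidr)
    return ip_to_int(ip) & mask == addr & mask


if __name__ == "__main__":
    for sample in ("213.5.6.7/32", "213.5.6.7", "213.0.0.0/8", "213.0.0.0/7"):
        print(sample, "->", cidr_to_range(sample))
```

Note that 213.0.0.0/7 expands downwards to 212.0.0.0 through 213.255.255.255, so a /7 on 213 does not reach 218; blocking both ranges takes two rules in the shared chain.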