How to block a range of IP addresses in iptables?
  • Please, what is the instruction to get iptables to block a range of IP addresses, that is: 211.94.0.0 - 211.103.255.255 ?

    I guess that "iptables -A INPUT --source 211.95.79.186/32 -j DROP" would block the single address <211.95.79.186> (which is a persistent intruder), but I don't know the precise syntax for blocking the entire range of addresses from <211.94.0.0> to <211.103.255.255>

    My slice runs Ubuntu Hardy
  • This might do what you want

    It generates iptables rules for blocking off countries. Outputs rules like this:

    /sbin/iptables -A INPUT -p tcp -s 217.173.0.0/20  -j all
    /sbin/iptables -A INPUT -p tcp -s 217.173.16.0/20  -j all
    /sbin/iptables -A INPUT -p tcp -s 217.173.64.0/20  -j all
    /sbin/iptables -A INPUT -p tcp -s 217.174.0.0/20  -j all
    /sbin/iptables -A INPUT -p tcp -s 217.174.96.0/20  -j all
    /sbin/iptables -A INPUT -p tcp -s 217.174.160.0/20  -j all
    

    Wikipedia has a good explanation of how the subnet syntax works.

  • Thanks! However, I'm not ready to block out whole countries — just a couple of networks. (Reminds me of THE GODFATHER II — “I don't want to kill everyone — only my enemies.”)

    That Wikipedia article is over my head — long on principle, short on application. I read it; but I still cannot figure out how to construct a line in my iptables which would block 211.94.0.0 - 211.103.255.255 . Also, I cannot grasp how to infer the "/ØØ" suffix from the ØØ.ØØ.ØØ.ØØ portion of an IP address.

    Can someone help, please?
  • I think "iptables -A INPUT -p tcp -m iprange --src-range 211.94.0.0-211.103.255.255 -j DROP" should do it.

    By the way, the suffix specifies how many bits of the IP address to pay attention to. So 211.95.79.186/32 matches only that specific IP address, but 211.95.79.186/24 matches only the first 24 bits, namely 211.95.79. So if you specified a rule with 211.95.79.186/24, it would match 211.95.79.0 all the way up to 211.95.79.255.

    :) David
  • You're not going to be able to block that range with a single line.

    You're going to have to block /16 subnets - one per line - so a total of 10 lines to cover that range.

    /16 subnets cover the X.Y.0.0 thru X.Y.255.255 range

    So block

    211.94.0.0/16
    211.95.0.0/16
    ...
    211.103.0.0/16
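The two answers above (the iprange match, and the list of /16 blocks) can be checked against each other. The following Python script is an added example and is not code from anyone in this thread; it uses only the standard-library ipaddress module, takes the range asked about in the question as a constructed input, and shows three things: the minimal set of CIDR blocks that exactly covers 211.94.0.0 - 211.103.255.255, the /16-per-line list, and how the "/NN" suffix maps to a first-and-last address (the question asked in the third post). It also emits the corresponding iptables command lines as strings (the chain and target names INPUT and DROP are assumptions, chosen to match the thread) so they can be reviewed before being run. The rules it prints omit "-p tcp" so they apply to every protocol; add it back if only TCP should be dropped.

```python
import ipaddress

# Constructed input: the range from the original question.
RANGE_START = "211.94.0.0"
RANGE_END = "211.103.255.255"


def cidr_cover(start: str, end: str) -> list[str]:
    """Minimal list of CIDR blocks that exactly covers start..end (no over-blocking)."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def slash16_cover(start: str, end: str) -> list[str]:
    """One /16 per second octet, as the post above suggests.

    If start/end are not aligned to /16 boundaries this rounds outward,
    so it may block more than the requested range; cidr_cover() never does.
    """
    first = int(ipaddress.IPv4Address(start)) & ~0xFFFF
    last = int(ipaddress.IPv4Address(end))
    blocks = []
    cur = first
    while cur <= last:
        blocks.append(str(ipaddress.IPv4Network((cur, 16))))
        cur += 1 << 16
    return blocks


def address_range(cidr: str) -> tuple[str, str]:
    """Translate 'a.b.c.d/NN' into the first and last address it matches.

    strict=False lets a host address such as 211.95.79.186/24 be given;
    the host bits are simply ignored, exactly as iptables does.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def cidr_rules(blocks: list[str], chain: str = "INPUT", target: str = "DROP") -> list[str]:
    """One iptables rule per CIDR block (chain/target names are assumptions)."""
    return [f"iptables -A {chain} -s {block} -j {target}" for block in blocks]


def iprange_rule(start: str, end: str, chain: str = "INPUT", target: str = "DROP") -> str:
    """Single rule using the iprange match module, as suggested in the thread."""
    return f"iptables -A {chain} -m iprange --src-range {start}-{end} -j {target}"


def is_blocked(address: str, blocks: list[str]) -> bool:
    """Check whether an address falls inside any of the blocks (what iptables would match)."""
    addr = ipaddress.IPv4Address(address)
    return any(addr in ipaddress.IPv4Network(block) for block in blocks)


if __name__ == "__main__":
    exact = cidr_cover(RANGE_START, RANGE_END)
    print("# exact cover:", exact)
    for rule in cidr_rules(exact):
        print(rule)

    print("# /16 per line:", slash16_cover(RANGE_START, RANGE_END))
    print("# iprange form:")
    print(iprange_rule(RANGE_START, RANGE_END))

    # The persistent intruder from the question, plus the two addresses just
    # outside the range, as a sanity check on the cover.
    for probe in ("211.95.79.186", "211.93.255.255", "211.104.0.0"):
        print(probe, "blocked" if is_blocked(probe, exact) else "allowed")

    print("211.95.79.186/24 covers", address_range("211.95.79.186/24"))
```

Running it shows that the range collapses to just two CIDR blocks (211.94.0.0/15 and 211.96.0.0/13), so neither ten /16 lines nor the iprange module is strictly needed, though both are correct. Whichever form is used, append or insert the DROP rules before any broad ACCEPT rule in the chain (iptables evaluates rules in order and stops at the first match), and confirm the result with `iptables -L INPUT -n --line-numbers`.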
  • So iprange works over a greater than /24 subnet?

    Wonder if one way or the other has a greater processing overhead.
  • Posted By: Vonskippy: So iprange works over a greater than /24 subnet?

    I actually don't know, I've never used it myself. But there's nothing in the man page to suggest that it wouldn't work for arbitrary ranges.

    :) David