Ban a Range of IPs in iptables

userlander · 11-13-2008, 10:18 AM

I would like to ban this range of IPs from china:

222.208.0.0 - 222.215.255.255

what is the best way to do that in iptables? I only know how to block individual IPs, but obviously that would take hours if I had to do it one by one! Is there a way to block them all at once?

This is on ipcop, so if there is a better way to do it with some add-on, I wouldn't mind hearing about that, too. I have Banish installed, but again you have to banish by individual IPs (as far as I know).

AuroraCA · 11-13-2008, 10:50 AM

For web access you can insert deny from in the Apache configuration:

Code:

deny from 222.208
deny from 222.209
deny from 222.210
deny from 222.211
deny from 222.212
deny from 222.213
deny from 222.214
deny from 222.215

colucix · 11-13-2008, 11:01 AM

Recent versions of iptables support the IP range using this syntax:

Code:

-m iprange --src-range 222.208.0.0-222.215.255.255

use --dst-range if you want to specify destination addresses.

anomie · 11-13-2008, 12:08 PM

Other options include using:

Netmask notation: 222.208.0.0/255.248.0.0; or
CIDR notation: 222.208.0.0/13

You can confirm the range yourself using a calculator: http://www.subnet-calculator.com/cidr.php

userlander · 11-13-2008, 01:07 PM

Lots of options, excellent thanks.

It turns out Banish can ban by CIDR notation. I don't really know CIDR yet, but I guess 222.208.0.0/24 would ban that entire range, from 0-255, while /23 would also ban the .1.x subnet up to 255. Now just to figure out if there's a way to specify the second grouping of numbers with CIDR.

#-------------->
Thanks anomie - I had my message loaded in quick reply and then got busy. I see you posted in the meantime. But that's exactly what I was wondering about, that calculator will definitely come in handy.