LinuxQuestions.org

Linux - Networking: iptables and IP range ban on a specific adapter (https://www.linuxquestions.org/questions/linux-networking-3/iptables-and-ip-range-ban-on-a-specific-adapter-754923/)

alpha_hack 09-13-2009 06:19 PM

iptables and IP range ban on a specific adapter
 
Hey everybody,

I'm trying to make a ban script with iptables but I'm not having much luck right now.
What exactly I'm trying to do is to ban a range of IPs on an adapter.
Let's say I want to drop all connections from 192.168.1.10 to 192.168.1.20. How should I do that?
I thought that
Code:

local="eth0"
IPTABLES="/usr/sbin/iptables"
ports="21:79"
source="192.168.1.10-192.168.1.20"

$IPTABLES -I INPUT -p tcp -i $local --dport $ports -m iprange --src-range $source -j DROP

would do the trick, but apparently I was mistaken. If I remove the "--src-range" from the above code it works fine, but it just isn't working with --src-range.

Could you enlighten me as to the correct command?

Thanks in advance,
alpha_hack

salasi 09-14-2009 03:27 PM

from 'man iptables'

Quote:

PARAMETERS
The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands)....


[!] -s, --source address[/mask]
Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote
query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a
plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!"
argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.
I don't see any sign of the syntax ' source="192.168.1.10-192.168.1.20"', which is what you are effectively trying to use. Maybe a look at the tutorial at frozentux http://iptables-tutorial.frozentux.net/ will answer that question definitively.

alpha_hack 09-14-2009 04:46 PM

Quote:

Originally Posted by salasi (Post 3682653)
from 'man iptables'



I don't see any sign of the syntax ' source="192.168.1.10-192.168.1.20"', which is what you are effectively trying to use. Maybe a look at the tutorial at frozentux http://iptables-tutorial.frozentux.net/ will answer that question definitively.

If you look at "man iptables" you'd see "--src-range". When you use that option you can define the range by hand, from which IP to which. If you use only -s you'd be using a netmask instead.
As in the example in the man page: 192.168.1.0/24 would be equal to 192.168.1.1-192.168.1.255.

salasi 09-15-2009 04:03 AM

Quote:

Originally Posted by alpha_hack (Post 3682729)
...As in the example in the man page: 192.168.1.0/24 would be equal to 192.168.1.1-192.168.1.255.

But you are not using 192.168.1.0/24, which is a syntax that is mentioned in that section of the man page that I quoted earlier; you are using 192.168.1.10-192.168.1.20, which isn't mentioned.

Now you may well think that 192.168.1.10-192.168.1.20 ought to work and just be an alias for the /24 form, but the evidence seems to be that it isn't recognised.

alpha_hack 09-16-2009 11:00 AM

Quote:

Originally Posted by salasi (Post 3683324)
But you are not using 192.168.1.0/24, which is a syntax that is mentioned in that section of the man page that I quoted earlier; you are using 192.168.1.10-192.168.1.20, which isn't mentioned.

Now you may well think that 192.168.1.10-192.168.1.20 ought to work and just be an alias for the /24 form, but the evidence seems to be that it isn't recognised.

192.168.1.10-192.168.1.20 wouldn't work as an alias for /24; /24 is CIDR notation.
I think I didn't make myself clear in my previous post. I was just trying to make a comparison between /24 and --src-range so you'd understand better what I'm trying to do.

I want to be able to drop only a certain IP range. Therefore I should be using "--src-range", which is used for an IP address range -> "192.168.1.10-192.168.1.20".
But my problem comes from the network adapter. I want to be able to ban that range on a certain network adapter.

If you try this code:
Code:

IPTABLES="/usr/sbin/iptables"
# The variable must be named "ports": the rule below expands $ports, and with it
# undefined "--dport" would swallow "-m" as its argument and the command fails.
ports="21:79"
source="192.168.1.10-192.168.1.20"
$IPTABLES -I INPUT -p tcp --dport $ports -m iprange --src-range $source -j DROP

It'll ban that IP address range on all interfaces, and it works just fine; I've been using it for about a year. But now I need to extend the code so it fits my needs again.
Maybe this is not the right approach, but I just can't think of anything else that would do the same thing. If I use the CIDR notation I'd be banning a subnet of 254 / 252 / 248 / 240 / 224 / 192 / 128 or 256 hosts, depending on whether you enter /24, /25, etc. I don't need to ban a subnet. I need to ban a range of IPs on a network adapter.

Does anybody know how to do that?

alpha_hack 09-16-2009 06:54 PM

Thanks for the help.
I've managed to get what I needed.
If you are trying to do something like me, this is the way you should go:

Code:

IPTABLES='/usr/sbin/iptables'
source='192.168.11.10-192.168.11.20'
# A destination port range is written low:high (as the listing below shows: dpts:21:80)
ports='21:80'
local='eth0'

# Drop TCP and UDP from the source range, but only for packets arriving on eth0
$IPTABLES -t filter -I INPUT -p tcp -i $local -m iprange --src-range $source --destination-port $ports -j DROP
$IPTABLES -t filter -I INPUT -p udp -i $local -m iprange --src-range $source --destination-port $ports -j DROP

iptables -t filter -nvL
Code:

Chain INPUT (policy DROP 3 packets, 217 bytes)
 pkts bytes target    prot opt in    out    source              destination
    0    0 DROP      udp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          source IP range 192.168.11.10-192.168.11.20 udp dpts:21:80
    5  272 DROP      tcp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          source IP range 192.168.11.10-192.168.11.20 tcp dpts:21:80

Works fine for me.
Hopefully I helped you. :P


More info at http://iptables-tutorial.frozentux.n...-tutorial.html :)
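An added example, not from this thread or from the iptables project: a small Python helper that validates the `--src-range` and port-range syntax the posts argue about, builds the per-interface DROP rules, and also shows the equivalent set of CIDR blocks (what you would have to pass to `-s` if the iprange match were unavailable). It only assembles the commands as argv lists; it applies nothing. The interface `eth0`, the range and the ports are the thread's own values.

```python
import ipaddress


def parse_ip_range(spec):
    """Split an iprange-style 'first-last' string into two IPv4 addresses."""
    lo_s, sep, hi_s = spec.partition("-")
    if not sep:
        raise ValueError("expected 'first-last', got %r" % spec)
    lo, hi = ipaddress.IPv4Address(lo_s.strip()), ipaddress.IPv4Address(hi_s.strip())
    if lo > hi:
        raise ValueError("range start %s is after range end %s" % (lo, hi))
    return lo, hi


def range_to_cidrs(spec):
    """Smallest list of CIDR blocks that covers exactly the range (no more, no less).
    This is why a single /24 (or any one prefix) cannot stand in for .10-.20."""
    lo, hi = parse_ip_range(spec)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def in_range(addr, spec):
    """True if addr falls inside the range; handy for checking a rule before applying it."""
    lo, hi = parse_ip_range(spec)
    return lo <= ipaddress.IPv4Address(addr) <= hi


def drop_rules(iface, spec, ports, use_iprange=True):
    """Build INPUT DROP rules (tcp and udp) for one interface, as argv lists.
    ports is a single port or a 'low:high' range; iptables does not accept 'low-high'."""
    if "-" in ports:
        raise ValueError("port ranges are written low:high, not %r" % ports)
    parse_ip_range(spec)  # fail early on a malformed address range
    rules = []
    for proto in ("tcp", "udp"):
        head = ["iptables", "-t", "filter", "-I", "INPUT", "-p", proto, "-i", iface]
        tail = ["--dport", ports, "-j", "DROP"]
        if use_iprange:
            rules.append(head + ["-m", "iprange", "--src-range", spec] + tail)
        else:
            # Fallback without the iprange match: one -s rule per covering CIDR block
            for cidr in range_to_cidrs(spec):
                rules.append(head + ["-s", cidr] + tail)
    return rules


if __name__ == "__main__":
    SRC = "192.168.11.10-192.168.11.20"
    print(range_to_cidrs(SRC))
    for rule in drop_rules("eth0", SRC, "21:80"):
        print(" ".join(rule))
```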