I'm trying to make a ban script with iptables but I'm not having much luck right now.
What exactly I'm trying to do is to ban a range of IPs on an adapter.
Let's say I want to drop all connections from 192.168.1.10 to 192.168.1.20. How should I do that?
I thought that
would do the trick, but apparently I was mistaken. If I remove the "--src-range" from the above code it works fine, but it just isn't working with --src-range.
Could you enlighten me as to what the correct command is?
PARAMETERS
The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands)....
[!] -s, --source address[/mask]
Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.
I don't see any sign of the syntax ' source="192.168.1.10-192.168.1.20"', which is what you are effectively trying to use. Maybe a look at the tutorial at frozentux http://iptables-tutorial.frozentux.net/ will answer that question definitively.
If you look at "man iptables" you'd see "--src-range". When you use that option you can define by hand from which IP to which the range runs. If you use only -s you'd be using a mask behind it.
As in the man page example, 192.168.1.0/24 would be equal to 192.168.1.1-192.168.1.255.
...As in the example of man - 192.168.1.0/24 would be equal to 192.168.1.1-192.168.1.255.
But you are not using 192.168.1.0/24, which is a syntax that is mentioned in that section of the man page that I quoted earlier; you are using 192.168.1.10-192.168.1.20, which isn't mentioned.
Now you may well think that 192.168.1.10-192.168.1.20 ought to work and just be an alias for the /24 form, but the evidence seems to be that it isn't recognised.
192.168.1.10-192.168.1.20 wouldn't work as an alias for /24. /24 is CIDR notation.
I think I didn't make myself clear in my previous post. I was just trying to make a comparison between /24 and --src-range so you'd better understand what I'm trying to do.
I want to be able to drop only a certain IP range. Therefore I should be using "--src-range", which is used for an IP address range -> "192.168.1.10-192.168.1.20".
But my problem comes from the network adapter. I want to be able to ban that range on a certain network adapter.
It'll ban that IP address range on all interfaces. And it works just fine; I've been using it for about a year. But now I need to extend the code so it fits my needs again.
Maybe this is not the right approach, but I just can't think of anything else that would do the same thing. If I use the CIDR notation I'd be banning a subnet of 254 / 252 / 248 / 240 / 224 / 192 / 128 or 256 hosts. Depending on that you'd enter /24, /25, etc. I don't need to ban a subnet. I need to ban a range of IPs on a network adapter.
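The goal of the thread, an iptables rule that drops an arbitrary source range on one interface, as an added example (not code posted in the thread): the script below builds the rule with the iprange match extension, which is what provides --src-range and therefore has to be loaded with "-m iprange" for the option to be accepted, and it also builds the "-s"-only equivalent, the minimal set of CIDR blocks that exactly cover 192.168.1.10-192.168.1.20. That second form shows concretely why a single /mask cannot express a range that is not aligned to a power-of-two boundary. The interface name eth0 and the INPUT chain are assumed placeholders; the script only prints the commands and does not touch netfilter, so it runs without root.

```python
#!/usr/bin/env python3
"""Generate iptables rules that drop traffic from an arbitrary IPv4 range
on one interface.  Added example, not code from the thread.

Assumptions (not from the thread): "eth0" and the INPUT chain are
placeholders for the adapter and chain you actually want to protect.
The commands are generated, not executed; review and run them yourself.
"""
import ipaddress
import shlex


def _parse_range(start, end):
    """Validate an inclusive IPv4 range and return it as address objects."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return first, last


def ban_range_rule(iface, start, end, chain="INPUT"):
    """One rule using the iprange match: exact arbitrary range, one interface.

    --src-range belongs to the 'iprange' match extension, so the rule must
    load it with '-m iprange'; without that iptables rejects the option.
    """
    first, last = _parse_range(start, end)
    return (f"iptables -A {chain} -i {shlex.quote(iface)} "
            f"-m iprange --src-range {first}-{last} -j DROP")


def ban_range_cidr_rules(iface, start, end, chain="INPUT"):
    """Equivalent using only -s: split the range into the minimal set of
    CIDR blocks covering exactly those addresses, one rule per block.

    192.168.1.10-192.168.1.20 is not aligned to a power-of-two boundary,
    so it needs four blocks (/31, /30, /30, /32) rather than one /mask.
    """
    first, last = _parse_range(start, end)
    blocks = ipaddress.summarize_address_range(first, last)
    return [f"iptables -A {chain} -i {shlex.quote(iface)} "
            f"-s {net.with_prefixlen} -j DROP" for net in blocks]


def covered_addresses(start, end):
    """Every address the generated rules match, as strings, for checking."""
    first, last = _parse_range(start, end)
    return [str(ipaddress.IPv4Address(n))
            for n in range(int(first), int(last) + 1)]


if __name__ == "__main__":
    print(ban_range_rule("eth0", "192.168.1.10", "192.168.1.20"))
    print("# or, without the iprange match:")
    for rule in ban_range_cidr_rules("eth0", "192.168.1.10", "192.168.1.20"):
        print(rule)
```

The iprange form is the one to use for the thread's case: one rule, readable, and restricted to the interface by "-i". The CIDR form is there to make the comparison the OP draws concrete: the same eleven addresses need four "-s" rules, and any single /mask would either miss some of them or ban neighbours outside the range.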