LinuxQuestions.org
Old 07-31-2006, 01:10 PM   #1
jonfa
Member
 
Registered: Mar 2001
Location: FL
Posts: 257

Rep: Reputation: 30
block whole IP range with iptables


Is this the correct way to block the entire IP with iptables:

/sbin/iptables -I INPUT -s 221.0.0.0/255.0.0.0 -j DROP

For example, will this block, say, the ip address 221.23.56.132 or any ip address starting with 221?

Thanks.
 
Old 07-31-2006, 01:35 PM   #2
stlouis
Member
 
Registered: Jul 2006
Location: Sault Ste. Marie, Ontario
Distribution: RedHat, CentOS, Fedora Core, Gentoo, Slackware
Posts: 63

Rep: Reputation: 15
This is how to block an entire subnet:

# iptables -A INPUT -s 192.168.100.0/24 -j DROP


This is how to block a range of IPs within a subnet:

# iptables -I INPUT -m iprange --src-range 192.168.1.10-192.168.1.13 -j DROP


Or, if you do not want to do this manually, you can edit your /etc/sysconfig/iptables file.
 
Old 07-31-2006, 09:12 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
If you wanted to block the entire 221.0.0.0-221.255.255.255 range, then use either:

/sbin/iptables -I INPUT -s 221.0.0.0/255.0.0.0 -j DROP
/sbin/iptables -I INPUT -s 221.0.0.0/8 -j DROP

They do the same thing, you're just using CIDR notation instead of netmasks...

Note that using /24 will just block 221.0.0.0-221.0.0.255

Quote:
if you do not want to do this manually, you can edit your /etc/sysconfig/iptables file.
You should never directly edit that file. It's very sensitive to syntax, including things that you can't see (like CRLF characters) which can be very difficult to diagnose. Use iptables-save (or "service iptables save" on RH-ish systems) instead.
 
Old 08-01-2006, 07:28 AM   #4
stlouis
Member
 
Registered: Jul 2006
Location: Sault Ste. Marie, Ontario
Distribution: RedHat, CentOS, Fedora Core, Gentoo, Slackware
Posts: 63

Rep: Reputation: 15
My mistake, I meant to put in the /8 bit mask, not the /24 bit mask. I posted my response without re-reading it first.

And Capt Caveman is right, you really shouldn't edit the /etc/sysconfig/iptables file, unless you really know what you are doing. I just mess around with it for fun... If you do decide to tinker, then make sure you make a backup of the file... Or any other system file you decide to mess with. Always good practice....
 
Old 08-13-2006, 05:11 AM   #5
Vasili
LQ Newbie
 
Registered: Feb 2006
Location: At Home
Distribution: RHEL 4 AS
Posts: 23

Rep: Reputation: 15
Question

This is how to block a range of IPs within a subnet:

# iptables -I INPUT -m iprange --src-range 192.168.1.10-192.168.1.13 -j DROP

I have tried this but my box says

Bad argument '192.168.1.10-192.168.1.13'
 
Old 11-19-2008, 07:13 AM   #6
neioo
LQ Newbie
 
Registered: Jan 2008
Location: Sant Quinti de Mediona
Distribution: Gentoo
Posts: 24

Rep: Reputation: 2
I know that this question was asked long ago, but I am replying because I got the same error.

The problem is (or can be) that the module ipt_iprange is not loaded in the kernel, so, load it with modprobe or recompile your kernel with iprange (in the netfilter section).

regards
 
Old 11-19-2008, 07:37 AM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
neioo, please don't resurrect dead threads. Closed.
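
Added example, not part of any post in this thread: a Python check of which addresses an iptables `-s` value covers (netmask or CIDR form), plus a conversion of an arbitrary first-last range into CIDR blocks that plain `-s` rules can match when the iprange match is unavailable. The function names are made up for this example, and the generated rule strings are only returned for review, never executed.

```python
import ipaddress

def source_net(spec):
    """Parse an iptables -s value written as addr/prefix or addr/netmask."""
    # strict=False masks off host bits, which is also what iptables does.
    return ipaddress.ip_network(spec, strict=False)

def matches(spec, addr):
    """True if a rule with '-s spec' would match source address addr."""
    return ipaddress.ip_address(addr) in source_net(spec)

def span(spec):
    """First and last address covered by spec, as 'first-last'."""
    net = source_net(spec)
    return f"{net.network_address}-{net.broadcast_address}"

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering exactly first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def drop_rules(first, last, chain="INPUT"):
    """One '-s' DROP rule per CIDR block (strings only, nothing is run)."""
    return [f"iptables -I {chain} -s {cidr} -j DROP"
            for cidr in range_to_cidrs(first, last)]

if __name__ == "__main__":
    # Values below are the ones used in the thread.
    for spec in ("221.0.0.0/255.0.0.0", "221.0.0.0/8", "221.0.0.0/24"):
        print(spec, "covers", span(spec),
              "| matches 221.23.56.132:", matches(spec, "221.23.56.132"))
    for rule in drop_rules("192.168.1.10", "192.168.1.13"):
        print(rule)
```
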
 
  


All times are GMT -5.