LinuxQuestions.org
Blocking an ip address range within iptables

03-30-2009, 03:48 PM   #1
kaplan71 (Member; Registered: Nov 2003; Posts: 716)

Hi there --

I am setting up an iptables firewall on one of our servers, and I would like to block a range of addresses from getting into the system. I am using a script that does a BLACKIN and BLACKOUT methodology for specific addresses. One example is the following:

Code:
$IPTABLES -A BLACKIN -s 202.109.114.147 -j DROP
...
$IPTABLES -A BLACKOUT -d 202.109.114.117 -j DROP

What would be the correct syntax to use if I wanted to block an entire remote subnet from getting into the server? Thanks.
 
03-30-2009, 04:30 PM   #2
anomie (Senior Member; Registered: Nov 2004; Location: Texas; Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD; Posts: 3,930)

Good news -- iptables supports netmasks. From man iptables(8):
Quote:
-s, --source [!] address[/mask]

Source specification. Address can be either a network name, a
hostname (please note that specifying any name to be resolved
with a remote query such as DNS is a really bad idea), a network
IP address (with /mask), or a plain IP address. The mask can be
either a network mask or a plain number, specifying the number
of 1’s at the left side of the network mask. Thus, a mask of 24
is equivalent to 255.255.255.0. A "!" argument before the
address specification inverts the sense of the address. The flag
--src is an alias for this option.
 
03-31-2009, 12:41 AM   #3
win32sux (Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)

Also, if you literally want to use ranges (instead of subnets), you can do it like this:
Code:
$IPTABLES -A BLACKIN -m iprange --src-range 202.109.114.117-202.109.114.147 -j DROP
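The two answers above describe two different address matches: the `address/mask` form from the iptables man page (post #2), which can only express a CIDR-aligned block, and the `iprange` match (post #3), which accepts any inclusive first-last range. The following added example (written for this thread, not code from the original posts or from iptables) uses Python's `ipaddress` module to show when a range collapses to a single `-s`/`-d` netmask rule and when it needs `-m iprange`, and emits the rule in the thread's BLACKIN/BLACKOUT style. The `203.0.113.0-203.0.113.255` range is a constructed documentation-range stand-in for the `xxx.xxx.xxx.0-xxx.xxx.xxx.255` placeholders; `block_rules`, `cidr_blocks`, `mask_to_prefix` and `in_range` are names chosen here.

```python
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Dotted netmask -> prefix length; the man page's '24 == 255.255.255.0'."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def cidr_blocks(first: str, last: str) -> list[str]:
    """Smallest set of CIDR blocks that exactly covers the inclusive range first-last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def block_rules(chain: str, direction: str, first: str, last: str) -> list[str]:
    """DROP rule(s) for a range, in the thread's BLACKIN/BLACKOUT style.

    direction 'in' matches the source address (-s / --src-range),
    'out' the destination (-d / --dst-range).  A range that is exactly one
    CIDR block uses the plain address/mask form from the man page; any other
    range uses the iprange match so one rule still covers all of it.
    """
    blocks = cidr_blocks(first, last)
    if len(blocks) == 1:
        flag = "-s" if direction == "in" else "-d"
        return [f"$IPTABLES -A {chain} {flag} {blocks[0]} -j DROP"]
    flag = "--src-range" if direction == "in" else "--dst-range"
    return [f"$IPTABLES -A {chain} -m iprange {flag} {first}-{last} -j DROP"]


def in_range(addr: str, first: str, last: str) -> bool:
    """Would an iprange rule for first-last match addr? Both ends are inclusive."""
    a = ipaddress.IPv4Address(addr)
    return ipaddress.IPv4Address(first) <= a <= ipaddress.IPv4Address(last)


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 is a documentation range.
    print(mask_to_prefix("255.255.255.0"))                      # 24
    for rule in block_rules("BLACKIN", "in", "203.0.113.0", "203.0.113.255"):
        print(rule)                                              # single -s 203.0.113.0/24 rule
    for rule in block_rules("BLACKOUT", "out", "202.109.114.117", "202.109.114.147"):
        print(rule)                                              # needs -m iprange
    # The odd-sized range from post #3 would take five separate CIDR rules.
    print(cidr_blocks("202.109.114.117", "202.109.114.147"))
```

Running it shows that the post #4 range (.0 to .255) is just a /24, while the post #3 range (.117 to .147) cannot be written as one netmask at all, which is exactly the case `iprange` exists for.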
 
03-31-2009, 01:33 PM   #4
kaplan71 (Member; Registered: Nov 2003; Posts: 716; Original Poster)

Hi there --

Thanks for your reply. I went ahead with the iprange option using the following syntax:

Code:
$IPTABLES -A BLACKIN -m iprange --src-range xxx.xxx.xxx.0-xxx.xxx.xxx.255 -j DROP
...
$IPTABLES -A BLACKOUT -m iprange --dst-range xxx.xxx.xxx.0-xxx.xxx.xxx.255 -j DROP
I ran the script with no apparent error messages. The output of the iptables -vnL command regarding the above example showed the following:

Quote:
Chain BLACKIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range xxx.xxx.xxx.0-xxx.xxx.xxx.255

Chain BLACKOUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            destination IP range xxx.xxx.xxx.0-xxx.xxx.xxx.255

Unless I am mistaken, is that the correct output? Thanks.
 
03-31-2009, 02:55 PM   #5
win32sux (Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)

Looks good to me.