Blocking Iptables Ranges
I know i could filter iptables' ranges using netmasks.
But they are a pain in the ass to use when all the damn you want is just to filter something like 126.96.36.199-188.8.131.52 .
Does exists someone who knows if there's a way (an iptables' module perhaps) which allows me to specify ip ranges like that above?
Any idea really welcome.
There is a kernel patch from patch-o-matic at www.netfilter.org that allows ranges to be specified just by ip numbers...
But that involves patching a kernel source and rebuilding the kernel...
SURE I AM!!
try something like this
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.$IPS -d 0/0 -p tcp --dport 3128 -j ACCEPT
the only thing with this is that it will run the command however many times the range is..
eg if the rang is 100-200 it will run the command 100 times..
hope this helps :)
It's the simplest idea and surely is going to fit for known, small and limited ranges.
But unfortunately that's not my case.
I should have to filter out a whole bunch of ipranges coming out from an external file, which would have to be costantly updated (not by me, perhaps) and which has a format i can't change.
At this moment the external file counts over 2K (2000) ranges to be filtered out.
Each one of them may count a big round ass of single host's ip.
Just the first one counts 65K hosts to be filtered.
And as i said we are talking of thousands. Only occasionaly, for single ipranges by time to time, netmasks or your method could be a real choiche.
In fact choosing such a way would bring me to flood iptables with i-don't-even-wanna-know rules to take care of.
So i damn need somthing different.
However thanks for the advise.
Always welcome :)
perhaps would just be easier to write the rules to allow ip ranges you do want?
I just remember something, but I'm not sure where I read it:
if you have A LOT of hosts to filer from (either allow or deny or whatever) you might consider using some sort of hash-table.
If you put 60000 filter lines underneath eachother it'll take a LONG time to check all those rules.
Using hash tables it doesn't: eg:
iptables -A INPUT -s 10.0.1.0/24 -J 1001
iptables -A INPUT -s 10.0.2.0/24 -J 1002
iptables -A 1001 -s 10.0.1.1 -J DROP
iptables -A 1001 -s 10.0.1.2 -J DROP
iptables -A 1001 -s 10.0.1.3 -J DROP
that way the amount of rules to check is reduced drasticaly, but the filtering is not.
|All times are GMT -5. The time now is 03:45 PM.|