LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Blocking Iptables Ranges (http://www.linuxquestions.org/questions/linux-security-4/blocking-iptables-ranges-141925/)

SuperSadSmile 02-03-2004 03:56 PM

Blocking Iptables Ranges
 
I know i could filter iptables' ranges using netmasks.
But they are a pain in the ass to use when all the damn you want is just to filter something like 1.2.3.5-1.2.5.255 .

Does exists someone who knows if there's a way (an iptables' module perhaps) which allows me to specify ip ranges like that above?

Any idea really welcome.

peter_robb 02-04-2004 02:48 PM

There is a kernel patch from patch-o-matic at www.netfilter.org that allows ranges to be specified just by ip numbers...

But that involves patching a kernel source and rebuilding the kernel...
Interested?

SuperSadSmile 02-05-2004 10:35 AM

SURE I AM!!

thanks

chrisfirestar 02-06-2004 02:20 AM

try something like this

for ((IPS=11;IPS<=249;IPS++))
do
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.$IPS -d 0/0 -p tcp --dport 3128 -j ACCEPT
done

the only thing with this is that it will run the command however many times the range is..

eg if the rang is 100-200 it will run the command 100 times..

hope this helps :)

Chris
www.chrisliveonline.com/security/

SuperSadSmile 02-06-2004 05:28 AM

It's the simplest idea and surely is going to fit for known, small and limited ranges.
But unfortunately that's not my case.

I should have to filter out a whole bunch of ipranges coming out from an external file, which would have to be costantly updated (not by me, perhaps) and which has a format i can't change.

At this moment the external file counts over 2K (2000) ranges to be filtered out.
Each one of them may count a big round ass of single host's ip.
Just the first one counts 65K hosts to be filtered.
And as i said we are talking of thousands. Only occasionaly, for single ipranges by time to time, netmasks or your method could be a real choiche.
In fact choosing such a way would bring me to flood iptables with i-don't-even-wanna-know rules to take care of.
So i damn need somthing different.


However thanks for the advise.
Always welcome :)

chrisfirestar 02-08-2004 07:01 PM

perhaps would just be easier to write the rules to allow ip ranges you do want?

nielchiano 02-09-2004 02:57 AM

I just remember something, but I'm not sure where I read it:

if you have A LOT of hosts to filer from (either allow or deny or whatever) you might consider using some sort of hash-table.
If you put 60000 filter lines underneath eachother it'll take a LONG time to check all those rules.
Using hash tables it doesn't: eg:

iptables -A INPUT -s 10.0.1.0/24 -J 1001
iptables -A INPUT -s 10.0.2.0/24 -J 1002
...

iptables -A 1001 -s 10.0.1.1 -J DROP
iptables -A 1001 -s 10.0.1.2 -J DROP
iptables -A 1001 -s 10.0.1.3 -J DROP
...

that way the amount of rules to check is reduced drasticaly, but the filtering is not.


All times are GMT -5. The time now is 10:44 AM.