Blocking Iptables Ranges
I know I could filter iptables ranges using netmasks.
But they are a pain in the ass to use when all you damn want is to filter something like 1.2.3.5-1.2.5.255 . Does anyone know if there's a way (an iptables module perhaps) which allows me to specify IP ranges like the one above? Any idea really welcome. |
There is a kernel patch from patch-o-matic at www.netfilter.org that allows ranges to be specified just by ip numbers...
But that involves patching a kernel source and rebuilding the kernel... Interested? |
SURE I AM!!
thanks |
try something like this

for ((IPS=11; IPS<=249; IPS++)); do
    $IPTABLES -A INPUT -i $INSIDE -s 192.168.1.$IPS -d 0/0 -p tcp --dport 3128 -j ACCEPT
done

the only thing with this is that it will run the command however many times the range is.. eg if the range is 100-200 it will run the command 100 times.. hope this helps :) Chris www.chrisliveonline.com/security/ |
It's the simplest idea and surely is going to fit for known, small and limited ranges.
But unfortunately that's not my case. I would have to filter out a whole bunch of IP ranges coming out of an external file, which would have to be constantly updated (not by me, perhaps) and which has a format I can't change. At this moment the external file counts over 2K (2000) ranges to be filtered out. Each one of them may contain a big round ass of single host IPs. Just the first one counts 65K hosts to be filtered. And as I said we are talking of thousands. Only occasionally, for single IP ranges from time to time, netmasks or your method could be a real choice. In fact choosing such a way would bring me to flood iptables with I-don't-even-wanna-know rules to take care of. So I damn need something different. However thanks for the advice. Always welcome :) |
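The start-end ranges the question asks about can be split mechanically into the smallest set of aligned netblocks, which removes the netmask pain while staying within stock iptables. The Python script below is an added example, not code from anyone in this thread; it assumes a one-range-per-line file (a constructed sample is embedded) and emits one -s CIDR rule per block.

```python
import ipaddress

# Constructed sample of the external range file: one "start-end" pair per line.
SAMPLE_RANGE_FILE = """\
# ranges to drop (hypothetical)
1.2.3.5-1.2.5.255
10.0.0.0-10.0.0.255
192.168.1.11-192.168.1.249
"""


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of aligned CIDR blocks."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is above its end {last}")
    blocks = []
    while lo <= hi:
        # Largest block whose start is aligned at lo: count trailing zero bits
        # (0.0.0.0 is aligned to every size, so cap at the full 32 bits).
        size = 32 if lo == 0 else (lo & -lo).bit_length() - 1
        # Shrink the block until it also ends at or before the range end.
        while lo + (1 << size) - 1 > hi:
            size -= 1
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{32 - size}")
        lo += 1 << size
    return blocks


def rules_from_ranges(text, chain="INPUT", target="DROP"):
    """Turn a range file into iptables commands, one per CIDR block."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        first, last = (part.strip() for part in line.split("-", 1))
        for block in range_to_cidrs(first, last):
            rules.append(f"iptables -A {chain} -s {block} -j {target}")
    return rules


if __name__ == "__main__":
    for rule in rules_from_ranges(SAMPLE_RANGE_FILE):
        print(rule)
```

Redirecting the printed commands into a script (or feeding them to iptables-restore format) regenerates the rule set whenever the external file changes.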
perhaps it would just be easier to write the rules to allow the ip ranges you do want? |
I just remember something, but I'm not sure where I read it:
if you have A LOT of hosts to filter (either allow or deny or whatever) you might consider using some sort of hash-table. If you put 60000 filter lines underneath each other it'll take a LONG time to check all those rules. Using hash tables it doesn't: eg:

# one user-defined chain per /24, the INPUT rule only dispatches into it
iptables -N 1001
iptables -N 1002
iptables -A INPUT -s 10.0.1.0/24 -j 1001
iptables -A INPUT -s 10.0.2.0/24 -j 1002
...
# the per-host rules live in the sub-chain, so only one /24's worth is checked
iptables -A 1001 -s 10.0.1.1 -j DROP
iptables -A 1001 -s 10.0.1.2 -j DROP
iptables -A 1001 -s 10.0.1.3 -j DROP
...

that way the amount of rules to check is reduced drastically, but the filtering is not. |