LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-03-2004, 03:56 PM   #1
SuperSadSmile
Member
 
Registered: Sep 2002
Location: Italy
Distribution: MDK9
Posts: 45

Rep: Reputation: 15
Blocking Iptables Ranges


I know i could filter iptables' ranges using netmasks.
But they are a pain in the ass to use when all the damn you want is just to filter something like 1.2.3.5-1.2.5.255 .

Does exists someone who knows if there's a way (an iptables' module perhaps) which allows me to specify ip ranges like that above?

Any idea really welcome.
 
Old 02-04-2004, 02:48 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
There is a kernel patch from patch-o-matic at www.netfilter.org that allows ranges to be specified just by ip numbers...

But that involves patching a kernel source and rebuilding the kernel...
Interested?
 
Old 02-05-2004, 10:35 AM   #3
SuperSadSmile
Member
 
Registered: Sep 2002
Location: Italy
Distribution: MDK9
Posts: 45

Original Poster
Rep: Reputation: 15
SURE I AM!!

thanks
 
Old 02-06-2004, 02:20 AM   #4
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
try something like this

for ((IPS=11;IPS<=249;IPS++))
do
$IPTABLES -A INPUT -i $INSIDE -s 192.168.1.$IPS -d 0/0 -p tcp --dport 3128 -j ACCEPT
done

the only thing with this is that it will run the command however many times the range is..

eg if the rang is 100-200 it will run the command 100 times..

hope this helps

Chris
www.chrisliveonline.com/security/
 
Old 02-06-2004, 05:28 AM   #5
SuperSadSmile
Member
 
Registered: Sep 2002
Location: Italy
Distribution: MDK9
Posts: 45

Original Poster
Rep: Reputation: 15
It's the simplest idea and surely is going to fit for known, small and limited ranges.
But unfortunately that's not my case.

I should have to filter out a whole bunch of ipranges coming out from an external file, which would have to be costantly updated (not by me, perhaps) and which has a format i can't change.

At this moment the external file counts over 2K (2000) ranges to be filtered out.
Each one of them may count a big round ass of single host's ip.
Just the first one counts 65K hosts to be filtered.
And as i said we are talking of thousands. Only occasionaly, for single ipranges by time to time, netmasks or your method could be a real choiche.
In fact choosing such a way would bring me to flood iptables with i-don't-even-wanna-know rules to take care of.
So i damn need somthing different.


However thanks for the advise.
Always welcome

Last edited by SuperSadSmile; 02-06-2004 at 05:38 AM.
 
Old 02-08-2004, 07:01 PM   #6
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
perhaps would just be easier to write the rules to allow ip ranges you do want?
 
Old 02-09-2004, 02:57 AM   #7
nielchiano
Member
 
Registered: Feb 2004
Location: 50N 3E
Distribution: Gentoo
Posts: 64

Rep: Reputation: 15
I just remember something, but I'm not sure where I read it:

if you have A LOT of hosts to filer from (either allow or deny or whatever) you might consider using some sort of hash-table.
If you put 60000 filter lines underneath eachother it'll take a LONG time to check all those rules.
Using hash tables it doesn't: eg:

iptables -A INPUT -s 10.0.1.0/24 -J 1001
iptables -A INPUT -s 10.0.2.0/24 -J 1002
...

iptables -A 1001 -s 10.0.1.1 -J DROP
iptables -A 1001 -s 10.0.1.2 -J DROP
iptables -A 1001 -s 10.0.1.3 -J DROP
...

that way the amount of rules to check is reduced drasticaly, but the filtering is not.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
blocking an IP using iptables picox Linux - Security 7 12-10-2010 02:00 PM
Forwarding port ranges using iptables --to ? ivj Linux - Networking 13 10-13-2004 03:05 AM
Blocking IP Address ranges in dhcpd.conf pmcdaid Linux - Networking 4 06-09-2004 09:18 AM
blocking MSN using iptables? systemgsr Linux - Networking 16 09-04-2003 11:59 AM
Blocking Kazaa with Iptables, Anyone? markng Linux - Security 6 06-27-2003 06:35 PM


All times are GMT -5. The time now is 03:23 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration