LinuxQuestions.org
Old 09-13-2009, 06:19 PM   #1
alpha_hack
Member
Registered: Jul 2007
Location: Sofia, Bulgaria
Distribution: Slackware 13.1 x86_64
Posts: 75
iptables and IP range ban on a specific adapter


Hey everybody,

I'm trying to make a ban script with iptables but I'm not having much luck right now.
What exactly I'm trying to do is to ban a range of IPs on an adapter.
Let's say I want to drop all connections from 192.168.1.10 to 192.168.1.20. How should I do that ?
I thought that
Code:
local="eth0"
IPTABLES="/usr/sbin/iptables"
ports="21:79"
source="192.168.1.10-192.168.1.20"

$IPTABLES -I INPUT -p tcp -i $local --dport $ports -m iprange --src-range $source -j DROP
would do the trick, but apparently I was mistaken. If I remove "--src-range" from the above code it works fine, but it just isn't working with --src-range.

Could you enlighten me what's the correct command ?

Thanks in advance,
alpha_hack
Old 09-14-2009, 03:27 PM   #2
salasi
Senior Member
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070
from 'man iptables'

Quote:
PARAMETERS
The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands)....


[!] -s, --source address[/mask]
Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote
query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a
plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!"
argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.
I don't see any sign of the syntax ' source="192.168.1.10-192.168.1.20"', which is what you are effectively trying to use. Maybe a look at the tutorial at frozentux http://iptables-tutorial.frozentux.net/ will answer that question definitively.
Old 09-14-2009, 04:46 PM   #3
alpha_hack
Original Poster
Quote:
Originally Posted by salasi
from 'man iptables'

I don't see any sign of the syntax ' source="192.168.1.10-192.168.1.20"', which is what you are effectively trying to use. Maybe a look at the tutorial at frozentux http://iptables-tutorial.frozentux.net/ will answer that question definitively.
If you look at "man iptables" you'd see "--src-range". When you use that option you can define by hand from which IP to which IP the range goes. If you use only -s you'd be using a mask behind it.
As in the example from the man page: 192.168.1.0/24 would be equal to 192.168.1.1-192.168.1.255.
Old 09-15-2009, 04:03 AM   #4
salasi
Senior Member
Quote:
Originally Posted by alpha_hack
...As in the example from the man page: 192.168.1.0/24 would be equal to 192.168.1.1-192.168.1.255.
But you are not using 192.168.1.0/24, which is a syntax that is mentioned in that section of the man page that I quoted earlier; you are using 192.168.1.10-192.168.1.20, which isn't mentioned.

Now you may well think that 192.168.1.10-192.168.1.20 ought to work and just be an alias for the /24 form, but the evidence seems to be that it isn't recognised.
Old 09-16-2009, 11:00 AM   #5
alpha_hack
Original Poster
Quote:
Originally Posted by salasi
But you are not using 192.168.1.0/24, which is a syntax that is mentioned in that section of the man page that I quoted earlier; you are using 192.168.1.10-192.168.1.20, which isn't mentioned.

Now you may well think that 192.168.1.10-192.168.1.20 ought to work and just be an alias for the /24 form, but the evidence seems to be that it isn't recognised.
192.168.1.10-192.168.1.20 wouldn't work as an alias for /24. /24 is CIDR notation.
I think I didn't make myself clear in my previous post. I was just trying to make a comparison between /24 and --src-range so you'd better understand what I'm trying to do.

I want to be able to drop only a certain IP range. Therefore I should be using "--src-range", which is used for an IP address range -> "192.168.1.10-192.168.1.20".
But my problem comes from the network adapter. I want to be able to ban that range on a certain network adapter.

If you try this code:
Code:
IPTABLES="/usr/sbin/iptables"
# variable name matches the $ports expansion used in the rule below
ports="21:79"
source="192.168.1.10-192.168.1.20"
$IPTABLES -I INPUT -p tcp --dport $ports -m iprange --src-range $source -j DROP
It'll ban that IP address range on all interfaces, and it works just fine; I've been using it for about a year. But now I need to extend the code so it fits my needs again.
Maybe this is not the right approach, but I just can't think of anything else that would do the same thing. If I use the CIDR notation I'd be banning a subnet of 254 / 252 / 248 / 240 / 224 / 192 / 128 or 256 hosts, depending on whether you enter /24, /25, etc. I don't need to ban a subnet. I need to ban a range of IPs on a network adapter.

Does anybody know how to do that ?
Old 09-16-2009, 06:54 PM   #6
alpha_hack
Original Poster
Thanks for the help.
I've managed to get what I needed.
If you are trying to do something like me this is the way you should go:

Code:
IPTABLES='/usr/sbin/iptables'
source='192.168.11.10-192.168.11.20'
# --destination-port takes port[:port]; a ':' separates the range ends
ports='21:80'
local='eth0'

$IPTABLES -t filter -I INPUT -p tcp -i $local -m iprange --src-range $source --destination-port $ports -j DROP
$IPTABLES -t filter -I INPUT -p udp -i $local -m iprange --src-range $source --destination-port $ports -j DROP
iptables -t filter -nvL
Code:
Chain INPUT (policy DROP 3 packets, 217 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           source IP range 192.168.11.10-192.168.11.20 udp dpts:21:80
    5   272 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           source IP range 192.168.11.10-192.168.11.20 tcp dpts:21:80
Works fine for me.
Hopefully I helped you. :P


More info at http://iptables-tutorial.frozentux.n...-tutorial.html

Last edited by alpha_hack; 10-05-2009 at 02:45 PM.
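As an added example that is not code from the thread: a small Python helper that builds the per-interface rules from post #6 for any first-last range, validates the range first, and also shows the plain -s form that posts #4 and #5 compare the range against. An arbitrary range is a union of a few CIDR blocks, so it can be expressed without the iprange match as several -s rules. The iptables path /usr/sbin/iptables is taken from the posts; everything else is assumed.

```python
# Added example (not from the thread): build iptables DROP rules for an
# arbitrary source range on one interface. Assumes /usr/sbin/iptables as in
# the posts; rules are returned as strings for review, not executed.
import ipaddress
import shlex

IPTABLES = "/usr/sbin/iptables"


def check_range(first, last):
    """Validate a first-last pair the way --src-range expects it."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version:
        raise ValueError("range endpoints must be the same IP version")
    if lo > hi:
        raise ValueError(f"range start {lo} is above range end {hi}")
    return lo, hi


def iprange_rules(iface, first, last, ports="21:79", protos=("tcp", "udp")):
    """One rule per protocol with the iprange match, as in post #6.
    Port ranges use ':' (port[:port]); that is the form --dport parses."""
    lo, hi = check_range(first, last)
    return [
        f"{IPTABLES} -t filter -I INPUT -p {proto} -i {shlex.quote(iface)} "
        f"-m iprange --src-range {lo}-{hi} --dport {ports} -j DROP"
        for proto in protos
    ]


def cidr_rules(iface, first, last, ports="21:79", proto="tcp"):
    """The same range with plain -s, for a kernel without xt_iprange.
    Any range is a union of a few CIDR blocks, so the one iprange rule
    becomes several -s rules (four for .10-.20)."""
    lo, hi = check_range(first, last)
    blocks = [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
    rules = [
        f"{IPTABLES} -t filter -I INPUT -p {proto} -i {shlex.quote(iface)} "
        f"-s {block} --dport {ports} -j DROP"
        for block in blocks
    ]
    return blocks, rules


if __name__ == "__main__":
    print("\n".join(iprange_rules("eth0", "192.168.1.10", "192.168.1.20")))
    blocks, rules = cidr_rules("eth0", "192.168.1.10", "192.168.1.20")
    print("CIDR blocks covering the range:", ", ".join(blocks))
    print("\n".join(rules))
```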