Understanding CIDR notation for iptables
I live in university dorms on a campus and connect through the university network to the internet. My IP address is assigned by DHCP.
My personal web server is located at a remote location, and I use Putty SSH to connect to it frequently. What I'd really like is to make a rule in iptables that allows ssh connection attempts only from my computer; however, since my IP address changes often, I will just make a rule that allows attempts from any possible campus address. That at least limits potential bogus connection attempts to several thousand people instead of several billion. Now, I am a bit confused about how to do this. From what I can tell, my IP address always begins with 137 or 138. I'd have to pay closer attention for a while to see which other numbers remain fixed in my address. So for now I have settled with the range 137.0.0.1 to 138.255.255.255. That probably covers a lot more than just my campus here, but it's okay for now. I have used an entry such as:
So I have two questions: Would there be any difference in the performance of the latter rule over the former? What would be the correct CIDR notation for that IP range? I'd even be willing to learn how to do it myself (heaven forbid) so that I can modify it by myself in the future, but I have found several online tutorials to be a bit vague.
I wouldn't use iptables myself, but tcpwrappers: http://closedsrc.org/_static/dn-arti...sts_allow.html
Much simpler. You'd do well to properly utilize the other parts of ssh though... use a private key instead of a password to authenticate, then it doesn't matter who connects from wherever; if they don't have your key, they'll never get in... Also, as a note on your iptables code, it's the destination port that is 22, not the source port. And the correct CIDR would be /8: 12345678.xxxxxxxx.xxxxxxxx.xxxxxxxx
For example, suppose I want to know the correct notation for the network of 137.123.123.123/8. Then I would do a bitwise AND like so:
Code:
137.123.123.123 = 10001001.01111011.01111011.01111011
As for performance, it is obviously easier for a computer to match a range in CIDR notation than an arbitrary range. However, when your CIDR notation range is unnecessarily twice as large, it is a trade-off.
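As an added example (not code from any poster in this thread), the Python below does the bitwise AND the post above describes and also splits an arbitrary first..last range into the fewest CIDR blocks, which shows why 137.x plus 138.x needs two /8 rules rather than one: 137 is odd, so a /7 starting there is not aligned and would cover 136.0.0.0/7 instead. It assumes only the Python standard library.

```python
import ipaddress

def dotted_binary(ip: str) -> str:
    """Render an IPv4 address as dotted 8-bit binary, the way the post writes it."""
    return ".".join(f"{b:08b}" for b in ipaddress.IPv4Address(ip).packed)

def network_of(ip: str, prefix: int) -> str:
    """Bitwise-AND the address with the /prefix mask to get its network."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return f"{ipaddress.IPv4Address(addr & mask)}/{prefix}"

def range_to_cidrs(first: str, last: str) -> list[str]:
    """Cover first..last (inclusive) with the fewest CIDR blocks.

    Starting at `first`, each block is the largest power-of-two size that is
    aligned on the current address and does not run past `last`.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    blocks = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        prefix = 33 - size.bit_length()  # size == 2 ** (32 - prefix)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += size
    return blocks

def range_to_cidrs_stdlib(first: str, last: str) -> list[str]:
    """Same result via the standard library, used as a cross-check."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]

if __name__ == "__main__":
    print(dotted_binary("137.123.123.123"))
    print(network_of("137.123.123.123", 8))  # 137.0.0.0/8
    print(network_of("137.123.123.123", 7))  # 136.0.0.0/7: a /7 here pulls in 136.x
    # The range from the first post, once starting at .0 and once at .1 as written:
    for a, b in [("137.0.0.0", "138.255.255.255"), ("137.0.0.1", "138.255.255.255")]:
        print(a, "-", b, "->", range_to_cidrs(a, b))
```

Starting the range at 137.0.0.1 instead of 137.0.0.0 costs 25 blocks instead of 2, which is the kind of thing ipcalc will also point out.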
ipcalc can be your friend while you are learning subnetting and CIDR notation.
Code:
debianetch:~$ ipcalc 137.0.0.1/8