LinuxQuestions.org


jonfa 07-31-2006 01:10 PM

block whole IP range with iptables
 
Is this the correct way to block the entire IP with iptables:

/sbin/iptables -I INPUT -s 221.0.0.0/255.0.0.0 -j DROP

For example, will this block, say, the ip address 221.23.56.132 or any ip address starting with 221?

Thanks.

stlouis 07-31-2006 01:35 PM

This is how to block an entire subnet:

# iptables -A INPUT -s 192.168.100.0/24 -j DROP


This is how to block a range of ip's within a subnet:

# iptables -I INPUT -m iprange --src-range 192.168.1.10-192.168.1.13 -j DROP


Or, if you do not want to do this manually, you can edit your /etc/sysconfig/iptables file.

Capt_Caveman 07-31-2006 09:12 PM

If you wanted to block the entire 221.0.0.0-221.255.255.255 range, then use either:

/sbin/iptables -I INPUT -s 221.0.0.0/255.0.0.0 -j DROP
/sbin/iptables -I INPUT -s 221.0.0.0/8 -j DROP

They do the same thing, you're just using CIDR notation instead of netmasks...

Note that using /24 will just block 221.0.0.0-221.0.0.255

Quote:

if you do not want to do this manually, you can edit your /etc/sysconfig/iptables file.

You should never directly edit that file. It's very sensitive to syntax, including things that you can't see (like CRLF characters) which can be very difficult to diagnose. Use iptables-save (or "service iptables save" on RH-ish systems) instead.
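An added example, not from this thread: a small POSIX sh helper that computes offline which source addresses an iptables "-s NETWORK/MASK" argument would match, so the /8 versus /255.0.0.0 versus /24 question above can be checked before a rule is loaded (no iptables binary needed; the function names are my own).

```shell
# Added example, not from the thread: evaluate offline which addresses an
# iptables -s NETWORK/MASK argument covers, so a rule can be sanity-checked
# before it is loaded. Pure POSIX sh; iptables itself is not needed.

ip_to_int() {
    # Dotted quad to 32-bit integer.
    echo "$1" | { IFS=. read -r a b c d
                  echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

mask_to_prefix() {
    # Accept a prefix length (8) or a dotted netmask (255.0.0.0) and return
    # the prefix length, so both spellings of a rule compare identically.
    # Assumes a contiguous netmask.
    case "$1" in
        *.*) m=$(ip_to_int "$1"); n=0
             while [ "$m" -ne 0 ]; do
                 m=$(( (m << 1) & 4294967295 )); n=$(( n + 1 ))
             done
             echo "$n" ;;
        *)   echo "$1" ;;
    esac
}

in_range() {
    # in_range ADDRESS NETWORK/MASK -> prints yes/no, exits 0/1.
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=$(mask_to_prefix "${2#*/}")
    if [ "$prefix" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - prefix)) & 4294967295 )); fi
    if [ $(( addr & mask )) -eq $(( net & mask )) ]; then
        echo yes; return 0
    fi
    echo no; return 1
}

# The thread's question: does the /8 rule (either spelling) cover
# 221.23.56.132, and what does /24 cover instead?
for spec in 221.0.0.0/255.0.0.0 221.0.0.0/8 221.0.0.0/24; do
    printf '%-22s matches 221.23.56.132: ' "$spec"
    in_range 221.23.56.132 "$spec" || true
done
```

The first two specs print yes and the /24 spec prints no, matching the explanation above.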

stlouis 08-01-2006 07:28 AM

My mistake, I meant to put in the /8 bit mask, not the /24 bit mask. I posted my response without re-reading it first.

And Capt_Caveman is right, you really shouldn't edit the /etc/sysconfig/iptables file, unless you really know what you are doing. I just mess around with it for fun... If you do decide to tinker, then make sure you make a backup of the file... Or any other system file you decide to mess with. Always good practice....

Vasili 08-13-2006 05:11 AM

Quote:

This is how to block a range of ip's within a subnet:

# iptables -I INPUT -m iprange --src-range 192.168.1.10-192.168.1.13 -j DROP

I have tried this but my box says

Bad argument '192.168.1.10-192.168.1.13'

neioo 11-19-2008 07:13 AM

I know that this question was asked long ago, but I am replying because I ran into the same error.

The problem is (or can be) that the module ipt_iprange is not loaded in the kernel, so, load it with modprobe or recompile your kernel with iprange (in the netfilter section).

regards

win32sux 11-19-2008 07:37 AM

neioo, please don't resurrect dead threads. Closed.

