need some small help with iptables

David A. Sinck plug-discuss@lists.plug.phoenix.az.us
Thu, 22 Aug 2002 09:23:22 -0700


\_ SMTP quoth technomage on 8/22/2002 09:01 as having spake thusly:
\_
\_ ok, I got most of the basics down.
\_ when I want to deny an ip or all of an ip block (last numbers only) I can do:
\_ iptables -A INPUT -s xxx.yyy.zzz.0/24 -j DROP
\_ and it takes care of the entire ip block.
\_ 
\_ However, I want to block entire ranges where I have XX.YY.0.0 between 
\_ xx.yy.0.0 and xx.yy.255.255. what's the netmask notation for this?

The /24 means mask 24 bits worth.  So, in a 32 bit address broken into
4 parts, each 'quad' is 8 bits.  3 * 8 = 24 hence x.y.z.0/24 blocks
the entire x.y.z block.  /16 just does the first two quads, and so on.

\_ also, what's the notation if I want to block a partial range on the last 
\_ digits (like xxx.yyy.zzz.aaa-bbb where aaa= low end and bbb= high end)?

It depends.  Iptables *might* take a range of IPs.  YMMV.  

\_ some things are just not explained in the iptables howto
\_ 
\_ here are the addresses I really wish to block:
\_ 
\_ 65.218.172.208-223
\_ 63.99.64.64-127
\_ 65.192.*
\_ 65.118.41.192-223
\_ 63.148.99.224-255
\_ 63.64.*
\_ 209.244.*

See also tcp_wrappers and /etc/hosts.allow /etc/hosts.deny.

If you're careful you can also say things like /27 and stuff, but
that's counting bits and is left as an exercise for the reader.  :-)

You could just block entire /24 nets and not worry about it rather
than doing math.  But that's just me taking the lazy, sorry your IP
sucks method.  :-)

See also the NET4-HOWTO or some such, I think it covers netmasks
better than the three sentences above.

David
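The bit-counting David leaves as an exercise, as an added example that is not part of the list post: split an inclusive range written in technomage's shorthand (65.218.172.208-223 or 65.192.*) into the fewest aligned CIDR blocks and emit one DROP rule per block. The shorthand parser and the `iptables -A INPUT ... -j DROP` rule shape are assumptions taken from the post's own notation.

```python
import ipaddress

def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def range_to_cidrs(start: str, end: str) -> list[str]:
    """Cover [start, end] with the fewest CIDR blocks.
    A /p block is 2**(32-p) addresses and must start on a multiple of its size,
    so at each step we take the largest block that starts exactly at lo and
    still fits inside the range."""
    lo, hi = ip_to_int(start), ip_to_int(end)
    if lo > hi:
        raise ValueError("range start must not exceed range end")
    blocks = []
    while lo <= hi:
        prefix = 32
        while prefix > 0:
            size = 1 << (33 - prefix)          # size of the next larger block (/prefix-1)
            if lo & (size - 1) or lo + size - 1 > hi:
                break                          # misaligned, or would spill past hi
            prefix -= 1
        blocks.append(f"{int_to_ip(lo)}/{prefix}")
        lo += 1 << (32 - prefix)
    return blocks

def parse_shorthand(spec: str) -> tuple[str, str]:
    """Expand the post's notation: 'a.b.c.x-y' (last octet range) or 'a.b.*'.
    Assumed format, modelled on the address list in the original mail."""
    if spec.endswith(".*"):
        octets = spec[:-2].split(".")
        fill = 4 - len(octets)
        return ".".join(octets + ["0"] * fill), ".".join(octets + ["255"] * fill)
    head, last = spec.rsplit(".", 1)
    lo_s, hi_s = last.split("-")
    return f"{head}.{lo_s}", f"{head}.{hi_s}"

def iptables_rules(spec: str) -> list[str]:
    start, end = parse_shorthand(spec)
    return [f"iptables -A INPUT -s {cidr} -j DROP" for cidr in range_to_cidrs(start, end)]

def matches_stdlib(start: str, end: str) -> bool:
    """Cross-check our bit counting against the standard library's summarizer."""
    lib = ipaddress.summarize_address_range(ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
    return range_to_cidrs(start, end) == [str(net) for net in lib]

if __name__ == "__main__":
    for spec in ["65.218.172.208-223", "63.99.64.64-127", "65.192.*", "65.118.41.192-223"]:
        print("\n".join(iptables_rules(spec)))
```

Every range in the post happens to be a single aligned block, so each yields one rule; a misaligned range such as 10.0.0.3-10.0.0.6 splits into three. Newer iptables can also match a literal range with `-m iprange --src-range`, which avoids the splitting altogether.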