SMTP quoth technomage on 8/22/2002 09:01 as having spake thusly:
>
> ok, I got most of the basics down.
> when i want to deny an ip or all of an ip block (last numbers only) I can do:
> iptables -A INPUT -s xxx.yyy.zzz.0/24 -j DROP
> and it takes care of the entire ip block.
>
> However, I want to block entire ranges where I have XX.YY.0.0 between
> xx.yy.0.0 and xx.yy.255.255. what's the netmask notation for this?

The /24 means mask 24 bits worth. So, in a 32 bit address broken into 4 parts, each 'quad' is 8 bits. 3 * 8 = 24, hence x.y.z.0/24 blocks the entire x.y.z block. /16 just does the first two quads, and so on.

> also, what's the notation if I want to block a partial range on the last
> digits (like xxx.yyy.zzz.aaa-bbb where aaa= low end and bbb= high end)?

It depends. Iptables *might* take a range of ips. YMMV.

> some things are just not explained in the iptables howto
>
> here are the addresses I really wish to block:
>
> 65.218.172.208-223
> 63.99.64.64-127
> 65.192.*
> 65.118.41.192-223
> 63.148.99.224-255
> 63.64.*
> 209.244.*

See also tcp_wrappers and /etc/hosts.allow /etc/hosts.deny.

If you're careful you can also say things like /27 and stuff, but that's counting bits and is left as an exercise for the reader. :-)

You could just block entire /24 nets and not worry about it rather than doing math. But that's just me taking the lazy, sorry your IP sucks method. :-)

See also the NET4-HOWTO or some such, I think it covers netmasks better than the three sentences above.

David
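The "counting bits" that David leaves as an exercise, worked through as an added example (not code from either poster): it parses the address list from the post in its mixed notations, greedily carves each inclusive range into the largest aligned CIDR blocks, and emits the matching iptables DROP rules. The address list is copied from the thread; the helper names are this example's own.

```python
import ipaddress

# Address list from the post, in the poster's notations (constructed here
# as a plain list; nothing is applied to any host).
WANTED = ["65.218.172.208-223", "63.99.64.64-127", "65.192.*",
          "65.118.41.192-223", "63.148.99.224-255", "63.64.*", "209.244.*"]

def parse_range(spec):
    """Turn one of the post's notations into an inclusive (first, last) pair."""
    if spec.endswith(".*"):
        # Trailing wildcard: the remaining octets run 0..255.
        head = spec[:-2].split(".")
        missing = 4 - len(head)
        first = ".".join(head + ["0"] * missing)
        last = ".".join(head + ["255"] * missing)
    elif "-" in spec:
        # Partial range on the last octet, e.g. a.b.c.208-223.
        prefix, lo_hi = spec.rsplit(".", 1)
        lo, hi = lo_hi.split("-")
        first, last = f"{prefix}.{lo}", f"{prefix}.{hi}"
    else:
        first = last = spec
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)

def range_to_cidrs(first, last):
    """Count the bits by hand: from `first`, repeatedly take the largest block
    whose size is a power of two, that starts on a multiple of its size
    (so the host bits are all zero) and does not run past `last`."""
    blocks, cur, end = [], int(first), int(last)
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        prefix = 32 - (size.bit_length() - 1)   # size == 2**(32 - prefix)
        blocks.append(ipaddress.IPv4Network((cur, prefix)))
        cur += size
    return blocks

def agrees_with_stdlib(first, last):
    """Cross-check the hand-rolled split against the standard library."""
    return range_to_cidrs(first, last) == list(
        ipaddress.summarize_address_range(first, last))

def iptables_rules(specs):
    """One DROP rule per CIDR block, in the form used in the post."""
    return [f"iptables -A INPUT -s {net} -j DROP"
            for spec in specs for net in range_to_cidrs(*parse_range(spec))]

if __name__ == "__main__":
    print("\n".join(iptables_rules(WANTED)))
```

Ranges that do not start on an aligned boundary (say .1-.6) come out as several blocks rather than one, which is exactly the case where blocking the whole /24 is the simpler option David mentions.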