Re: Blocking Ip address ranges

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> I'm thinking of setting up a rule in Iptables to point to a
> file which I can easily add the IP addresses that I need
> to block. Is this possible and what would be the syntax?

If you really want to set up something so you can block a large number
of IP addresses and you have the patience to keep up, yes you could
set up some simple scripts to help you automate the iptables config.

Note though that you'll probably want to structure iptables with several
chains to help reduce the inefficiency caused by a large number of
rules.  For example, you might want a separate chain for each of the
possible 256 first-octets.  This should get you started and give you some
ideas (it can be improved upon too).

iptables -N web_block_1
iptables -N web_block_2
...
iptables -N web_block_255

Then create a chain just to dispatch these (so non-web traffic
doesn't have to go through all these rule checks),

iptables -N web_block

Then link it into your input chain too,

iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block
iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block

Finally in your web_block chain dispatch for each octect,

iptables -A web_block -s 1.0.0.0/8 -j web_block_1
iptables -A web_block -s 2.0.0.0/8 -j web_block_2
...
iptables -A web_block -s 255.0.0.0/8 -j web_block_255



Then you'd add specific IP addresses (or netblocks), as

  iptables -A block_192 -s 192.168.1.1 -j REJECT


Also if your script updates, be sure to also run iptables_save
so your entries survive reboot.


Keep in mind though that iptables blocking is the *harsh*
way to do this.  Less drastic would be to 1. ignore the logs,
2. reduce the logging level, 3. look at Apache's Deny
directive.
-- 
Deron Meranda


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux