Blocking IP address ranges
Deron Meranda
deron.meranda at gmail.com
Tue Jan 25 17:56:15 UTC 2005
> I'm thinking of setting up a rule in Iptables to point to a
> file which I can easily add the IP addresses that I need
> to block. Is this possible and what would be the syntax?
If you really want to set up something so you can block a large number
of IP addresses and you have the patience to keep up, yes you could
set up some simple scripts to help you automate the iptables config.
Note though that you'll probably want to structure iptables with several
chains to help reduce the inefficiency caused by a large number of
rules. For example, you might want a separate chain for each of the
possible 256 first-octets. This should get you started and give you some
ideas (it can be improved upon too).
iptables -N web_block_1
iptables -N web_block_2
...
iptables -N web_block_255
Then create a chain just to dispatch these (so non-web traffic
doesn't have to go through all these rule checks),
iptables -N web_block
Then link it into your input chain too,
iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block
iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block
Finally in your web_block chain dispatch for each octet,
iptables -A web_block -s 1.0.0.0/8 -j web_block_1
iptables -A web_block -s 2.0.0.0/8 -j web_block_2
...
iptables -A web_block -s 255.0.0.0/8 -j web_block_255
Then you'd add specific IP addresses (or netblocks), as
iptables -A web_block_192 -s 192.168.1.1 -j REJECT
Also if your script updates, be sure to also run iptables-save
so your entries survive reboot.
Keep in mind though that iptables blocking is the *harsh*
way to do this. Less drastic would be to 1. ignore the logs,
2. reduce the logging level, 3. look at Apache's Deny
directive.
--
Deron Meranda
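The per-octet dispatch scheme described in the reply above, as an added example that is not part of the original post: a small POSIX shell script that generates the chain setup and the REJECT rules from a plain-text block list instead of typing them by hand. It assumes the chain names web_block and web_block_<first octet> from the post, the interface name eth0, and a block list with one IPv4 address or CIDR per line (with # comments). The functions only print iptables commands so the result can be reviewed first and then piped to sh as root; entries that are malformed, or whose first octet is 0 (no dispatch chain exists for them, and 0.0.0.0/0 would reject everything), are reported on stderr and skipped rather than installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the iptables
# commands for the per-first-octet dispatch scheme; nothing here runs
# iptables itself. Assumed names: web_block, web_block_<octet>, eth0.

# Print the commands that create the dispatcher, the 255 per-octet chains,
# the /8 dispatch rules, and the INPUT hooks for HTTP and HTTPS.
gen_chain_setup() {
    echo "iptables -N web_block"
    i=1
    while [ "$i" -le 255 ]; do
        echo "iptables -N web_block_$i"
        echo "iptables -A web_block -s $i.0.0.0/8 -j web_block_$i"
        i=$((i + 1))
    done
    echo "iptables -I INPUT -i eth0 -p tcp --dport 80 -j web_block"
    echo "iptables -I INPUT -i eth0 -p tcp --dport 443 -j web_block"
}

# Return 0 if $1 is a plausible IPv4 address or CIDR (four octets 0-255,
# optional /0-32 prefix), 1 otherwise.
valid_entry() {
    entry=$1
    case "$entry" in
        ""|*[!0-9./]*) return 1 ;;
    esac
    ip=${entry%%/*}
    prefix=32
    case "$entry" in
        */*) prefix=${entry#*/} ;;
    esac
    [ -n "$prefix" ] && [ "$prefix" -le 32 ] 2>/dev/null || return 1
    n=0
    old_ifs=$IFS
    IFS=.
    for o in $ip; do
        n=$((n + 1))
        if [ -z "$o" ] || [ "$o" -gt 255 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Read a block list on stdin and print one REJECT rule per valid entry,
# appended to the chain for that entry's first octet. Comments (#) and
# blank lines are ignored; bad entries are reported on stderr and skipped.
gen_block_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if ! valid_entry "$entry"; then
            echo "skipping invalid entry: $line" >&2
            continue
        fi
        octet=${entry%%.*}
        if [ "$octet" -eq 0 ]; then
            echo "skipping $entry: no dispatch chain for first octet 0" >&2
            continue
        fi
        echo "iptables -A web_block_$octet -s $entry -j REJECT"
    done
}

# Constructed sample block list (documentation ranges, not real data).
# Usage as root, after reviewing the output:
#   sh this_script.sh > rules.sh && sh rules.sh && iptables-save > /etc/iptables.rules
gen_chain_setup
gen_block_rules <<'EOF'
# addresses to reject on ports 80/443
192.0.2.10          # single host
198.51.100.0/24     # whole netblock
300.1.1.1           # invalid octet, skipped
10.0.0.256          # invalid octet, skipped
0.0.0.0/0           # would match everything, skipped
EOF
```

Regenerating the whole rule set from the list and reloading it is simpler than editing live chains one rule at a time, and keeping the generated script under version control gives a record of what was blocked and when.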