Blocking IP address ranges

Robert Slade fedora at bathnetworks.com
Tue Jan 25 21:29:48 UTC 2005


Thanks to you and the others who replied (especially Deron), you have
given me something to think about here.

Rob

On Tue, 2005-01-25 at 18:29, Banjo Mailing List wrote:
> Or use portsentry. If you need any help with how to do it, tell me.
> 
> 
> On Tue, 25 Jan 2005 12:56:15 -0500, Deron Meranda
> <deron.meranda at gmail.com> wrote:
> > > I'm thinking of setting up a rule in Iptables to point to a
> > > file which I can easily add the IP addresses that I need
> > > to block. Is this possible and what would be the syntax?
> > 
> > If you really want to set up something so you can block a large number
> > of IP addresses and you have the patience to keep up, yes you could
> > set up some simple scripts to help you automate the iptables config.
> > 
> > Note though that you'll probably want to structure iptables with several
> > chains to help reduce the inefficiency caused by a large number of
> > rules.  For example, you might want a separate chain for each of the
> > possible 256 first-octets.  This should get you started and give you some
> > ideas (it can be improved upon too).
> > 
> > iptables -N web_block_1
> > iptables -N web_block_2
> > ...
> > iptables -N web_block_255
> > 
> > Then create a chain just to dispatch these (so non-web traffic
> > doesn't have to go through all these rule checks),
> > 
> > iptables -N web_block
> > 
> > Then link it into your input chain too,
> > 
> > iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block
> > iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block
> > 
> > Finally in your web_block chain dispatch for each octet,
> > 
> > iptables -A web_block -s 1.0.0.0/8 -j web_block_1
> > iptables -A web_block -s 2.0.0.0/8 -j web_block_2
> > ...
> > iptables -A web_block -s 255.0.0.0/8 -j web_block_255
> > 
> > Then you'd add specific IP addresses (or netblocks), as
> > 
> >   iptables -A web_block_192 -s 192.168.1.1 -j REJECT
> > 
> > Also if your script updates, be sure to also run iptables-save
> > so your entries survive reboot.
> > 
> > Keep in mind though that iptables blocking is the *harsh*
> > way to do this.  Less drastic would be to 1. ignore the logs,
> > 2. reduce the logging level, 3. look at Apache's Deny
> > directive.
> > --
> > Deron Meranda
> > 
> > --
> > fedora-list mailing list
> > fedora-list at redhat.com
> > To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> >
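The per-octet chain layout Deron sketches, turned into a script that reads the blocklist file Rob asked about and prints the matching iptables commands. This is an added example, not code from the thread; the file format (one IPv4 address or netblock per line, `#` comments allowed), the `eth0` interface and the `web_block` chain names carried over from the thread are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn a blocklist file into the
# per-first-octet iptables chain layout described above. Prints the
# commands instead of running them, so the output can be reviewed first.
# Assumes a fresh ruleset (no web_block chains yet) and IPv4 entries only.

# Emit the REJECT rule for one address or CIDR, dispatched by first octet.
# Returns non-zero (and prints nothing) for entries that are not IPv4-like.
rule_for() {
    octet=${1%%.*}
    case $octet in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -ge 1 ] && [ "$octet" -le 255 ] || return 1
    printf 'iptables -A web_block_%s -s %s -j REJECT\n' "$octet" "$1"
}

# Read a blocklist and print the full command sequence: dispatch chain and
# INPUT hooks first, then each per-octet chain created on first use,
# followed by the entries that belong to it.
generate_rules() {
    seen=" "                                   # octets that already have a chain
    printf 'iptables -N web_block\n'
    printf 'iptables -I INPUT -i eth0 -p tcp --dport 80 -j web_block\n'
    printf 'iptables -I INPUT -i eth0 -p tcp --dport 443 -j web_block\n'
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                      # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if ! rule=$(rule_for "$entry"); then
            printf 'skipping invalid entry: %s\n' "$entry" >&2
            continue
        fi
        octet=${entry%%.*}
        case $seen in
            *" $octet "*) ;;                   # chain already created
            *)
                seen="$seen$octet "
                printf 'iptables -N web_block_%s\n' "$octet"
                printf 'iptables -A web_block -s %s.0.0.0/8 -j web_block_%s\n' "$octet" "$octet"
                ;;
        esac
        printf '%s\n' "$rule"
    done < "$1"
}

# Usage: sh blocklist-rules.sh blocklist.txt   (pipe into sh once reviewed)
if [ $# -ge 1 ]; then
    generate_rules "$1"
fi
```

Entries that fail the first-octet check are reported on stderr and skipped rather than aborting the whole run, so one bad line in the file cannot leave the chains half built.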
