  1. #1
    Just Joined!
    Join Date
    Apr 2012
    Posts
    3

    iptables help


    Good morning, I have a website and was wondering how do I block a range of IPs using iptables.

    For example, I wanted to block all IPs that begin with 200.*, so they are unable to access the site.

    Sorry for my bad English, and thanks in advance.

  2. #2
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    888
    Hello!
    This is not too difficult at all.
    First, go to www.arin.net. Next, in the upper right-hand corner of the page, type in the IP you want blocked. For instance, 200.0.0.0. On the resulting page, it will provide the "CIDR" 200.0.0.0/8.
    Now, in your terminal, type the following
    iptables -A INPUT -s 200.0.0.0/8 -j DROP
    That will drop all incoming traffic from that IP range.
    I suggest using the whois lookup on arin.net because some IP ranges are not /8, and I'm not sure how iptables would respond.

    Also, keep in mind, if you're running Debian, these settings won't be saved after reboot. I'm not sure how other distros behave by default. I want to say RHEL/Cent/SL will save your settings by default, but those are typically deny-all type settings by default, so I'm guessing that's not the case for you.
    If you're running a desktop distro, such as Ubuntu or Fedora, there are a few good GUI utils out there if you prefer. A little bit easier to administer f

  3. #3
    Just Joined!
    Join Date
    Apr 2012
    Posts
    3
    Thank you very much, but I need to block several ranges of IPs, and accept only IPs 189.* and 187.*.

    Is there some iptables rule that blocks all IPs from the internet and accepts only those IPs starting with 189 and 187?

  4. #4
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    888
    Hello,

    That's no problem at all. First, you want to make sure you set your rules for things that are allowed.
    iptables -A INPUT -s 189.0.0.0/8 -j ACCEPT
    iptables -A INPUT -s 187.0.0.0/8 -j ACCEPT


    That will allow all inbound connections from any IPs in the range 189.0.0.0-189.255.255.255, and the same for 187. This is typically not the most appropriate scenario, as you should only have open what you need, such as ssh, etc. Google can tell you more info on which specific ports you need for which services.

    You should also do:
    iptables -A OUTPUT -d <youriphere> -j ACCEPT

    Now, you're allowing inbound and outbound traffic for your IP ranges explicitly. Now, to lock down iptables, and only allow what you explicitly approve:
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP

    The above command will change your default policy to DROP for all connections, unless you have a rule explicitly allowing them. There is a 3rd category "FORWARD" (INPUT,OUTPUT,FORWARD), but I'm not sure what the appropriate settings are for that one.

    If you make a mistake, and need to start over, use
    iptables -F
    That will clear all of your rules.
    If this is a remote system, it's imperative you set the rules to allow connection before you run the 'iptables -P INPUT DROP' or you'll be locked out. I suggest after you run each command:
    iptables -L
    and make sure your entries are there, and something funny didn't happen.

  5. #5
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by mizzle:
    > Now, in your terminal, type the following
    > iptables -A INPUT -s 200.0.0.0/8 -j DROP
    While the idea is correct, the rule is not the one you want to be using. -A adds the rule to the bottom of the chain, thus all rules above will be matched first. What you wanted to use is -I. This would insert the rule as the first in the chain, and this is really where you want this type of rule, as you want to drop all traffic from these IP addresses without them filtering through your other rules, where the chance is they might match and be accepted. All rules are read from top to bottom in a chain.

    The rule should read:
    Code:
    iptables -I INPUT -s 200.0.0.0/8 -j DROP

    > I suggest using the whois lookup on arin.net because some IP ranges are not /8, and I'm not sure how iptables would respond.
    This is a range, and IPTABLES looks at it as a range. IPTABLES doesn't care about net/host, just the range. Thus you could put 192.0.0.0/8 in, and every IP address that starts with 192 would match.

    > Also, keep in mind, if you're running Debian, these settings won't be saved after reboot. I'm not sure how other distros behave by default. I want to say RHEL/Cent/SL will save your settings by default, but those are typically deny-all type settings by default, so I'm guessing that's not the case for you.
    And that is wrong, unless you are using some sort of GUI to manage your rules, which normally does save the rules as it applies them. If you are managing a server remotely and you are doing things this way and you just happen to lock yourself out, how do you fix the problem? A reboot will reload the same rules that locked you out to begin with. As with any remotely managed system, you should be using the CLI; that way, if you happen to add a rule that locks you out, all that is needed is a reboot so the old rules are loaded and you once again have access. Once you know the rules to be working properly, then you can manually save them.

    > If you're running a desktop distro, such as Ubuntu or Fedora, there are a few good GUI utils out there if you prefer. A little bit easier to administer f
    Nothing beats CLI. This is my opinion: if you want to admin a Linux server, learn the CLI. GUI takes up too much resources that could be better used elsewhere.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
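The two points argued in posts #4 and #5 (accept rules before a DROP policy, and -A versus -I ordering) are easy to check without touching a live firewall. The following is an added example, not code from the thread or from the iptables project: a small Python model of an INPUT chain that parses the same command lines quoted above (supporting only -A/-I/-P/-F, -s and -j; other matches are ignored), applies first-match-wins semantics with a default policy, and replays a command sequence to find the step at which a constructed admin address (203.0.113.0/24, a documentation range) would be locked out. It also shows a caveat the thread does not state: `iptables -F` clears the rules but leaves a DROP policy in place.

```python
import argparse
import shlex
from ipaddress import ip_address, ip_network


class Chain:
    """Model of one iptables filter chain: ordered rules plus a default policy.
    Only source-address matching is modelled; real iptables matches far more."""

    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []  # (ip_network, target), in the order iptables would test them

    def verdict(self, src_ip):
        """Walk the chain top to bottom; the first matching rule decides.
        If nothing matches, the chain's default policy applies."""
        addr = ip_address(src_ip)
        for net, target in self.rules:
            if addr in net:  # a /8 matches every address sharing its first octet
                return target
        return self.policy


def apply_command(chain, line):
    """Apply one 'iptables ...' command line to the model.
    Supported subset: -A/-I (with optional rule number), -P, -F, -s, -j.
    Anything else (-d, -i, --dport, ...) is left in the ignored remainder."""
    parser = argparse.ArgumentParser(prog="iptables", add_help=False)
    parser.add_argument("-A", "--append")                         # -A CHAIN
    parser.add_argument("-I", "--insert", nargs="+")              # -I CHAIN [rulenum]
    parser.add_argument("-P", "--policy", nargs=2)                # -P CHAIN TARGET
    parser.add_argument("-F", "--flush", nargs="?", const="INPUT")
    parser.add_argument("-s", "--source", default="0.0.0.0/0")
    parser.add_argument("-j", "--jump")
    args, _ignored = parser.parse_known_args(shlex.split(line)[1:])

    if args.flush:
        chain.rules.clear()            # -F empties the chain but leaves the policy alone
    elif args.policy:
        chain.policy = args.policy[1]
    else:
        rule = (ip_network(args.source, strict=False), args.jump)
        if args.append:
            chain.rules.append(rule)   # bottom of the chain, tested last
        elif args.insert:
            pos = int(args.insert[1]) if len(args.insert) > 1 else 1
            chain.rules.insert(pos - 1, rule)  # default position 1: top of the chain


def allowlist_verdicts():
    """Post #4's recipe: accept two /8 ranges, then switch the policy to DROP."""
    chain = Chain()
    for cmd in ("iptables -A INPUT -s 189.0.0.0/8 -j ACCEPT",
                "iptables -A INPUT -s 187.0.0.0/8 -j ACCEPT",
                "iptables -P INPUT DROP"):
        apply_command(chain, cmd)
    # constructed sample source addresses
    return {ip: chain.verdict(ip)
            for ip in ("189.1.2.3", "187.255.0.1", "200.1.1.1", "10.0.0.5")}


def append_vs_insert():
    """Post #5's point: with a permissive rule already present, an appended DROP
    is never reached, while an inserted one is tested first."""
    appended, inserted = Chain(), Chain()
    for c in (appended, inserted):
        apply_command(c, "iptables -A INPUT -s 0.0.0.0/0 -j ACCEPT")  # constructed earlier rule
    apply_command(appended, "iptables -A INPUT -s 200.0.0.0/8 -j DROP")
    apply_command(inserted, "iptables -I INPUT -s 200.0.0.0/8 -j DROP")
    return appended.verdict("200.9.9.9"), inserted.verdict("200.9.9.9")


def first_lockout(commands, admin_ip):
    """Replay commands in order; return the 1-based index of the first command after
    which admin_ip would be dropped, or None if access is kept throughout."""
    chain = Chain()
    for n, cmd in enumerate(commands, 1):
        apply_command(chain, cmd)
        if chain.verdict(admin_ip) == "DROP":
            return n
    return None


def flush_keeps_policy():
    """-F clears the rules but not the policy: once the policy is DROP, a flush
    drops everything, including ranges that were accepted a moment ago."""
    chain = Chain()
    for cmd in ("iptables -A INPUT -s 189.0.0.0/8 -j ACCEPT",
                "iptables -P INPUT DROP",
                "iptables -F"):
        apply_command(chain, cmd)
    return chain.verdict("189.1.2.3")


if __name__ == "__main__":
    print(allowlist_verdicts())
    print(append_vs_insert())
    wrong_order = ["iptables -P INPUT DROP",
                   "iptables -A INPUT -s 203.0.113.0/24 -j ACCEPT"]
    print(first_lockout(wrong_order, "203.0.113.7"))   # locked out at step 1
    print(flush_keeps_policy())
```

Run it as a script to see the verdicts. The `first_lockout` replay is the check worth keeping around: paste the exact sequence you intend to run on a remote box, give it the address you administer from, and it reports the step at which the session would die, which is precisely the mistake post #4 warns about.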

  6. #6
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    888
    Quote Originally Posted by Lazydog:
    > While the idea is correct, the rule is not the one you want to be using. -A adds the rule to the bottom of the chain, thus all rules above will be matched first. What you wanted to use is -I. This would insert the rule as the first in the chain, and this is really where you want this type of rule, as you want to drop all traffic from these IP addresses without them filtering through your other rules, where the chance is they might match and be accepted. All rules are read from top to bottom in a chain.
    >
    > The rule should read:
    > Code:
    > iptables -I INPUT -s 200.0.0.0/8 -j DROP
    >
    > This is a range, and IPTABLES looks at it as a range. IPTABLES doesn't care about net/host, just the range. Thus you could put 192.0.0.0/8 in, and every IP address that starts with 192 would match.
    >
    > And that is wrong, unless you are using some sort of GUI to manage your rules, which normally does save the rules as it applies them. If you are managing a server remotely and you are doing things this way and you just happen to lock yourself out, how do you fix the problem? A reboot will reload the same rules that locked you out to begin with. As with any remotely managed system, you should be using the CLI; that way, if you happen to add a rule that locks you out, all that is needed is a reboot so the old rules are loaded and you once again have access. Once you know the rules to be working properly, then you can manually save them.
    >
    > Nothing beats CLI. This is my opinion: if you want to admin a Linux server, learn the CLI. GUI takes up too much resources that could be better used elsewhere.
    I agree with the first part about rules being in order. Thanks for the tip.

    As for /8, as I said, I wasn't sure of the behavior.

    And as far as Debian goes, you are flat wrong. I highly suggest you try what you're saying.

  7. #7
    Just Joined!
    Join Date
    Apr 2012
    Posts
    3
    Thanks a lot, all, my problem is solved ... thankssssssssssss!

  8. #8
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by mizzle:
    > And as far as Debian goes, you are flat wrong. I highly suggest you try what you're saying.
    I don't use Debian myself, but I am curious about what you are saying here.

    So If I type in

    iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

    That this will automatically be added to my saved rules?

    If this is what you are saying, then I can only tell you that you are not using IPTABLES but a Debian version of iptables, as iptables does not save anything to a file without being told to do so first. I am talking about the CLI, not some GUI.

    Secondly, I would suggest that if you're using a program that automatically saves your rules, you stop. This could only cause you issues down the road: if you happen to unforeseeably create a rule that locks you out of the system, not even a reboot will save you.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
