Blocking IP address ranges

Banjo Mailing List banjo.mailing.list at gmail.com
Tue Jan 25 18:29:07 UTC 2005


Or use portsentry. If you need any help with how to do it, tell me.


On Tue, 25 Jan 2005 12:56:15 -0500, Deron Meranda
<deron.meranda at gmail.com> wrote:
> > I'm thinking of setting up a rule in iptables to point to a
> > file to which I can easily add the IP addresses that I need
> > to block. Is this possible, and what would be the syntax?
> 
> If you really want to set up something so you can block a large number
> of IP addresses and you have the patience to keep up, yes you could
> set up some simple scripts to help you automate the iptables config.
> 
> Note though that you'll probably want to structure iptables with several
> chains to help reduce the inefficiency caused by a large number of
> rules.  For example, you might want a separate chain for each of the
> possible 256 first-octets.  This should get you started and give you some
> ideas (it can be improved upon too).
> 
> iptables -N web_block_1
> iptables -N web_block_2
> ...
> iptables -N web_block_255
> 
> Then create a chain just to dispatch these (so non-web traffic
> doesn't have to go through all these rule checks),
> 
> iptables -N web_block
> 
> Then link it into your input chain too,
> 
> iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block
> iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block
> 
> Finally, in your web_block chain dispatch for each octet,
> 
> iptables -A web_block -s 1.0.0.0/8 -j web_block_1
> iptables -A web_block -s 2.0.0.0/8 -j web_block_2
> ...
> iptables -A web_block -s 255.0.0.0/8 -j web_block_255
> 
> Then you'd add specific IP addresses (or netblocks), as
> 
>   iptables -A web_block_192 -s 192.168.1.1 -j REJECT
> 
> Also, if your script updates the rules, be sure to also run iptables-save
> so your entries survive a reboot.
> 
> Keep in mind though that iptables blocking is the *harsh*
> way to do this.  Less drastic would be to 1. ignore the logs,
> 2. reduce the logging level, 3. look at Apache's Deny
> directive.
> --
> Deron Meranda
> 
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
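
The per-first-octet layout Deron sketches above, turned into a small script that loads a blocklist file; this is an added example, not code from either poster. The blocklist format (one IPv4 address or CIDR per line, `#` comments), the chain prefix web_block, the interface eth0 and the DRY_RUN switch are my own assumptions. It goes one step past the post: per-octet chains are created only for octets that actually occur in the file, so a blocklist with entries in five /8s produces five sub-chains and five dispatch rules, not 255.

```shell
#!/bin/sh
# Added example (not from the original post): load a blocklist file into the
# per-first-octet chain layout discussed on the list. Assumed names: the
# blocklist format (one IPv4 address or CIDR per line, '#' comments), the
# chain prefix web_block, the interface eth0 and the DRY_RUN switch are all
# my choices. Run as root with DRY_RUN=0 to apply; by default it only prints
# the iptables commands it would run.

: "${DRY_RUN:=1}"
: "${IFACE:=eth0}"
PREFIX=web_block

# Print the iptables command (dry run) or execute it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Print the first octet of an IPv4 address or CIDR; return 1 on anything else.
# Light validation only: iptables rejects malformed addresses itself, and
# IPv6 entries are refused here because they would need ip6tables.
first_octet() {
    case $1 in
        ''|*[!0-9./]*|.*|/*|*..*|*/*/*) return 1 ;;
        *.*.*.*) ;;                        # at least three dots present
        *) return 1 ;;
    esac
    o=${1%%.*}
    [ "$o" -le 255 ] || return 1
    printf '%s\n' "$o"
}

# Dispatch chain plus a single INPUT hook covering both web ports.
build_chains() {
    ipt -N "$PREFIX"
    ipt -I INPUT -i "$IFACE" -p tcp -m multiport --dports 80,443 -j "$PREFIX"
}

# Add a REJECT rule for every entry in the blocklist file. Per-octet chains
# are created on first use, so only octets that actually appear get a chain
# and a dispatch rule instead of 256 mostly empty ones.
load_blocklist() {
    file=$1
    created=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                   # drop comments
        while :; do                        # trim surrounding whitespace
            case $line in
                [[:space:]]*) line=${line#?} ;;
                *[[:space:]]) line=${line%?} ;;
                *) break ;;
            esac
        done
        [ -z "$line" ] && continue
        if ! o=$(first_octet "$line"); then
            printf 'skipping bad entry: %s\n' "$line" >&2
            continue
        fi
        case " $created " in
            *" $o "*) ;;                   # sub-chain already exists
            *)
                ipt -N "${PREFIX}_$o"
                ipt -A "$PREFIX" -s "$o.0.0.0/8" -j "${PREFIX}_$o"
                created="$created $o"
                ;;
        esac
        ipt -A "${PREFIX}_$o" -s "$line" -j REJECT
    done < "$file"
}

# Usage: DRY_RUN=0 ./blocklist.sh /etc/web-blocklist.txt
if [ $# -gt 0 ]; then
    build_chains
    load_blocklist "$1"
fi
```

Two practical notes. The script only adds rules, so rerunning it against a live ruleset will fail on the duplicate `-N`; flush and delete the web_block chains first, or keep it as a one-shot that you follow with `iptables-save` (on Fedora of that era, `service iptables save` writes /etc/sysconfig/iptables). And REJECT, as in the post, sends the client an ICMP error; DROP instead makes the host simply go silent, which is what most people want for a blocklist of abusive sources.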



