ipchains question


Red Hat
04-09-2001, 01:12 PM
Hello,

I would like to block an ip range from eg: 127.0.0.1 to 127.0.0.240 on port 80 tcp.

I am only able to do each one separately, like ipchains -A input -p tcp -s 127.0.0.1/24 80 -j DENY
and
ipchains -A input -p tcp -s 127.0.0.2/24 80 -j DENY
etc.....

Thanks...:-)

kernel.panic
04-09-2001, 01:49 PM
Well, while you didn't ask a question, I will both attempt a guess at the question and a stab at the answer.

I assume you are looking for a quicker way to block the range than listing them in multiple lines.

ipchains -A input -p tcp -s 127.0.0.1/24 80 -j DENY

That line alone blocks the whole range, because the /24 specifies to match the first three sets of numbers in the IP and the last set is essentially overlooked.

ipchains -A input -p tcp -s 127.0.0.1/32 80 -j DENY

That line would restrict ONLY 127.0.0.1 because the mask is now 32-bit.

Hope that helps.

Red Hat
04-09-2001, 02:11 PM
I don't understand what the /24 does.
How could I have a blocked range of 127.0.0.1 to 127.255.255.255 for example?

ph34r
04-09-2001, 02:27 PM
Any time you see an address like

123.45.67.89/24

The number after the slash (/24 in this case) says "of the address shown, the first 24 bits are the network number" - so another way of representing it would be address 123.45.67.89 netmask 255.255.255.0

ipchains -A input -p tcp -s 127.0.0.1/8 80 -j DENY

would block 127.0.0.1 thru 127.255.255.255 since the /8 says the first 8 bits are network and the rest are host.

Red Hat
04-09-2001, 02:34 PM
Thanks for your help.
I found this site also: http://andrew2.andrew.cmu.edu/rfc/rfc1878.html

Craig McPherson
04-10-2001, 04:46 AM
Let's use 127.0.0.0 as an example.

127.0.0.0/8 means 127.*.*.*, which could be abbreviated as simply 127/8... most people don't know this, but cool people do.

127.0.0.0/16 means 127.0.*.*, which could be abbreviated as 127.0/16

127.0.0.0/24 means 127.0.0.*, abbreviated as 127.0.0/24.

If you want to match every IP in the world, you can do 0.0.0.0/0, or (more people should realize this) simply 0/0. In fact, the number before the "/0" isn't important, it's only the "/0" that matters -- it says "match anything that matches the first 0 bits of the given IP address", and of course, zero bits of anything matches zero bits of anything else, just like zero dogs are completely identical to zero cats.

Cool stuff.