Actually, I don't think the resulting iptables rules are correct for blocking a range.
I usually use a base IP address and a mask, i.e. 192.168.0.0/16.
When I saw what you were doing, I just assumed the syntax was correct for a range, but after testing something similar on my test computer, now I think the syntax is incorrect for a range. For a simple test, I ended up with these commands:
Code:
sudo iptables -F OUTPUT
sudo iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -s 0.0.0.0/0 -m iprange --dst-range 192.168.111.100-192.168.111.200 -j LOG --log-prefix "ODROP:" --log-level info
sudo iptables -A OUTPUT -s 0.0.0.0/0 -m iprange --dst-range 192.168.111.100-192.168.111.200 -j DROP
sudo iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG --log-prefix "OCATCH:" --log-level info
And this result:
Code:
Chain OUTPUT (policy ACCEPT 4 packets, 974 bytes)
pkts bytes target prot opt in out source destination
105 32380 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.111.100-192.168.111.200 LOG flags 0 level 6 prefix "ODROP:"
2 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 destination IP range 192.168.111.100-192.168.111.200
4 974 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "OCATCH:"
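As an added example (not code from the post above), the following Python script makes the distinction between a base-address-plus-mask and an arbitrary dash range concrete: it takes the 192.168.111.100-192.168.111.200 range from the post, shows that no single CIDR mask matches exactly those addresses, computes the minimal set of CIDR blocks that does, and emits both the iprange form of the LOG/DROP pair and the equivalent mask-only rules. The rule strings are constructed to mirror the post's commands; the script uses only the standard library and does not need root or a running netfilter.

```python
"""Compare an arbitrary dash range (iptables -m iprange) with CIDR masks.

Added example, not code from the forum post. The range constants are the
values used in that post; the rule text is constructed to mirror its
LOG + DROP pair.
"""
import ipaddress
from typing import List

# Constructed input: the range matched by the post's --dst-range rules.
RANGE_START = "192.168.111.100"
RANGE_END = "192.168.111.200"


def range_to_cidrs(start: str, end: str) -> List[str]:
    """Minimal list of CIDR blocks covering start..end inclusive.

    A dash range rarely lines up with one power-of-two block, so expressing
    it with -s/-d masks usually takes several rules.
    """
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        raise ValueError("range start must not be above range end")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def smallest_covering_cidr(start: str, end: str) -> str:
    """The single CIDR block containing both ends of the range.

    This is the only thing a rule with one -d mask could match, and it
    normally covers far more addresses than the intended range.
    """
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    net = ipaddress.ip_network(f"{first}/{first.max_prefixlen}")
    while last not in net:  # widen the mask one bit at a time
        net = net.supernet()
    return str(net)


def overblocked_count(start: str, end: str) -> int:
    """Addresses the single covering CIDR would match beyond the range."""
    net = ipaddress.ip_network(smallest_covering_cidr(start, end))
    wanted = int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1
    return net.num_addresses - wanted


def in_dash_range(addr: str, start: str, end: str) -> bool:
    """Membership test equivalent to `-m iprange --dst-range start-end`."""
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(start) <= a <= ipaddress.ip_address(end)


def in_cidr_list(addr: str, cidrs: List[str]) -> bool:
    """Membership test equivalent to a set of `-d <cidr>` rules."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(c) for c in cidrs)


def iprange_rules(start: str, end: str, chain: str = "OUTPUT",
                  prefix: str = "ODROP:") -> List[str]:
    """LOG + DROP pair using the iprange match, as in the post."""
    match = f"-m iprange --dst-range {start}-{end}"
    return [
        f'iptables -A {chain} {match} -j LOG --log-prefix "{prefix}" --log-level info',
        f"iptables -A {chain} {match} -j DROP",
    ]


def cidr_rules(start: str, end: str, chain: str = "OUTPUT",
               prefix: str = "ODROP:") -> List[str]:
    """Equivalent LOG + DROP pairs using only -d masks: one pair per block."""
    rules = []
    for cidr in range_to_cidrs(start, end):
        rules.append(f'iptables -A {chain} -d {cidr} -j LOG --log-prefix "{prefix}" --log-level info')
        rules.append(f"iptables -A {chain} -d {cidr} -j DROP")
    return rules


if __name__ == "__main__":
    print("single mask covering the range:", smallest_covering_cidr(RANGE_START, RANGE_END),
          "(over-blocks", overblocked_count(RANGE_START, RANGE_END), "addresses)")
    print("exact CIDR decomposition:", range_to_cidrs(RANGE_START, RANGE_END))
    print("\n".join(iprange_rules(RANGE_START, RANGE_END)))
    print("\n".join(cidr_rules(RANGE_START, RANGE_END)))
```

For the post's range the single covering mask is 192.168.111.0/24, which is why a plain `-d` mask is the wrong tool here: the exact match needs six CIDR blocks, or one `-m iprange` rule as the post uses. The membership helpers let you confirm that the two rule sets match exactly the same destinations before loading either into a live chain.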