Page 2 of 2 (results 11 to 14 of 14)

Thread: How do I block an IP range ?

  1. #11
    Join Date: Feb 2011 | Location: Coquitlam, B.C. Canada | Beans: 3,506 | Distro: Ubuntu Development Release

    Re: How do I block an IP range ?

    Actually, I don't think the resulting iptables rules are correct for blocking a range.
    I usually use a base IP address and a mask, i.e. 192.168.0.0/16.
    When I saw what you were doing, I just assumed the syntax was correct for a range, but after testing something similar on my test computer, now I think the syntax is incorrect for a range. For a simple test, I ended up with these commands:
    Code:
    sudo iptables -F OUTPUT
    sudo iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A OUTPUT -s 0.0.0.0/0 -m iprange --dst-range 192.168.111.100-192.168.111.200 -j LOG --log-prefix "ODROP:" --log-level info
    sudo iptables -A OUTPUT -s 0.0.0.0/0 -m iprange --dst-range 192.168.111.100-192.168.111.200 -j DROP
    sudo iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG --log-prefix "OCATCH:" --log-level info
    And this result:
    Code:
    Chain OUTPUT (policy ACCEPT 4 packets, 974 bytes)
        pkts      bytes target     prot opt in     out     source               destination
         105    32380 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
           2      120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            destination IP range 192.168.111.100-192.168.111.200 LOG flags 0 level 6 prefix "ODROP:"
           2      120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            destination IP range 192.168.111.100-192.168.111.200
           4      974 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "OCATCH:"
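    The point made in this post (iptables -s/-d take an address plus mask, so a dashed range must be summarised into CIDR blocks or matched with -m iprange) can be checked programmatically. This is an added example, not code from the thread; it uses Python's standard ipaddress module, and the range and addresses are the constructed test values from the post above.

    ```python
    """Added example: summarise a dashed IP range into CIDR blocks, emit the
    equivalent iptables DROP rules, and test whether an address is covered."""
    import ipaddress
    from typing import List, Tuple


    def range_to_cidrs(first: str, last: str) -> List[str]:
        """Minimal list of CIDR blocks that exactly covers first..last (inclusive).
        This is what -d address/mask needs; a bare 'a.b.c.d-w.x.y.z' is not one."""
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            raise ValueError("range start must not exceed range end")
        return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


    def cidr_bounds(cidr: str) -> Tuple[str, str]:
        """First and last address covered by an address/mask, e.g. to see what a
        /14 like the one mentioned later in the thread actually spans."""
        net = ipaddress.ip_network(cidr, strict=False)
        return str(net.network_address), str(net.broadcast_address)


    def in_range(addr: str, first: str, last: str) -> bool:
        """True when addr lies inside the inclusive range first..last."""
        ip = ipaddress.ip_address(addr)
        return ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last)


    def drop_rules(first: str, last: str, chain: str = "OUTPUT") -> List[str]:
        """Two equivalent ways to block the range: one -d rule per summarised
        CIDR block, or a single -m iprange rule (the form the post settled on)."""
        rules = [f"iptables -A {chain} -d {cidr} -j DROP"
                 for cidr in range_to_cidrs(first, last)]
        rules.append(f"iptables -A {chain} -m iprange --dst-range {first}-{last} -j DROP")
        return rules


    if __name__ == "__main__":
        # Constructed sample range taken from the post above.
        FIRST, LAST = "192.168.111.100", "192.168.111.200"
        print("CIDR blocks:", ", ".join(range_to_cidrs(FIRST, LAST)))
        for rule in drop_rules(FIRST, LAST):
            print(rule)
        print("157.56.0.0/14 spans", "-".join(cidr_bounds("157.56.0.0/14")))
        print("192.168.111.150 in range:", in_range("192.168.111.150", FIRST, LAST))
    ```

    The dashed range needs six CIDR blocks, which is why a single -s/-d argument cannot express it and -m iprange exists.
    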

  2. #12
    Join Date: Jun 2012 | Beans: 310

    Re: How do I block an IP range ?

    That explains why my rules are added in UFW but don't actually work; they are probably misinterpreted as valid addresses whilst they actually aren't.

  3. #13
    Join Date: Jun 2012 | Beans: 310

    Re: How do I block an IP range ?

    After some more trying, I can definitely tell that even rules added to UFW in the form of IP address + mask, like say 157.56.0.0/14, do not prevent connections from this domain from being established when using Skype: it's still unclear to me if IP blocking done via UFW is as effective as using iptables and if programs are still, under certain circumstances, allowed to eventually bypass these rules.

  4. #14
    Join Date: Jun 2012 | Beans: 310

    Re: How do I block an IP range ?

    Well, after some more experimenting with UFW, I've probably understood how to achieve that "blanket blocking" discussed here http://ubuntuforums.org/showpost.php...78&postcount=7 , as I've actually managed, as proof of concept, to entirely prevent some sites from loading by using the simple syntax ufw deny to [address] (this one in the form of IP address and a mask, like say 151.75.0.0/16), and the opposite ufw deny out to [address] .
    This almost always works, except in some cases, where I cannot figure out why some of the usual suspects (read: connections to Microsoft servers) won't be blocked when using Skype even when specifying the supposedly correct syntax.
    Could it be that UFW does have some built-in limitations/overrides and that only iptables can really 100% control what's going on?
