Actually, I don't think the resulting iptables rules are correct for blocking a range.
I usually use a base IP address and a mask, i.e. 192.168.0.0/16.
When I saw what you were doing, I just assumed the syntax was correct for a range, but after testing something similar on my test computer, now I think the syntax is incorrect for a range. For a simple test, I ended up with these commands:
Code:
sudo iptables -F OUTPUT
sudo iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -s 0.0.0.0/0 -m iprange --dst-range 192.168.111.100-192.168.111.200 -j LOG --log-prefix "ODROP:" --log-level info
sudo iptables -A OUTPUT -s 0.0.0.0/0 -m iprange --dst-range 192.168.111.100-192.168.111.200 -j DROP
sudo iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG --log-prefix "OCATCH:" --log-level info
And this result:
Code:
Chain OUTPUT (policy ACCEPT 4 packets, 974 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     105    32380 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       2      120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            destination IP range 192.168.111.100-192.168.111.200 LOG flags 0 level 6 prefix "ODROP:"
       2      120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            destination IP range 192.168.111.100-192.168.111.200
       4      974 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "OCATCH:"
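
The two ways of matching a destination mentioned in this post (a base address with a mask, and `-m iprange --dst-range`) can be related by splitting a range into the CIDR blocks that cover it exactly. The script below is an added example, not part of the original post; the function names `ip_to_int`, `int_to_ip`, `range_to_cidrs` and `emit_drop_rules` are hypothetical, and it only prints the equivalent `-d` rules rather than applying them.

```shell
#!/bin/sh
# Added example: split an IPv4 range into the minimal list of CIDR blocks,
# so a range can be written as plain "-d base/mask" rules.

# Dotted quad -> 32-bit integer (octets must not have leading zeros).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs START END: print one CIDR block per line.
range_to_cidrs() {
    lo=$(ip_to_int "$1"); hi=$(ip_to_int "$2")
    while [ "$lo" -le "$hi" ]; do
        bits=32
        # Widen the block while "lo" stays aligned and the block ends at or before "hi".
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))    # size of the next larger block
            [ $(( lo % size )) -eq 0 ] && [ $(( lo + size - 1 )) -le "$hi" ] || break
            bits=$(( bits - 1 ))
        done
        echo "$(int_to_ip "$lo")/$bits"
        lo=$(( lo + (1 << (32 - bits)) ))   # continue after this block
    done
}

# Print (do not run) one DROP rule per CIDR block for the OUTPUT chain.
emit_drop_rules() {
    range_to_cidrs "$1" "$2" | while read -r cidr; do
        echo "iptables -A OUTPUT -d $cidr -j DROP"
    done
}

# The range used in the test above; it needs six -d rules,
# where the iprange match covers it with one.
emit_drop_rules 192.168.111.100 192.168.111.200
```
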