Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Block an IP

Posted on 2001-07-19
9
Medium Priority
?
1,354 Views
Last Modified: 2013-12-15

Hello,

Can any body tell me how to block an IP address or range of Addresses under IPChains. I tried several options to block the same. Also I am findiing it difficult to block range of Ports,

/sbin/ipchains -D input -s 192.168.0.129 -J DENY
0
Comment
Question by:vatsasri
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 4

Expert Comment

by:MFCRich
ID: 6300741
/sbin/ipchains -D input -s 192.168.0.129 -J DENY

This says to delete a rule. To append(or add) a rule use the -A switch like this:

/sbin/ipchains -A input -s 192.168.0.129 -J DENY

For a range of IP addr you can use the IP/subnet-mask notation (eg 192.168.0.0/255.255.255.0)

If this machine is a gateway for a network you should probably specify the interface the rule should apply to. For example if eth0 is your interface to the Internet and eth1 is your interface to your LAN then the following two rules should probably be used.

1)/sbin/ipchains -A input -i eth0 -s 192.168.0.0/255.255.255.0 -J DENY

2)/sbin/ipchains -A input -i eth1 -d 192.168.0.0/255.255.255.0 -J DENY  

Rule 1 says block everything coming from the specified network and rule 2 says block everything going to the network
0
 

Author Comment

by:vatsasri
ID: 6300785
hello MFCRich,

thanx for ur time, but I want to block a range of IP under a same subnet. If I follow the rule then, If I want to block 50 continuous address then, I have to enter 50 number of entries in the script. Is there any shortcut?

Regards,

Srivatsa
0
 
LVL 4

Expert Comment

by:MFCRich
ID: 6300956
You could brake down the block of 50 continuous IPs into subnets of 32, 16, 8, ... addresses. The best you could hope for would be three rules for each interface ( subnets of 32, 16, and 2) It depends on the upper and lower boundries of the 50 addresses you want to block.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 4

Expert Comment

by:garisoain
ID: 6303061
Hey there!

if it's an internal network, a good solution is to split the network into 192.168.0.x for the blocked machines, 192.168.1.x for non-blocked machines, for example.

So you can block all the 192.168.0.0/24 network with one simple chain...

hope this helps.
-garisoain

0
 

Author Comment

by:vatsasri
ID: 6304306

In this case can I have two set of IPs (192.168.0.0/24 & 192.168.1.0/24) on one NIC?

Can u please tell me how do I do it under LinuxConf(I use this since it is very handy)
0
 
LVL 4

Accepted Solution

by:
garisoain earned 100 total points
ID: 6308764
Hey there.
do you want to access 2 sets of IP?
or you want your NIC to have 2 different IP?

I have never used Linuxconf (Slackware User), so I won't be useful about it...

But, from the linux console, all you got to do is:

For the first, you only need to add 'logic' communication to the other network, the 'route' command will do.

I don't remember the exact syntax of the command, but its something like:

# route add 192.168.1.0

so your Box can 'see' the 192.168.1.0/24 network too.

If you want your NIC to have 2 different IP, you're looking for IP-Aliasing, 'ifconfig' can do this. (but you need to support this from kernel)

# ifconfig eth0 192.168.0.1
# ifconfig eth0:alias 192.168.3.254

with this, your NIC will be 192.168.0.1 AND 192.168.3.254.

I don't have a Linux box near, so i'll need to send you to the manuals... =/

man ifconfig
man route

Hope this helps...
-garisoain
0
 
LVL 1

Expert Comment

by:CrypToniC
ID: 6321750
If the machines to be blocked are in continuous order
try...(not tested just an idea...I use this with ipfwd)

ip=40
while [ $ip -le 90 ]
  do
    ipchains -A input -d 10.1.2.$ip/24 -j REJECT
    ip=$((ip+1))
  done


However this would add 50 rules, I do not know if this
will affect overall efficiency

0
 
LVL 6

Expert Comment

by:st_steve
ID: 7036336
And you can use the --destination-port parameter to block a range of ports

eg:

--destination-port 135:139
0
 

Expert Comment

by:CleanupPing
ID: 9086728
vatsasri:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

rdate is a Linux command and the network time protocol for immediate date and time setup from another machine. The clocks are synchronized by entering rdate with the -s switch (command without switch just checks the time but does not set anything). …
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question