Solved

Block an IP

Posted on 2001-07-19
9
1,345 Views
Last Modified: 2013-12-15

Hello,

Can any body tell me how to block an IP address or range of Addresses under IPChains. I tried several options to block the same. Also I am findiing it difficult to block range of Ports,

/sbin/ipchains -D input -s 192.168.0.129 -J DENY
0
Comment
Question by:vatsasri
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 4

Expert Comment

by:MFCRich
ID: 6300741
/sbin/ipchains -D input -s 192.168.0.129 -J DENY

This says to delete a rule. To append(or add) a rule use the -A switch like this:

/sbin/ipchains -A input -s 192.168.0.129 -J DENY

For a range of IP addr you can use the IP/subnet-mask notation (eg 192.168.0.0/255.255.255.0)

If this machine is a gateway for a network you should probably specify the interface the rule should apply to. For example if eth0 is your interface to the Internet and eth1 is your interface to your LAN then the following two rules should probably be used.

1)/sbin/ipchains -A input -i eth0 -s 192.168.0.0/255.255.255.0 -J DENY

2)/sbin/ipchains -A input -i eth1 -d 192.168.0.0/255.255.255.0 -J DENY  

Rule 1 says block everything coming from the specified network and rule 2 says block everything going to the network
0
 

Author Comment

by:vatsasri
ID: 6300785
hello MFCRich,

thanx for ur time, but I want to block a range of IP under a same subnet. If I follow the rule then, If I want to block 50 continuous address then, I have to enter 50 number of entries in the script. Is there any shortcut?

Regards,

Srivatsa
0
 
LVL 4

Expert Comment

by:MFCRich
ID: 6300956
You could brake down the block of 50 continuous IPs into subnets of 32, 16, 8, ... addresses. The best you could hope for would be three rules for each interface ( subnets of 32, 16, and 2) It depends on the upper and lower boundries of the 50 addresses you want to block.
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 4

Expert Comment

by:garisoain
ID: 6303061
Hey there!

if it's an internal network, a good solution is to split the network into 192.168.0.x for the blocked machines, 192.168.1.x for non-blocked machines, for example.

So you can block all the 192.168.0.0/24 network with one simple chain...

hope this helps.
-garisoain

0
 

Author Comment

by:vatsasri
ID: 6304306

In this case can I have two set of IPs (192.168.0.0/24 & 192.168.1.0/24) on one NIC?

Can u please tell me how do I do it under LinuxConf(I use this since it is very handy)
0
 
LVL 4

Accepted Solution

by:
garisoain earned 50 total points
ID: 6308764
Hey there.
do you want to access 2 sets of IP?
or you want your NIC to have 2 different IP?

I have never used Linuxconf (Slackware User), so I won't be useful about it...

But, from the linux console, all you got to do is:

For the first, you only need to add 'logic' communication to the other network, the 'route' command will do.

I don't remember the exact syntax of the command, but its something like:

# route add 192.168.1.0

so your Box can 'see' the 192.168.1.0/24 network too.

If you want your NIC to have 2 different IP, you're looking for IP-Aliasing, 'ifconfig' can do this. (but you need to support this from kernel)

# ifconfig eth0 192.168.0.1
# ifconfig eth0:alias 192.168.3.254

with this, your NIC will be 192.168.0.1 AND 192.168.3.254.

I don't have a Linux box near, so i'll need to send you to the manuals... =/

man ifconfig
man route

Hope this helps...
-garisoain
0
 
LVL 1

Expert Comment

by:CrypToniC
ID: 6321750
If the machines to be blocked are in continuous order
try...(not tested just an idea...I use this with ipfwd)

ip=40
while [ $ip -le 90 ]
  do
    ipchains -A input -d 10.1.2.$ip/24 -j REJECT
    ip=$((ip+1))
  done


However this would add 50 rules, I do not know if this
will affect overall efficiency

0
 
LVL 6

Expert Comment

by:st_steve
ID: 7036336
And you can use the --destination-port parameter to block a range of ports

eg:

--destination-port 135:139
0
 

Expert Comment

by:CleanupPing
ID: 9086728
vatsasri:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network Interface Card (NIC) bonding, also known as link aggregation, NIC teaming and trunking, is an important concept to understand and implement in any environment where high availability is of concern. Using this feature, a server administrator …
rdate is a Linux command and the network time protocol for immediate date and time setup from another machine. The clocks are synchronized by entering rdate with the -s switch (command without switch just checks the time but does not set anything). …
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question