Solved

Block an IP

Posted on 2001-07-19
9
1,348 Views
Last Modified: 2013-12-15

Hello,

Can any body tell me how to block an IP address or range of Addresses under IPChains. I tried several options to block the same. Also I am findiing it difficult to block range of Ports,

/sbin/ipchains -D input -s 192.168.0.129 -J DENY
0
Comment
Question by:vatsasri
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 4

Expert Comment

by:MFCRich
ID: 6300741
/sbin/ipchains -D input -s 192.168.0.129 -J DENY

This says to delete a rule. To append(or add) a rule use the -A switch like this:

/sbin/ipchains -A input -s 192.168.0.129 -J DENY

For a range of IP addr you can use the IP/subnet-mask notation (eg 192.168.0.0/255.255.255.0)

If this machine is a gateway for a network you should probably specify the interface the rule should apply to. For example if eth0 is your interface to the Internet and eth1 is your interface to your LAN then the following two rules should probably be used.

1)/sbin/ipchains -A input -i eth0 -s 192.168.0.0/255.255.255.0 -J DENY

2)/sbin/ipchains -A input -i eth1 -d 192.168.0.0/255.255.255.0 -J DENY  

Rule 1 says block everything coming from the specified network and rule 2 says block everything going to the network
0
 

Author Comment

by:vatsasri
ID: 6300785
hello MFCRich,

thanx for ur time, but I want to block a range of IP under a same subnet. If I follow the rule then, If I want to block 50 continuous address then, I have to enter 50 number of entries in the script. Is there any shortcut?

Regards,

Srivatsa
0
 
LVL 4

Expert Comment

by:MFCRich
ID: 6300956
You could brake down the block of 50 continuous IPs into subnets of 32, 16, 8, ... addresses. The best you could hope for would be three rules for each interface ( subnets of 32, 16, and 2) It depends on the upper and lower boundries of the 50 addresses you want to block.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 4

Expert Comment

by:garisoain
ID: 6303061
Hey there!

if it's an internal network, a good solution is to split the network into 192.168.0.x for the blocked machines, 192.168.1.x for non-blocked machines, for example.

So you can block all the 192.168.0.0/24 network with one simple chain...

hope this helps.
-garisoain

0
 

Author Comment

by:vatsasri
ID: 6304306

In this case can I have two set of IPs (192.168.0.0/24 & 192.168.1.0/24) on one NIC?

Can u please tell me how do I do it under LinuxConf(I use this since it is very handy)
0
 
LVL 4

Accepted Solution

by:
garisoain earned 50 total points
ID: 6308764
Hey there.
do you want to access 2 sets of IP?
or you want your NIC to have 2 different IP?

I have never used Linuxconf (Slackware User), so I won't be useful about it...

But, from the linux console, all you got to do is:

For the first, you only need to add 'logic' communication to the other network, the 'route' command will do.

I don't remember the exact syntax of the command, but its something like:

# route add 192.168.1.0

so your Box can 'see' the 192.168.1.0/24 network too.

If you want your NIC to have 2 different IP, you're looking for IP-Aliasing, 'ifconfig' can do this. (but you need to support this from kernel)

# ifconfig eth0 192.168.0.1
# ifconfig eth0:alias 192.168.3.254

with this, your NIC will be 192.168.0.1 AND 192.168.3.254.

I don't have a Linux box near, so i'll need to send you to the manuals... =/

man ifconfig
man route

Hope this helps...
-garisoain
0
 
LVL 1

Expert Comment

by:CrypToniC
ID: 6321750
If the machines to be blocked are in continuous order
try...(not tested just an idea...I use this with ipfwd)

ip=40
while [ $ip -le 90 ]
  do
    ipchains -A input -d 10.1.2.$ip/24 -j REJECT
    ip=$((ip+1))
  done


However this would add 50 rules, I do not know if this
will affect overall efficiency

0
 
LVL 6

Expert Comment

by:st_steve
ID: 7036336
And you can use the --destination-port parameter to block a range of ports

eg:

--destination-port 135:139
0
 

Expert Comment

by:CleanupPing
ID: 9086728
vatsasri:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Unix process listing into CSV format 3 83
linux 13 144
IP 10.0.1.2 / 255.0.0.0 61 104
how to include conditional log rotate in liunx. 17 101
SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question