?
Solved

Block an IP

Posted on 2001-07-19
9
Medium Priority
?
1,351 Views
Last Modified: 2013-12-15

Hello,

Can any body tell me how to block an IP address or range of Addresses under IPChains. I tried several options to block the same. Also I am findiing it difficult to block range of Ports,

/sbin/ipchains -D input -s 192.168.0.129 -J DENY
0
Comment
Question by:vatsasri
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 4

Expert Comment

by:MFCRich
ID: 6300741
/sbin/ipchains -D input -s 192.168.0.129 -J DENY

This says to delete a rule. To append(or add) a rule use the -A switch like this:

/sbin/ipchains -A input -s 192.168.0.129 -J DENY

For a range of IP addr you can use the IP/subnet-mask notation (eg 192.168.0.0/255.255.255.0)

If this machine is a gateway for a network you should probably specify the interface the rule should apply to. For example if eth0 is your interface to the Internet and eth1 is your interface to your LAN then the following two rules should probably be used.

1)/sbin/ipchains -A input -i eth0 -s 192.168.0.0/255.255.255.0 -J DENY

2)/sbin/ipchains -A input -i eth1 -d 192.168.0.0/255.255.255.0 -J DENY  

Rule 1 says block everything coming from the specified network and rule 2 says block everything going to the network
0
 

Author Comment

by:vatsasri
ID: 6300785
hello MFCRich,

thanx for ur time, but I want to block a range of IP under a same subnet. If I follow the rule then, If I want to block 50 continuous address then, I have to enter 50 number of entries in the script. Is there any shortcut?

Regards,

Srivatsa
0
 
LVL 4

Expert Comment

by:MFCRich
ID: 6300956
You could brake down the block of 50 continuous IPs into subnets of 32, 16, 8, ... addresses. The best you could hope for would be three rules for each interface ( subnets of 32, 16, and 2) It depends on the upper and lower boundries of the 50 addresses you want to block.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 4

Expert Comment

by:garisoain
ID: 6303061
Hey there!

if it's an internal network, a good solution is to split the network into 192.168.0.x for the blocked machines, 192.168.1.x for non-blocked machines, for example.

So you can block all the 192.168.0.0/24 network with one simple chain...

hope this helps.
-garisoain

0
 

Author Comment

by:vatsasri
ID: 6304306

In this case can I have two set of IPs (192.168.0.0/24 & 192.168.1.0/24) on one NIC?

Can u please tell me how do I do it under LinuxConf(I use this since it is very handy)
0
 
LVL 4

Accepted Solution

by:
garisoain earned 100 total points
ID: 6308764
Hey there.
do you want to access 2 sets of IP?
or you want your NIC to have 2 different IP?

I have never used Linuxconf (Slackware User), so I won't be useful about it...

But, from the linux console, all you got to do is:

For the first, you only need to add 'logic' communication to the other network, the 'route' command will do.

I don't remember the exact syntax of the command, but its something like:

# route add 192.168.1.0

so your Box can 'see' the 192.168.1.0/24 network too.

If you want your NIC to have 2 different IP, you're looking for IP-Aliasing, 'ifconfig' can do this. (but you need to support this from kernel)

# ifconfig eth0 192.168.0.1
# ifconfig eth0:alias 192.168.3.254

with this, your NIC will be 192.168.0.1 AND 192.168.3.254.

I don't have a Linux box near, so i'll need to send you to the manuals... =/

man ifconfig
man route

Hope this helps...
-garisoain
0
 
LVL 1

Expert Comment

by:CrypToniC
ID: 6321750
If the machines to be blocked are in continuous order
try...(not tested just an idea...I use this with ipfwd)

ip=40
while [ $ip -le 90 ]
  do
    ipchains -A input -d 10.1.2.$ip/24 -j REJECT
    ip=$((ip+1))
  done


However this would add 50 rules, I do not know if this
will affect overall efficiency

0
 
LVL 6

Expert Comment

by:st_steve
ID: 7036336
And you can use the --destination-port parameter to block a range of ports

eg:

--destination-port 135:139
0
 

Expert Comment

by:CleanupPing
ID: 9086728
vatsasri:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Suggested Courses
Course of the Month8 days, 23 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question