Need to block wan ip address that ranges from 172.XXX.XXX.80 - 100.

How can I block not just the range of 80 - 100, but the full WAN IP? Can I put a block in the firewall for 172.XXX.XXX.0 and that will cover that whole IP range??
jmahlmannAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

farzanjCommented:
Yes you can.  Which firewall are you using?  A network (Cisco PIX)? Or a Linux firewall??

Warning:  This can cause unexpected problems as it would stop all of your WAN network traffic even DNS lookups.

Allow the addresses you want --your internal address ranges and disallow the rest.

For iptables

iptables -A INPUT -s 172.0.0.0 -j ACCEPT
iptables -A INPUT -s 0/0 -j DROP

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
HaiFaiCommented:
Hi

Yes this should work 172.XXX.XXX.0/24 (that 24 is shortcut for mask 255.255.255.0)
or 172.XXX.XXX.0 if you cannot specify mask there.
0
schmitty007Commented:
Depending on what device you are using as a firewall the steps to apply this filter will be different but, you can block a range of IPs or different subnets with most firewalls by simply entering the IP range or subnet you wish to block.

Example: 172.0.0.0 /8 or 172.0.0.0 255.0.0.0 that will block all 172.x.x.x addresses but the principle applies. A good idea for you might be to download/look up a subneting app either to your phone or on the web and input the IPs you want to block and move the subnet until it best fits the range you want to block.

As poster above has stated this may cause undesirable effects in block web pages or services you don't intend to block.
Also note that 172.16.0.0 to 172.31.255.255 address range is reserved for private use and do not route over the internet. And that subnet is represented by 172.16.0.0/19 or 172.16.0.0 255.255.224.0.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

gheistCommented:
172.x.x.x may be a RFC1918 address thus really you might need to ask your WAN provider to block martian traffic.
0
madunixCommented:
try to drop the network block on the interfaces of your network router
ip route x.y.z.0 255.255.255.0 Null0
0
gheistCommented:
Normally provider has to do it, but does not hurt if you find they do not. Say mine is leaking 10.x.x.x of their service network all the time...
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.