Old 10-08-2012, 07:36 PM   #19
knc1
Embedded Cheerleader
Posts: 6,519
Karma: 5840130
Join Date: Feb 2012
Device: Too many.
Quote:
Originally Posted by twobob
My iptables fu is weak today... but I will have a quick play.
Heck, that's a lot of IPs.
Now... ranges... let me go read some things... IIRC they weren't supported.

Nope... I'm wrong:
Hmm... let's see if we support that.

iptables -I OUTPUT -p tcp -m iprange --src-range 23.0.0.1-23.15.255.254 -j DROP
NOTE: The order is important in this case, I think. First match wins IIRC, so -I is important in the OUTPUT DROP ruleset, pre-pending the general ACCEPT all.

So yup, looks like that would be a working solution if extrapolated from my single worked example and KNC1's list.

HTH
Suggestion: Remove the protocol qualification from the rule.
Fix: That should be "--dst-range" addresses to block on output, not the source addresses.

Last edited by knc1; 10-08-2012 at 07:42 PM.
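The corrected rule shape from the exchange above (no -p qualifier, --dst-range rather than --src-range, inserted with -I so it is evaluated ahead of the general ACCEPT), as an added example that is not code from either poster. It takes a list of IPv4 ranges, sanity-checks each one, and prints the iptables command for every valid range; the range list is constructed for the demo, and the commands are printed rather than executed, so it runs without root. Nothing here is a Kindle- or MobileRead-specific tool.

```shell
#!/bin/sh
# Added example, not code from the thread: build OUTPUT DROP rules for a list of
# IPv4 ranges using the corrected form (no protocol match, --dst-range), with a
# sanity check on each range so a typo never silently becomes a wrong rule.

# valid_ip A.B.C.D -> status 0 when the argument is a dotted quad with octets 0-255
valid_ip() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;   # digits and dots only, no empty octet
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac     # no leading zeros (shell reads them as octal)
        [ "$o" -le 255 ] || return 1
    done
}

# ip2int A.B.C.D -> the address as one integer, used only to order the two ends
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_range START-END -> status 0 when both ends are valid addresses and START <= END
valid_range() {
    case "$1" in
        *-*-*|*-|-*) return 1 ;;   # more than one dash, or a missing end
        *-*) ;;
        *) return 1 ;;             # no dash at all: a single address is not a range
    esac
    start=${1%-*}; end=${1#*-}
    valid_ip "$start" && valid_ip "$end" || return 1
    [ "$(ip2int "$start")" -le "$(ip2int "$end")" ]
}

# block_rule START-END -> the iptables command that drops outbound traffic to the range.
# -I inserts at the head of OUTPUT so the DROP is matched before a general ACCEPT;
# no -p, so TCP, UDP and ICMP to the range are all covered by the one rule.
block_rule() {
    printf 'iptables -I OUTPUT -m iprange --dst-range %s -j DROP\n' "$1"
}

# emit_rules: read ranges from stdin, one per line, print a rule per valid range,
# and report anything malformed on stderr instead of emitting a bad rule
emit_rules() {
    while read -r r; do
        [ -n "$r" ] || continue
        if valid_range "$r"; then
            block_rule "$r"
        else
            echo "skipping malformed range: $r" >&2
        fi
    done
}

# Constructed sample list: the range from the thread plus two deliberately bad lines
# (ends reversed, and an octet out of range), which emit_rules must reject.
SAMPLE_RANGES='23.0.0.1-23.15.255.254
23.15.255.254-23.0.0.1
23.0.0.1-23.0.256.1'

printf '%s\n' "$SAMPLE_RANGES" | emit_rules
```

Running the script prints one rule for the good range and two "skipping" messages on stderr. To apply a reviewed list for real, pipe the emitted lines through sh as root; keeping generation and execution separate makes it easy to eyeball the rules first, and `iptables -L OUTPUT -n --line-numbers` afterwards confirms the DROP entries sit above the ACCEPT.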