Old 10-08-2012, 08:36 PM   #19
knc1
Helpdesk Junkie
Posts: 6,818
Karma: 6314522
Join Date: Feb 2012
Device: Too many.
Quote:
Originally Posted by twobob
My iptables Fu is weak today... but I will have a quick play.
heck that's a lot of IP's
now... ranges.. let me go read some things... IIRC they weren't supported.

Nope.. I'm wrong:
hmm.. let's see if we support that.

iptables -I OUTPUT -p tcp -m iprange --src-range 23.0.0.1-23.15.255.254 -j DROP
NOTE: The order is important in this case, I think. First match wins, IIRC, so -I is important in the OUTPUT DROP ruleset, prepending the general ACCEPT all.

So yup, looks like that would be a working solution if extrapolated from my single worked example and KNC1's list.

HTH
Suggestion: Remove the protocol qualification from the rule.
Fix: That should be "--dst-range"; the addresses to block on output are destination addresses, not the source addresses.


Last edited by knc1; 10-08-2012 at 08:42 PM.
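As an added example (not code from twobob's or knc1's posts), here is a small POSIX shell script that generates the OUTPUT rules in the corrected form knc1 describes: --dst-range rather than --src-range, no -p tcp qualifier, and each rule inserted at position 1 of OUTPUT with -I so the DROPs sit ahead of the general ACCEPT, as twobob's note about first-match-wins requires. The range list is constructed for illustration. In "print" mode apply_ranges only echoes the commands, so it runs without root; "run" mode actually calls iptables, which needs root and a kernel with the iprange match.

```shell
#!/bin/sh
# Added example, not from the thread: build OUTPUT DROP rules for a list of
# destination IP ranges using the iprange match.

# Constructed sample list of destination ranges to block (a stand-in for the
# real list discussed in the thread).
BLOCK_RANGES="23.0.0.1-23.15.255.254
23.32.0.1-23.63.255.254"

# Print the iptables command that blocks traffic to one range on OUTPUT.
# -I OUTPUT 1 inserts at the top of the chain: the first matching terminating
# target wins, so a DROP appended after an ACCEPT-all would never fire.
# No -p qualifier: the block applies to every protocol, not only TCP.
# --dst-range, not --src-range: on OUTPUT our own address is the source.
build_rule() {
    printf 'iptables -I OUTPUT 1 -m iprange --dst-range %s -j DROP\n' "$1"
}

# Print the matching check command. iptables -C exits 0 when the rule already
# exists, so running it first keeps repeated invocations from stacking
# duplicate rules.
build_check() {
    printf 'iptables -C OUTPUT -m iprange --dst-range %s -j DROP\n' "$1"
}

# Accept only a dotted-quad "A-B" range so a malformed entry is rejected here,
# with a clear message, rather than failing inside iptables.
valid_range() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}-([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# apply_ranges MODE LIST
#   MODE "print": echo the check and insert commands for each range.
#   MODE "run":   insert each rule only if the check says it is absent
#                 (requires root and the iprange match).
# Returns the number of entries rejected by valid_range.
apply_ranges() {
    mode="$1"
    rejected=0
    for r in $2; do
        if ! valid_range "$r"; then
            echo "skipping malformed range: $r" >&2
            rejected=$((rejected + 1))
            continue
        fi
        if [ "$mode" = "run" ]; then
            eval "$(build_check "$r")" 2>/dev/null || eval "$(build_rule "$r")"
        else
            build_check "$r"
            build_rule "$r"
        fi
    done
    return "$rejected"
}

# Default invocation: show what would be applied, without touching the firewall.
apply_ranges print "$BLOCK_RANGES"
```

Once the printed rules look right, `apply_ranges run "$BLOCK_RANGES"` as root applies them; `iptables -L OUTPUT -n --line-numbers` afterwards should show the DROP rules above the general ACCEPT.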