10-08-2012, 07:14 PM   #18
twobob
Device: PW-WIFI|K5-3G+WIFI| K4|K3-3G|DXG|K2| Rooted Nook Touch
My iptables Fu is weak today... but I will have a quick play.


THE RANGES CONVERTED TO HUMAN
23.0.0.0/12 = 23.0.0.1 - 23.15.255.254

50.16.0.0/14 = 50.16.0.1 - 56.19.255.254

72.21.192.0/19 = 72.21.192.1 - 72.21.223.254

107.20.0.0/14 = 107.20.0.1 - 107.23.255.254

184.72.0.0/15 = 184.72.0.1 - 184.75.255.254

204.246.160.0/19 = 204.246.160.1 - 204.246.191.254

205.251.192.0/18 = 205.251.192.1 - 205.251.255.254

207.171.160.0/19 = 207.171.160.1 - 207.171.191.254

Heck, that's a lot of IPs.
Now... ranges... let me go read some things. IIRC they weren't supported.

Nope... I'm wrong:

WHY I'M WRONG
Quote:
However, newer versions do support an option that allows you to specify a range of IP addresses or ports for regular tables such as INPUT.

Iptables set range of IP addresses

You need to use the following options with match extensions (-m Ext).

iprange : This matches on a given arbitrary range of IPv4 addresses.

[!]--src-range ip-ip: Match source IP in the specified range.
[!]--dst-range ip-ip: Match destination IP in the specified range.
Syntax:

-m iprange --src-range IP-IP -j ACTION
-m iprange --dst-range IP-IP -j ACTION

For example, to allow incoming requests on port 22 only for source IPs in the 192.168.1.100-192.168.1.200 range, you need to add something like the following to your iptables script:

iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT



Hmm... let's see if we support that.

iptables -I OUTPUT -m iprange --dst-range 23.0.0.1-23.15.255.254 -j DROP


Quote:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere destination IP range 23.0.0.1-23.15.255.254
ACCEPT all -- anywhere localhost.localdomain
NOTE: The order is important in this case, I think. First match wins IIRC, so -I is important in the OUTPUT DROP ruleset, prepending it to the general ACCEPT all.

So yup, looks like that would be a working solution if extrapolated from my single worked example and KNC1's list.

HTH

EDIT:

HOWEVER ON A 3 THIS GIVES:

Quote:
[root@kindle fonts]# iptables -I OUTPUT -m iprange --dst-range 23.0.0.1-23.15.255.254 -j DROP
iptables v1.3.8: Couldn't load match `iprange':/usr/lib/iptables/libipt_iprange.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
So... err, I was half right: it works on a 5, not on the older devices.

Last edited by twobob; 10-08-2012 at 07:41 PM. Reason: tested it as working
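The post above hits two practical points: the CIDR-to-range arithmetic (done by hand in the spoiler), and the fact that the `iprange` match is a loadable module that the K3's iptables 1.3.8 simply does not ship. The script below is an added example (not twobob's or KNC1's code) that does both in plain POSIX sh: it converts each CIDR block to a `first-last` range covering the whole block (network and broadcast addresses included, so the ends differ from the `.1`/`.254` endpoints listed in the post), checks whether this iptables build can load `iprange`, and prints the OUTPUT DROP rules in whichever form will work. The plain `-d a.b.c.d/len` form needs no match module at all, so it is the one to reach for on the older devices. The `BLOCKS` list is the one quoted in the thread; the `have_iprange` probe (`iptables -m iprange -h`) is my assumption of a portable way to test module availability, based on the error message shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Builds OUTPUT DROP rules for a list
# of CIDR blocks two ways: plain "-d a.b.c.d/len" (works on any iptables, no
# match module needed) and "-m iprange --dst-range first-last" (needs the
# iprange match, which iptables 1.3.8 on the K3 could not load).
# Pure POSIX sh arithmetic; the CIDR list is the one quoted in the thread.

BLOCKS="23.0.0.0/12 50.16.0.0/14 72.21.192.0/19 107.20.0.0/14 184.72.0.0/15
204.246.160.0/19 205.251.192.0/18 207.171.160.0/19"

# int_to_ip N -> dotted quad
int_to_ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                         $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# cidr_to_range a.b.c.d/len -> "first-last" covering the whole block
# (network and broadcast addresses included: if nothing in the block should be
# reached, the range handed to --dst-range must include them too).
cidr_to_range() {
    addr=${1%/*}; len=${1#*/}
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    first=$(( n & mask ))
    last=$(( first | (~mask & 4294967295) ))
    printf '%s-%s' "$(int_to_ip "$first")" "$(int_to_ip "$last")"
}

# have_iprange: can this iptables build load the iprange match? (Assumed probe:
# asking for help with -m iprange fails with "Couldn't load match" when the
# module is missing, exactly the error the K3 printed in the post.)
have_iprange() {
    command -v iptables >/dev/null 2>&1 && iptables -m iprange -h >/dev/null 2>&1
}

# emit_rules MODE CIDR... -> one iptables command per block.
# -I (insert at the top) rather than -A: the DROPs must sit above any existing
# blanket ACCEPT in OUTPUT, because iptables stops at the first matching rule.
emit_rules() {
    mode=$1; shift
    for blk in "$@"; do
        case $mode in
            iprange) printf 'iptables -I OUTPUT -m iprange --dst-range %s -j DROP\n' \
                            "$(cidr_to_range "$blk")" ;;
            *)       printf 'iptables -I OUTPUT -d %s -j DROP\n' "$blk" ;;
        esac
    done
}

# Pick the form that works on this box; pipe the output into sh (as root) to apply.
if have_iprange; then mode=iprange; else mode=cidr; fi
emit_rules "$mode" $BLOCKS
```

Running it prints the rule set rather than applying it, so you can eyeball the ranges first (note that the `/14` and `/15` blocks end at `.19.255.255` and `.73.255.255` respectively). On a K5 it will emit the `--dst-range` form; on a K3 it falls back to `-d CIDR`, which achieves the same block without the missing `libipt_iprange.so`.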