Originally Posted by twobob
my iptables Fu is weak today... but I will have a quick play.
heck that's a lot of IP's
now... ranges.. let me go read some things... IIRC they weren't supported.
Nope.. I'm wrong:
hmm.. let's see if we support that.
iptables -I OUTPUT -p tcp -m iprange --src-range 22.214.171.124-126.96.36.199 -j DROP
NOTE: The order is important in this case I think. first match wins IIRC, so -I is important in the OUTPUT DROP ruleset. pre-pending the general ACCEPT all.
So yup looks like that would be a working solution if extrapolated from my single worked example and KNC1's list.
Suggestion: Remove the protocol qualification from the rule.
Fix: That should be "--dst-range" addresses to block on output, not the source addresses.