Ah, so - I was wrong, iptables rules do take address ranges.
I must have been reading a very, very old manual page. Sorry.
You could put the blocking rules in output/postrouting.
If you wanted to keep track of things, you could add -j ULOG or -j LOG before each of the blocking rules.
That would write a log line of the specific IP address(es) in a range that are being used.
How I came up with the ranges was to do a 'whois' on each of the few addresses that I saw to find who and what size the address range belonged to.
My reasoning being, it is fairly easy to change a domain name, or even a machine's address, but to buy another entire address range, just to side-step a publicly posted block, would be an unlikely thing for Amazon to do.
Note 1: later in that thread the firmware does try to find IPv6 addresses -
If you have IPv6 connectivity there, it might be best to limit the machine to IPv4 only.
Note 2: It is very unlikely that this prevents 3G communications if your Kindle has 3G - that is a matter still to be dealt with.
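
The log-then-block ordering described in the post above, as an added example that is not part of the original post: a dry-run generator that prints one LOG rule followed by one DROP rule per destination range. The chain choice (OUTPUT), the log prefix, the function names and the ranges (RFC 5737 documentation addresses) are assumptions made for illustration.

```shell
#!/bin/sh
# Prints (does not run) iptables commands: a LOG rule, then a DROP rule,
# for each destination range. LOG is non-terminating, so it must come
# before the DROP rule or the packet is never logged.
# Ranges below are constructed placeholders (RFC 5737 documentation space).
RANGES="192.0.2.0/24 198.51.100.10-198.51.100.20"

# match_for RANGE -> prints the iptables match for a CIDR or start-end range
match_for() {
    case "$1" in
        *[!0-9./-]*|"") return 1 ;;      # only digits, '.', '/' and '-' allowed
        */*-*|*-*/*|*-*-*) return 1 ;;   # reject mixed or repeated separators
        */*) printf '%s' "-d $1" ;;                          # CIDR block
        *-*) printf '%s' "-m iprange --dst-range $1" ;;      # start-end range
        *)   printf '%s' "-d $1" ;;                          # single address
    esac
}

# emit_block_rules CHAIN RANGE... -> one LOG line + one DROP line per range
emit_block_rules() {
    chain=$1; shift
    for r in "$@"; do
        m=$(match_for "$r") || { echo "skipping invalid range: $r" >&2; continue; }
        echo "iptables -A $chain $m -j LOG --log-prefix \"blocked-out: \""
        echo "iptables -A $chain $m -j DROP"
    done
}

# Review the printed commands before applying them as root.
emit_block_rules OUTPUT $RANGES
```
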