[svlug] Removing an entire subnet with iptables?

David Masten dmasten at piratelabs.org
Sun Nov 9 00:13:44 PST 2003


On Sat, 2003-11-08 at 23:00, dfox wrote:
> OK so I am a newbie at iptables and filtering :).

> Now, I'm trying to construct an ipchains rule to get rid of this site 
> (figuratively speaking, of course, at least drop its packets on the 
> floor). iptables -D INPUT -p tcp -s 61.187.156/32 -j DROP
> 
> Best I could come up with after reading the man pages was:
> 
> # iptables -A INPUT -p tcp -s 61.187.156/32 -j DROP
> 
> But that drops 61.187.0.156, not what I want.
> 
> I imagine I don't have to do one iptables for all 255 possible entries :(?

What you probably want is:
iptables -A INPUT -p tcp -s 61.187.156.0/24 -j DROP

(BTW, I'm not an iptables guru, but I do know networking.)

It looks like the only thing wrong is the source address. You always
want 4 numbers for the IP address. A network also has an IP address
(61.187.156.0 is the IP address for the entire subnet). The last part of
the source option, the '/xx' tells the system how big the network is,
more specifically the number of bits set to one in the subnet mask.
'/32' refers to a single IP address, or a mask of 255.255.255.255. '/24'
means a class C network, 255.255.255.0. '/23' would mean a subnet mask
of 255.255.254.0. And so on.

HTH,
Dave

-- 
David Masten <dmasten at piratelabs.org>
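As an added illustration (not part of Dave's reply or dfox's post), the script below reproduces the two points above in Python: the classic inet_aton shorthand that turns "61.187.156" into 61.187.0.156, and how a /xx prefix length becomes a subnet mask and decides which source addresses a rule matches. Function names are my own.

```python
import ipaddress


def expand_shorthand(addr: str) -> str:
    """Expand classic inet_aton shorthand to a dotted quad.

    a.b.c -> the last part fills the low 16 bits, so 61.187.156 is 61.187.0.156
    a.b   -> the last part fills the low 24 bits
    a     -> a single 32-bit value
    """
    parts = [int(p) for p in addr.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address: {addr!r}")
    value = 0
    for octet in parts[:-1]:             # leading parts are plain octets
        if not 0 <= octet <= 255:
            raise ValueError(f"bad octet in {addr!r}")
        value = (value << 8) | octet
    tail_bits = 8 * (5 - len(parts))     # bits left over for the final part
    if not 0 <= parts[-1] < (1 << tail_bits):
        raise ValueError(f"final part out of range in {addr!r}")
    value = (value << tail_bits) | parts[-1]
    return str(ipaddress.IPv4Address(value))


def netmask(prefix: int) -> str:
    """Dotted-quad mask for /prefix: `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def rule_matches(source_spec: str, src_ip: str) -> bool:
    """Would `-s source_spec` match a packet from src_ip?  No /xx means /32."""
    host, _, prefix = source_spec.partition("/")
    net = ipaddress.ip_network(
        f"{expand_shorthand(host)}/{prefix or 32}", strict=False)
    return ipaddress.IPv4Address(src_ip) in net


if __name__ == "__main__":
    # The rule from the original post versus the corrected one.
    for spec in ("61.187.156/32", "61.187.156.0/24", "61.187.156.0/23"):
        host, _, prefix = spec.partition("/")
        print(f"{spec:>18} -> {expand_shorthand(host)} mask {netmask(int(prefix))}")
        for ip in ("61.187.0.156", "61.187.156.1", "61.187.157.1"):
            print(f"    {ip:<14} matched: {rule_matches(spec, ip)}")
```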
