[svlug] Removing an entire subnet with iptables?

David Masten dmasten at piratelabs.org
Sun Nov 9 00:13:44 PST 2003

On Sat, 2003-11-08 at 23:00, dfox wrote:
> OK so I am a newbie at iptables and filtering :).

> Now, I'm trying to construct an ipchains rule to get rid of this site 
> (figuratively speaking, of course, at least drop its packets on the 
> floor). iptables -D INPUT -p tcp -s 61.187.156/32 -j DROP
> Best I could come up with after reading the man pages was:
> # iptables -A INPUT -p tcp -s 61.187.156/32 -j DROP
> But that drops, not what I want.
> I imagine I don't have to do one iptables for all 255 possible entries :(?

What you probably want is:
iptables -A INPUT -p tcp -s -j DROP

(BTW, I'm not an iptables guru, but I do know networking.)

It looks like the only thing wrong is the source address. You always
want 4 numbers for the IP address. A network also has an IP address
( is the IP address for the entire subnet). The last part of
the source option, the '/xx' tells the system how big the network is,
more specifically the number of bits set to one in the subnet mask.
'/32' refers to a single IP address, or a mask of '/24'
means a class C network, '/23' would mean a subnet mask
of And so on.


David Masten <dmasten at piratelabs.org>
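The CIDR arithmetic David describes, as an added example that is not part of the original thread: a small Python script (using only the standard-library `ipaddress` module) that turns a prefix length into the dotted-quad mask, shows which hosts a `/32`, `/24` or `/23` source actually selects, builds the corresponding `iptables` DROP command as a string, and demonstrates that the three-octet form quoted above is rejected as an address. The function names and the RFC 5737 documentation addresses used as sample input are assumptions made for this example; nothing here runs `iptables` itself.

```python
"""CIDR helper: what the '/xx' in an iptables -s argument actually selects."""
import ipaddress


def prefix_to_netmask(prefix_len: int) -> str:
    """Dotted-quad subnet mask with `prefix_len` leading one bits (24 -> 255.255.255.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    # Shift a run of 32 one bits left, keep the low 32 bits: ones on the left, zeros on the right.
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def to_network(source: str) -> ipaddress.IPv4Network:
    """Parse an 'a.b.c.d/xx' source spec; strict=False zeroes any host bits.

    A three-octet form such as '61.187.156/32' raises ValueError, which is the
    point made in the thread: an IPv4 address always needs all four numbers.
    """
    return ipaddress.ip_network(source, strict=False)


def drop_rule(source: str) -> str:
    """The iptables command that drops TCP from the whole network named by `source`."""
    net = to_network(source)
    return f"iptables -A INPUT -p tcp -s {net.with_prefixlen} -j DROP"


def covered_hosts(source: str, candidates: list[str]) -> list[str]:
    """Return those of `candidates` that a rule for `source` would match."""
    net = to_network(source)
    return [host for host in candidates if ipaddress.IPv4Address(host) in net]


if __name__ == "__main__":
    # Constructed sample input: RFC 5737 documentation addresses, not a real site.
    probes = ["192.0.2.1", "192.0.2.200", "192.0.3.7", "198.51.100.9"]
    for spec in ("192.0.2.0/32", "192.0.2.0/24", "192.0.2.0/23"):
        prefix = int(spec.split("/")[1])
        print(f"{spec:14} mask {prefix_to_netmask(prefix):16} matches {covered_hosts(spec, probes)}")
        print("   ", drop_rule(spec))
    try:
        to_network("61.187.156/32")
    except ValueError as err:
        print("three-octet form rejected:", err)
```

Running it shows why the quoted `/32` rule dropped only one host: a `/32` mask is 255.255.255.255, so only the exact address matches, while `/24` (255.255.255.0) matches every host in the third-octet block and `/23` (255.255.254.0) matches two adjacent such blocks. Because `to_network` zeroes host bits, passing any address inside the block (say `192.0.2.77/24`) still yields the canonical `192.0.2.0/24` in the generated rule.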
