[svlug] Removing an entire subnet with iptables?
dmasten at piratelabs.org
Sun Nov 9 00:13:44 PST 2003
On Sat, 2003-11-08 at 23:00, dfox wrote:
> OK so I am a newbie at iptables and filtering :).
> Now, I'm trying to construct an ipchains rule to get rid of this site
> (figuratively speaking, of course, at least drop its packets on the
> floor).
> iptables -D INPUT -p tcp -s 61.187.156/32 -j DROP
> Best I could come up with after reading the man pages was:
> # iptables -A INPUT -p tcp -s 61.187.156/32 -j DROP
> But that drops 184.108.40.206, not what I want.
> I imagine I don't have to do one iptables for all 255 possible entries :(?
What you probably want is:
iptables -A INPUT -p tcp -s 220.127.116.11/24 -j DROP
(BTW, I'm not an iptables guru, but I do know networking.)
It looks like the only thing wrong is the source address. You always
want 4 numbers for the IP address. A network also has an IP address
(18.104.22.168 is the IP address for the entire subnet). The last part of
the source option, the '/xx' tells the system how big the network is,
more specifically the number of bits set to one in the subnet mask.
'/32' refers to a single IP address, or a mask of 255.255.255.255. '/24'
means a class C network, 255.255.255.0. '/23' would mean a subnet mask
of 255.255.254.0. And so on.
David Masten <dmasten at piratelabs.org>
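As an added example (not from this thread, and not part of iptables itself), here is a small Python model of what the '/xx' in the -s option does: it turns the prefix length into the netmask described above and then compares only the masked bits, which is the test the kernel applies to a packet's source address. The addresses used are constructed from the 61.187.156 network in the question; the three-octet rejection mirrors the "always want 4 numbers" advice.

```python
def prefix_to_mask(prefix: int) -> str:
    """Turn a CIDR prefix length (the '/xx') into a dotted netmask:
    /32 -> 255.255.255.255, /24 -> 255.255.255.0, /23 -> 255.255.254.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: /{prefix}")
    # The top 'prefix' bits of the 32-bit mask are set to one.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_to_int(addr: str) -> int:
    """Parse a dotted-quad address into a 32-bit integer.
    Exactly four octets are required: inet_aton-style parsers accept a
    three-part form and fill the missing byte in the middle, which is how a
    spec like 61.187.156 ends up naming a single unexpected host."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"need 4 octets, got {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def rule_matches(source_spec: str, addr: str) -> bool:
    """Would '-s source_spec' match a packet from addr?  Only the bits set
    in the netmask are compared; the host bits are ignored."""
    network, _, prefix = source_spec.partition("/")
    prefix_len = int(prefix) if prefix else 32   # bare address = single host
    mask = ip_to_int(prefix_to_mask(prefix_len))
    return (ip_to_int(network) & mask) == (ip_to_int(addr) & mask)


def address_count(source_spec: str) -> int:
    """How many addresses one '-s' spec covers (so one /24 rule replaces
    the 256 single-host rules the question worried about)."""
    _, _, prefix = source_spec.partition("/")
    prefix_len = int(prefix) if prefix else 32
    return 2 ** (32 - prefix_len)


if __name__ == "__main__":
    # Constructed addresses based on the 61.187.156 network from the question.
    for spec in ("61.187.156.0/24", "61.187.156.0/23", "61.187.156.9/32"):
        print(spec, prefix_to_mask(int(spec.split("/")[1])), address_count(spec),
              rule_matches(spec, "61.187.157.1"))
```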