Linux Netfilter discussions
* How to block a range of IPs?
From: Afshin Lamei @ 2003-04-27  6:11 UTC (permalink / raw)
  To: netfilter

Hi,
How can I write a rule for a custom range of IPs? For example, I want to 
block every WWW packet incoming from eth1 whose source is an IP between 
192.168.1.10 and 192.168.1.20.
Please help me by writing an example.
Thank you,
afshin






* RE: How to block a range of IPs?
From: Michael K @ 2003-04-27  7:25 UTC (permalink / raw)
  To: 'Afshin Lamei', netfilter




You can't, but if you subnet, the closest will be 192.168.1.1 to
192.168.0.14 using mask 255.255.255.240.
Or 192.168.1.1 to 192.168.0.30 using mask 255.255.255.224.

Example:
iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/255.255.255.240 --dport www -j DROP

/Klintan





* Re: How to block a range of IPs?
From: Cedric Blancher @ 2003-04-27  9:26 UTC (permalink / raw)
  To: Afshin Lamei; +Cc: netfilter

On Sun 27/04/2003 at 08:11, Afshin Lamei wrote:
> How can I write a rule for a custom range of IPs? for example, I want to 
> block every WWW packet incoming from eth1, which source is an IP between 
> 192.168.1.10 and 192.168.1.20.

A bit off topic, but there is a quite wonderful tool for this kind of situation:
netmask, distributed with Debian, allows you to find all subnets that
cover an arbitrary IP range:

	cbr@elendil:~$ netmask 192.168.1.10:192.168.1.20
	   192.168.1.10/31
	   192.168.1.12/30
	   192.168.1.16/30
	   192.168.1.20/32

Now you have covered your range; just implement your 4 rules.

The other solution is to find a single subnet that covers your whole
range. In your case, the minimal one seems to be 192.168.1.1/27, which covers
from 192.168.1.1 to 192.168.1.31.

	cbr@elendil:~$ netmask -r 192.168.1.1/27
	    192.168.1.0-192.168.1.31    (32)

Now you have a single rule, but it covers a much larger range than you
need.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
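To make the two approaches above concrete, here is an added example (mine, not code from the thread or from the netmask tool) that reimplements the range-to-CIDR decomposition netmask performs, computes how many extra addresses the single enclosing subnet blocks, and emits the corresponding iptables rules for the original question; the interface (eth1), the WWW port and the iprange form are taken from the thread, the function names are my own.

```python
import ipaddress

def _ints(first, last):
    """Parse the two ends of an inclusive IPv4 range into integers."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after range end")
    return lo, hi

def range_to_cidrs(first, last):
    """Exact cover of first..last with CIDR blocks, as `netmask a:b` prints it.
    Greedy: take the largest power-of-two block that starts aligned at cur and
    does not run past the end, then continue right after it."""
    cur, end = _ints(first, last)
    blocks = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        blocks.append(f"{ipaddress.IPv4Address(cur)}/{33 - size.bit_length()}")
        cur += size
    return blocks

def enclosing_cidr(first, last):
    """Smallest single CIDR block containing the whole range, plus the number of
    addresses outside the range that it also matches (the over-blocking cost)."""
    lo, hi = _ints(first, last)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    host_bits = 32 - prefix
    base = (lo >> host_bits) << host_bits
    return f"{ipaddress.IPv4Address(base)}/{prefix}", (1 << host_bits) - (hi - lo + 1)

def drop_rules(first, last, iface="eth1", dport=80):
    """One DROP rule per covering block for WWW (tcp/80) arriving on iface."""
    return [f"iptables -A INPUT -i {iface} -p tcp -s {cidr} --dport {dport} -j DROP"
            for cidr in range_to_cidrs(first, last)]

def drop_rule_iprange(first, last, iface="eth1", dport=80):
    """Same policy as a single rule using the iprange match (patch-o-matic)."""
    return (f"iptables -A INPUT -i {iface} -p tcp -m iprange "
            f"--src-range {first}-{last} --dport {dport} -j DROP")

if __name__ == "__main__":
    for rule in drop_rules("192.168.1.10", "192.168.1.20"):
        print(rule)
    print(enclosing_cidr("192.168.1.10", "192.168.1.20"))  # ('192.168.1.0/27', 21)
```

For the range in the question the exact cover is the same four blocks netmask printed, while the single /27 also matches 21 addresses that were never meant to be blocked.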



* RE: How to block a range of IPs?
From: Martin Josefsson @ 2003-04-27 10:42 UTC (permalink / raw)
  To: Michael K; +Cc: 'Afshin Lamei', Netfilter

On Sun, 2003-04-27 at 09:25, Michael K wrote:
> You can't, but if you subnet, the closest will be 192.168.1.1 to
> 192.168.0.14 using mask 255.255.255.240.
> Or 192.168.1.1 to 192.168.0.30 using mask 255.255.255.224.

Actually you can... with the new iprange match in patch-o-matic.

-- 
/Martin



* FWD: Re: How to block a range of IPs?
From: Julius Wijaya @ 2003-04-27 11:45 UTC (permalink / raw)
  To: Afshin Lamei, netfilter

I have been told something like this, but haven't tried it yet.

On Sat, 19 Apr 2003, Magosányi Árpád wrote:

> My mailer believes that Wijaya, J. wrote the following:
> > I am trying to block yahoo messenger for my LAN, but only on a certain ip
> > range, how can I do this? I already read some articles that we can't do
> > this with iptables, but is there any other way to work around this task??
>
> I ran into the problem just two days ago. József Kadlecsik made some
> vague promise-like statements on the phone about writing a match for the
> ip range case.

I have just committed the iprange match in the netfilter cvs
as a base patch in patch-o-matic.

The new match makes it possible to match source/destination IP addresses
against inclusive IP address ranges.

Examples:

iptables -A FORWARD -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT
iptables -A FORWARD -m iprange --dst-range 10.0.0.0-10.5.255.255 -j ACCEPT

Visit http://www.netfilter.org on how to access the cvs repository.

Best regards,
Jozsef
--
E-mail : kadlec@sunserv.kfki.hu, kadlec@blackhole.kfki.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: KFKI Research Institute for Particle and Nuclear Physics
         H-1525 Budapest 114, POB. 49, Hungary



* iptables with LDAP authentication
From: Yogesh Subhash Talekar @ 2003-04-28 12:34 UTC (permalink / raw)
  To: netfilter

hi,

I have a full Class C real IP network. All departments have their own Linux
servers and the last IP (X.X.X.254) is given to the CISCO router which is
our gateway to the Internet. Currently I have an OpenBSD firewall configured as
a bridge with IP-filter.

Now I want to go with a Linux firewall, if it will have the following features:

1. It will run an IP-tables firewall and will authenticate everyone (rather,
each session for each type of service .. http, ftp, ssh etc.) against the
central LDAP server which is on some other server.

2. It will put bandwidth restrictions on each campus departmental
server. (it is possible with tc/qdisc)

All I want to know is ... is it possible to authenticate the traffic
flowing thro' a Linux ip-tables bridging firewall against a central
OpenLDAP database?
Will it maintain the sessions for each user separately for HTTP (Squid?),
FTP and telnet or ssh? Is it possible to log per-head traffic and ban
them if they exceed some limit (say 200 MB per month)?

Any suggestions / links / advice will be highly appreciated.

thanks in advance

--yogesh






* Re: iptables with LDAP authentication
From: Alex Nee @ 2003-04-29  3:54 UTC (permalink / raw)
  To: lists.netfilter

Would it be possible to maybe get an LDAP server to inject
rules as needed via an SSH tunnel into the gateway as people were
authenticated ...

Then, as for quotas, use the ipt_quota PoM patch (works well for me).
There is also talk on the developer IRC channels that ipt_quota may be
getting hard & soft limit options as well, so established & related connections
won't be hard cut off at the limit,
effectively allowing a lot of clients to finish their web surfing etc.
before they get cut off permanently (until a quota resets or an admin renews
it for them).


* RE: iptables with LDAP authentication
From: Khanh Tran @ 2003-04-30  1:05 UTC (permalink / raw)
  To: yogesh, netfilter

Check out: 

http://www.linuxselfhelp.com/HOWTO/Authentication-Gateway-HOWTO/setup.html

Scroll down to section 3.2.  It has a link to an iptables PAM module that
supposedly will insert the proper iptables lines to allow the authenticated
client access through the firewall.  Hope this helps...

Khanh Tran
Network Operations
Sarah Lawrence College



* Re: iptables with LDAP authentication
From: Stefan Nehlsen @ 2003-04-30 13:40 UTC (permalink / raw)
  To: netfilter

On Tue, Apr 29, 2003 at 09:05:32PM -0400, Khanh Tran wrote:
> Check out: 
> 
> http://www.linuxselfhelp.com/HOWTO/Authentication-Gateway-HOWTO/setup.html
> 
> Scroll down to the 3.2 section.  It has a link to a iptables PAM that
> supposedly will insert the proper iptables lines to allow the authenticated
> client access through the firewall.  Hope this helps...

How about using ippool?

Instead of adding and deleting rules, it seems easier to me to
filter on pools.

Modifications will be made to the pools.

What is the status of the pool-stuff?

Does it work?

Is it in use?


cu, Stefan


-- 
Stefan Nehlsen | ParlaNet Administration | sn@parlanet.de | +49 431 988-1260

