Linux Netfilter discussions
* IP-Range and Subnetmask
@ 2003-11-05 21:20 Bewerbungsadresse@web.de
  2003-11-05 21:42 ` Thomas Themel
  0 siblings, 1 reply; 5+ messages in thread
From: Bewerbungsadresse@web.de @ 2003-11-05 21:20 UTC
  To: netfilter

hi

I've a simple question

is it possible to prevent spoofing attacks to 172.16.0.0-172.31.255.255 
on the external internet IP in one rule?

something like that

iptables -A INPUT -p tcp -s 172.16.0.0/255.31.0.0 -d $INET_IP -i ppp0 -j SPOOFED

???

but I think the rule above is wrong
so: is it possible at all?
or do I have to write a loop or all single IP ranges manually?

thx
greez



* RE: IP-Range and Subnetmask
@ 2003-11-06 11:18 Martin Ferrari - Decidir IT
  0 siblings, 0 replies; 5+ messages in thread
From: Martin Ferrari - Decidir IT @ 2003-11-06 11:18 UTC
  To: 'netfilter@lists.netfilter.org'

Use the CIDR notation:

172.16.0.0/12

ex.: iptables -A INPUT -p tcp -s 172.16.0.0/12 -d $INET_IP -i ppp0 -j SPOOFED

> From: Bewerbungsadresse@web.de [mailto:bewerbungsadresse@web.de]
> Sent: Wednesday, November 05, 2003 6:21 PM

> is it possible to prevent spoofing attacks to 172.16.0.0-172.31.255.255
> on the external internet IP in one rule?
>
> something like that
>
> iptables -A INPUT -p tcp -s 172.16.0.0/255.31.0.0 -d $INET_IP -i ppp0 -j SPOOFED

This was wrong, as the netmask should have been 255.240.0.0; the former
netmask was invalid.
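
Added example, not part of the original thread: a shell check that a dotted netmask is contiguous and what it is as a CIDR prefix, plus a comparison of which sources 255.240.0.0 and 255.31.0.0 would cover for 172.16.0.0. The helper names and sample addresses are constructed for illustration, and the match test assumes the plain bitwise rule (src AND mask) == (net AND mask).

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample addresses are constructed.

# Dotted quad -> 32-bit integer (subshell body keeps the IFS change local).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Print the CIDR prefix length of a netmask; fail if its 1-bits are not contiguous.
mask_to_prefix() (
    m=$(ip_to_int "$1")
    inv=$(( ~m & 4294967295 ))
    # A contiguous mask inverted is 2^k - 1, so inv & (inv + 1) must be 0.
    [ $(( inv & (inv + 1) )) -eq 0 ] || exit 1
    n=0
    while [ "$inv" -ne 0 ]; do inv=$(( inv >> 1 )); n=$(( n + 1 )); done
    echo $(( 32 - n ))
)

# Succeed when src falls in net/mask, assuming (src & mask) == (net & mask).
matches() (
    s=$(ip_to_int "$1"); n=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( s & m )) -eq $(( n & m )) ]
)

# Compare the corrected mask with the one from the question.
for mask in 255.240.0.0 255.31.0.0; do
    if p=$(mask_to_prefix "$mask"); then
        echo "$mask is contiguous, same as /$p"
    else
        echo "$mask is not a contiguous netmask"
    fi
    for src in 172.16.0.1 172.20.5.5 172.31.255.255 172.32.0.1 172.48.0.1; do
        if matches "$src" 172.16.0.0 "$mask"; then r="match"; else r="no match"; fi
        echo "  $src: $r"
    done
done
```

Under that bitwise rule, 255.31.0.0 covers 172.16.x.x but not 172.17 through 172.31, and it also covers 172.48.x.x, which lies outside the intended range.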


