On Monday 28 April 2003 19:52, you wrote:
> On Monday 28 April 2003 19:41, you wrote:
> > On Monday 28 April 2003 18:14, John A. Sullivan III wrote:
> > > You can use the tool at http://subnetcreator.sourceforge.net/ to
> > > easily determine which subnets are contained in your IP address range.
> > > The same logic is being built into the iptables+ management tool being
> > > developed in http://iscs.sourceforge.net/ . However, even better, it
> > > appears there is a patch available in patch-o-matic that allows one to
> > > enter a range directly in iptables. I haven't tried it yet but hope to
> > > do so soon to replace that logic in ISCS. Good luck - John
> > >
> > > On Sun, 2003-04-27 at 10:06, netfilter-request@xxxxxxxxxxxxxxxxxxx
> > > wrote:
> > > > Message: 4
> > > > From: "Afshin Lamei" <linux_st@xxxxxxxxxxx>
> > > > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > > > Subject: How to block a range of IPs?
> > > > Date: Sun, 27 Apr 2003 10:41:54 +0430
> > > >
> > > > Hi,
> > > > How can I write a rule for a custom range of IPs? For example, I want
> > > > to block every WWW packet incoming from eth1 whose source is an IP
> > > > between 192.168.1.10 and 192.168.1.20.
> > > > Please help me write an example.
> > > > Thank you,
> > > > afshin
> >
> > AT_HOME_RANGE="213.51.16.0/21 213.51.24.0/21"
> >
> > ${ECHO} -n "Drop and log @HOME_USERS in range: "
> > for athomerange in ${AT_HOME_RANGE} ; do
> > ${IPTABLES} -A INPUT -i ${EXT_INTERFACE} -s ${athomerange} -m limit \
> > -j LOG --log-prefix "@HOME_USER:DROP "
> > ${IPTABLES} -A @HOME_CHK -i ${EXT_INTERFACE} -s ${athomerange} -j DROP
> > ${ECHO} -n "${athomerange} "
> > done
> >
> > This is an example of a line I use. If you wish to have more ranges,
> > you have to make a new rule like this, but with another name like
> > "AT_HOME_RANGE2".
> >
> > Good luck
> >
> > Pascal (PC-Secure)
>
> So in your picture it would be like this:
>
> EXT_INTERFACE="eth1"
> IPTABLES="/usr/bin/iptables"
> AT_HOME_RANGE="192.168.1.10/24 192.168.1.20/24"
>
> ${ECHO} -n "Drop and log @HOME_USERS in range: "
> for athomerange in ${AT_HOME_RANGE} ; do
> ${IPTABLES} -A INPUT -i ${EXT_INTERFACE} -s ${athomerange} -m limit \
> -j LOG --log-prefix "@HOME_USER:DROP "
> ${IPTABLES} -A INPUT -i ${EXT_INTERFACE} -s ${athomerange} -j DROP
> ${ECHO} -n "${athomerange} "
> done
>
> Ready and go
>
> Pascal (PC-Secure)

OK, I forgot your wish for the www port, so here it is:

EXT_INTERFACE="eth1"   # or INT_INTERFACE
IPTABLES="/usr/bin/iptables"
ECHO="echo"
# CIDR blocks covering exactly 192.168.1.10 - 192.168.1.20
# (192.168.1.10/24 would match the whole 192.168.1.0/24 network)
AT_HOME_RANGE="192.168.1.10/31 192.168.1.12/30 192.168.1.16/30 192.168.1.20/32"

${ECHO} -n "Drop and log @HOME_USERS in range: "
for athomerange in ${AT_HOME_RANGE} ; do
# --dport needs a port-based protocol, so -p tcp rather than -p all
${IPTABLES} -A INPUT -i ${EXT_INTERFACE} -p tcp -s ${athomerange} \
--dport 80 -m limit -j LOG --log-prefix "@HOME_USER:DROP "
${IPTABLES} -A INPUT -i ${EXT_INTERFACE} -p tcp -s ${athomerange} \
--dport 80 -j DROP
${ECHO} -n "${athomerange} "
done
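
Added example, not part of the original thread or of any tool named in it: a /24 mask on 192.168.1.10, as used in the quoted scripts, matches all of 192.168.1.0/24, so this POSIX shell sketch computes the CIDR blocks that cover exactly the requested range and prints (does not run) the port-80 DROP rules. The function names `ip_to_int`, `int_to_ip`, `range_to_cidrs` and `emit_block_rules` are hypothetical, and the INPUT chain and eth1 are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): cover an inclusive IPv4 range with
# the fewest CIDR blocks, then print the iptables rules without running them.

# Dotted quad -> integer. The subshell body keeps the IFS change local.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs FIRST LAST -> one CIDR block per line
range_to_cidrs() (
    cur=$(ip_to_int "$1")
    end=$(ip_to_int "$2")
    while [ "$cur" -le "$end" ]; do
        # Grow the block while it stays aligned on $cur and inside the range.
        size=1
        prefix=32
        while [ "$prefix" -gt 0 ] \
              && [ $(( cur & (size * 2 - 1) )) -eq 0 ] \
              && [ $(( cur + size * 2 - 1 )) -le "$end" ]; do
            size=$(( size * 2 ))
            prefix=$(( prefix - 1 ))
        done
        echo "$(int_to_ip "$cur")/$prefix"
        cur=$(( cur + size ))
    done
)

# emit_block_rules IFACE FIRST LAST -> iptables commands on stdout
emit_block_rules() {
    for net in $(range_to_cidrs "$2" "$3"); do
        echo "iptables -A INPUT -i $1 -p tcp -s $net --dport 80 -j DROP"
    done
}

# The range asked about in the thread: yields /31, /30, /30 and /32 blocks.
emit_block_rules eth1 192.168.1.10 192.168.1.20
```

Where the iprange match is available, `-m iprange --src-range 192.168.1.10-192.168.1.20` expresses the same range in a single rule.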