bewerbungsadresse@xxxxxx wrote on 2003-11-05:
> is it possible to prevent spoofing attacks to 172.16.0.0-172.31.255.255
> something like that
> iptables -A INPUT -p tcp -s 172.16.0.0/255.31.0.0 -d $INET_IP -i ppp0 -j SPOOFED
>
> but i think the rule above is wrong

It is. Netmasks are comprised of a sequence of 0..* ones followed by a
sequence of 0..* zeroes, which is why you can write them as /nn, nn being
the number of ones.

255.31.0.0 = 1111 1111 0000 1111 0000 0000 0000 0000

What you want is

1111 1111 1111 0000 0000 0000 0000 0000 -> /12 if you want it easy,
255.240.0.0 if you like doing binary conversion.

> so: is it possible at all?
> or do i have to write a loop or all single ip-ranges manually?

Not in this case (since you've got an area that fits exactly into a /12).

ciao,
-- 
[*Thomas Themel*]    While differing widely in the various little bits we know,
[extended contact]   in our infinite ignorance we are all equal.
[info provided in]
[*message header*]                                        - Karl Popper
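
An added example, not part of the original message: a Python check for the ones-then-zeroes netmask form described in the reply, plus a reduction of an address range to the fewest CIDR blocks. It goes beyond the single /12 case to ranges that need more than one rule. The function names and the second sample range are constructed for illustration; the rule template is the one quoted above.

```python
import ipaddress


def is_contiguous_mask(mask: str) -> bool:
    """True if the dotted-quad mask is a run of ones followed by a run of zeroes."""
    value = int(ipaddress.IPv4Address(mask))
    inverted = ~value & 0xFFFFFFFF          # host bits become ones
    # A contiguous mask inverts to 2**k - 1, and (2**k - 1) & 2**k == 0.
    return (inverted & (inverted + 1)) == 0


def mask_to_prefix(mask: str) -> int:
    """Convert a contiguous dotted-quad mask to its /nn prefix length."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"{mask} is not a valid netmask (ones and zeroes are interleaved)")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Smallest list of CIDR blocks that covers first..last exactly."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
    return [str(block) for block in blocks]


def spoof_rules(first: str, last: str) -> list[str]:
    """One rule per CIDR block, using the rule shape from the quoted question."""
    template = "iptables -A INPUT -p tcp -s {src} -d $INET_IP -i ppp0 -j SPOOFED"
    return [template.format(src=cidr) for cidr in range_to_cidrs(first, last)]


if __name__ == "__main__":
    for mask in ("255.31.0.0", "255.240.0.0"):
        print(mask, "contiguous" if is_contiguous_mask(mask) else "NOT contiguous")
    print("prefix for 255.240.0.0:", mask_to_prefix("255.240.0.0"))

    # The range from the question fits one block; the second range is a
    # constructed sample that does not, so it yields two rules.
    for first, last in (("172.16.0.0", "172.31.255.255"),
                        ("172.16.0.0", "172.32.255.255")):
        print(f"\n{first} - {last}")
        for rule in spoof_rules(first, last):
            print(" ", rule)
```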