I think this is what you are looking for:

# 172.16.0.0/12 covers exactly 172.16.0.0-172.31.255.255 (the RFC 1918 "class B" private block)
CLASS_B="172.16.0.0/12"
# Log, then drop, any packet arriving on the Internet-facing interface that claims a source address from that block
$IPT -t filter -A SPOOFING_RULES -i $FW_INET_IFACE -s $CLASS_B -j LOG --log-level $LOG_LEVEL --log-prefix "IP SPOOFING ATTEMPT: "
$IPT -t filter -A SPOOFING_RULES -i $FW_INET_IFACE -s $CLASS_B -j DROP

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Thomas Themel
Sent: Wednesday, November 05, 2003 1:42 PM
To: Bewerbungsadresse@xxxxxx
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: IP-Range and Subnetmask

bewerbungsadresse@xxxxxx wrote on 2003-11-05:
> is it possible to prevent spoofing attacks to 172.16.0.0-172.31.255.255
> something like that
> iptables -A INPUT -p tcp -s 172.16.0.0/255.31.0.0 -d $INET_IP -i ppp0 -j SPOOFED
>
> but i think the rule above is wrong

It is. Netmasks are comprised of a sequence of 0..* ones followed by a
sequence of 0..* zeroes, which is why you can write them as /nn, nn being
the number of ones.

255.31.0.0 = 1111 1111 0000 1111 0000 0000 0000 0000

What you want is

1111 1111 1111 0000 0000 0000 0000 0000

-> /12 if you want it easy, 255.240.0.0 if you like doing binary conversion.

> so: is it possible at all?
> or do i have to write a loop or all single ip-ranges manually?

Not in this case (since you've got an area that fits exactly into a /12).

ciao,
-- 
[*Thomas Themel*]  While differing widely in the various little bits we know,
[extended contact]  in our infinite ignorance we are all equal.
[info provided in]
[*message header*]  - Karl Popper
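As an added worked example (not code from this thread): a small Python script that does the netmask arithmetic described above, i.e. it rejects a non-contiguous mask such as 255.31.0.0, converts a valid one to its /nn prefix, checks whether an address range fits a single CIDR block, and otherwise emits one LOG/DROP rule pair per block so no manual loop is needed. The function names (mask_to_prefix, range_to_cidr, spoofing_rules) and the use of plain "iptables" instead of $IPT are my own assumptions.

```python
import ipaddress

def mask_to_prefix(mask: str):
    """Return the /nn prefix length of a dotted-quad netmask, or None when the
    mask is not a run of ones followed by a run of zeroes (an invalid mask).
    255.240.0.0 -> 12, 255.31.0.0 -> None."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {mask}")
    bits = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    ones = bin(bits).count("1")
    # A valid mask with `ones` one-bits has exactly this integer value.
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    return ones if bits == contiguous else None

def mask_bits(mask: str) -> str:
    """Dotted-quad mask written as 32 bits in groups of four, for eyeballing."""
    bits = "".join(f"{int(o):08b}" for o in mask.split("."))
    return " ".join(bits[i:i + 4] for i in range(0, 32, 4))

def range_to_cidr(first: str, last: str):
    """Return the single CIDR block that covers exactly first..last, or None
    when the range cannot be written as one block."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return str(blocks[0]) if len(blocks) == 1 else None

def spoofing_rules(first: str, last: str, iface: str,
                   chain: str = "SPOOFING_RULES", log_level: str = "info"):
    """Emit a LOG then DROP rule for every CIDR block needed to cover the
    range, matching packets that arrive on `iface` with such a source."""
    rules = []
    for block in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)):
        base = f"iptables -t filter -A {chain} -i {iface} -s {block}"
        rules.append(f'{base} -j LOG --log-level {log_level} '
                     f'--log-prefix "IP SPOOFING ATTEMPT: "')
        rules.append(f"{base} -j DROP")
    return rules

if __name__ == "__main__":
    for m in ("255.31.0.0", "255.240.0.0"):
        print(f"{m:<12} = {mask_bits(m)}  -> /{mask_to_prefix(m)}")
    print(range_to_cidr("172.16.0.0", "172.31.255.255"))
    print("\n".join(spoofing_rules("172.16.0.0", "172.31.255.255", "ppp0")))
```

A range that does not align to one block (say 172.16.0.0-172.30.255.255) makes range_to_cidr return None and spoofing_rules emit several rule pairs, which is the "loop" case from the question.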