Mailing List Archive

can this be written as one rule ?
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.124.176.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.124.32.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.127.64.0/17 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.128.94.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.130.126.128/26 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.132.194.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.139.164.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.139.198.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.141.9.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.142.125.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.142.3.128/25 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.145.21.128/25 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.146.201.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.152.32.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.153.78.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.153.98.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.155.196.0/25 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.158.66.128/25 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.16.0.0/13 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.224.0.0/12 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.24.0.0/14 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.254.15.0/24 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.32.0.0/14 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.36.0.0/16 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.36.64.0/18 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.51.0.0/16 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.54.208.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.54.224.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.55.128.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.55.144.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.55.160.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.55.64.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.68.0.0/14 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.88.32.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.88.64.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.96.0.0/15 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 122.0.128.0/17 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 122.100.48.0/20 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 122.169.0.0/19 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 122.169.100.0/23 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 122.199.106.0/22 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 122.199.90.0/23 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 122.2.0.0/15 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 122.202.128.0/17 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 122.254.128.0/17 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 122.32.0.0/12 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_I

And so on ?
Re: can this be written as one rule ? [ In reply to ]
* U. George (netbeans@gatworks.com) wrote:
>> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.124.176.0/20 -j DROP
>
> And so on ?

You can (ab)use ipt_recent to do it. There might be other ways but the
gist of it would be to build an ipt_recent table with those addresses at
boot and then reference it using an --rcheck or similar.

Enjoy,

Stephen
Re: can this be written as one rule ? [ In reply to ]
U. George wrote:
>> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.124.176.0/20 -j DROP
>> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.124.32.0/20 -j DROP
>> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.127.64.0/17 -j DROP
<snip />
>> And so on ?
>
You could use ipset:
http://ipset.netfilter.org

Once a set of type nethash has been created and populated, its usage is
very simple, e.g. to test whether a source|destination address is in a
nethash set named BADNETS use:

iptables -A INPUT -m set --set BADNETS src|dst -j NETHANDLER

Not sure if this extension is in the kernel yet but it's relatively easy
to add by following the instructions at their website.

:m)
Re: can this be written as one rule ? [ In reply to ]
Did you try ipsets?

Just create an ipset, populate it and then

$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -m set --set $IPSET src -j DROP

et voila!!
Just try this:
http://ipset.netfilter.org/

or dig on the netfilter home page

Regards,
On Sunday, 1 July 2007 17:01, U. George wrote:
> > $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.124.176.0/20 -j DROP
> > $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.124.32.0/20 -j DROP
> > $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.127.64.0/17 -j DROP
<snip />
>
> And so on ?

--
----------------------------
Universidad de Alcalá (UAH)
----------------------------
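Putting the two ipset replies together, as an added example that is none of the posters' code: a Python helper that validates and aggregates the original post's networks (ipaddress.collapse_addresses folds nested and adjacent prefixes, e.g. 121.36.64.0/18 into 121.36.0.0/16) and emits an `ipset restore` input plus the single rule that replaces the long list. It assumes the set name BADNETS from the thread, `hash:net` (the current name of the nethash type) and `--match-set` (the current spelling of `--set`); the sample networks are a handful taken from the post.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample: a few of the CIDRs from the original post, including one
# nested pair (121.36.64.0/18 lies inside 121.36.0.0/16) and one adjacent pair
# that merges (121.55.128.0/20 + 121.55.144.0/20 = 121.55.128.0/19).
SAMPLE_NETS = [
    "121.124.176.0/20", "121.36.0.0/16", "121.36.64.0/18",
    "121.55.128.0/20", "121.55.144.0/20", "121.55.160.0/20",
    "122.2.0.0/15",
]


def aggregate(cidrs: Iterable[str]) -> List[str]:
    """Parse, validate and collapse CIDRs so nested/adjacent nets become one.

    strict=True rejects a prefix with host bits set (e.g. 10.1.2.3/24), which
    iptables would otherwise mask silently; better to fail at generation time.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ipset_restore_script(setname: str, cidrs: Iterable[str]) -> str:
    """Build the text fed to `ipset restore` (set name BADNETS is from the thread)."""
    lines = [f"create {setname} hash:net family inet"]
    lines += [f"add {setname} {c}" for c in aggregate(cidrs)]
    return "\n".join(lines) + "\n"


def iptables_rule(setname: str, iface: str,
                  table: str = "nat", chain: str = "PREROUTING") -> str:
    """The one rule that replaces the per-network DROP lines of the post."""
    return (f"iptables -t {table} -A {chain} -i {iface} "
            f"-m set --match-set {setname} src -j DROP")


if __name__ == "__main__":
    print(ipset_restore_script("BADNETS", SAMPLE_NETS), end="")
    print(iptables_rule("BADNETS", "eth0"))
```

Load the generated text with `ipset restore -exist` before adding the rule. The table and chain are parameters because the nat table is consulted only for the first packet of each connection, so a blocklist of this kind usually belongs in the filter table (INPUT or FORWARD) rather than in nat/PREROUTING as in the original script.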