As an owner of several web servers, it seems like everyday is an ongoing battle to protect those servers from hackers. From a quick look of my log files, it appears that the majority of attempted breakins are coming from China. For example, today’s log files were showing attempted breakins from the IP address 220.127.116.11. Yesterday’s logs showed attempts for IP address 18.104.22.168. Digging a little deeper in my logs I have seen attacks from similar IP addresses on the same network. So, instead of blocking individual IP addresses one at a time, I have decided to begin (continue) blocking entire IP ranges. Now, most websites will tell you to use the “.htaccess” file in your web server to prevent attacks. But, this only blocks connections at the web server level. Instead, I prefer blocking connections at the firewall level using iptables (and other undisclosed techniques). So, today I want to share with you some of the commands I use for blocking entire IP address ranges using iptables.
To begin with, if you aren’t familiar with iptables, there are plenty of websites out there that can explain it. So, do a quick Google search and you’ll find all kinds of great explanations. Once you know what iptables is and how to use it, come back here and see how to block IP ranges and even entire subnets.
In the example above from today’s log files, I want to block all IP addresses that begin with “222.222.222” and end with anything from 13 – 37.
# iptables -I INPUT -m iprange –src-range 22.214.171.124-126.96.36.199 -j DROP
If I wanted to block all IP addresses ranging from 1 – 255, I could use this:
# iptables -I INPUT -m iprange –src-range 188.8.131.52-184.108.40.206 -j DROP
Instead of blocking IP ranges, I could instead choose to block entire subnets. Even though that last command would indeed block the entire “222.222.222.*” subnet, I could instead use the following:
# iptables -I INPUT -s 220.127.116.11/24 -j DROP
If I was getting breakin attemps from subnets other than “222.222.222” such as “222.222.223” and wanted to block all subnets of “222.222.*“, I could use this:
# iptables -I INPUT -s 18.104.22.168/16 -j DROP
If I wanted to take it even higher and block all IP addresses that begin with “222“, I could use this:
# iptables -I INPUT -s 22.214.171.124/8 -j DROP
You’ll notice that I’m using the “-I” (upper case i) parameter in all of the commands. Using this will tell iptables to insert the rule at the top of the chain whereas the “-A” parameter will append the rule to the end of the chain. Unless otherwise specifically required, I would suggest always inserting your “DROP” rules at the top of the chain just in case you have any “ACCEPT” rules further down the chain such as rules for preventing DDoS attacks. Otherwise, if you have your “ACCEPT” rules before your “DROP” rules, connections will fall into the “ACCEPT” rule first leaving your “DROP” rules worthless.
Here is a quick cheat sheet for blocking subnets:
126.96.36.199/24 blocks 222.222.222.*
188.8.131.52/16 blocks 222.222.*.*
184.108.40.206/8 blocks 222.*.*.*
PayPal will open in a new tab.