1

I have had a lot of DDoS attacks lately and am given only the attackers' IPs.

I want to block them via iptables. Every time the range of IPs is the same, but the actual IPs are different.

How can I create the proper range of IPs so I can block them via the firewall while I do not know the netmask?

Zanna
  • 70,465
  • These days there are very clever attacks spread over entire ranges of IP addresses. What I do is: look up the source country for the IP, then look up the overall subnet, then block that whole subnet, as per Maythux's answer below. I do not care about collateral damage. More recently, I don't even bother looking up the country; I just go directly to the China or Hong Kong list. There are many sources; I use: http://freegeoip.net/ and http://www.ip2location.com/free/visitor-blocker – Doug Smythies Jun 17 '15 at 22:05

2 Answers

2

Suppose the range of addresses is 192.168.1.*

To block 192.168.1.* addresses:

sudo iptables -A INPUT -s 192.168.1.0/24 -j DROP

To block 192.168.*.* addresses:

sudo iptables -A INPUT -s 192.168.0.0/16 -j DROP

To block 192.*.*.* addresses:

sudo iptables -A INPUT -s 192.0.0.0/8 -j DROP

But you have to notice that this will also block legitimate traffic from the same range.

Maythux
  • 84,289
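As an added example (not part of either answer), the following Python helper does the step the question asks about: given only the attacker addresses seen in a log, it derives the smallest CIDR block that covers all of them, emits the DROP rule from the answer above for that block, and reports how many addresses the rule would catch that were never seen attacking (the collateral the answer warns about). The observed addresses are constructed sample values.

```python
import ipaddress

# Constructed sample of attacker source addresses taken from a log (not real data).
OBSERVED = ["203.0.113.17", "203.0.113.88", "203.0.113.201", "203.0.113.9"]


def smallest_covering_network(addrs):
    """Return the smallest IPv4 network that contains every address in addrs.

    Without a known netmask, keep only the leading bits that all addresses
    share (the common prefix) and zero the remaining host bits.
    """
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    lo, hi = min(ints), max(ints)
    prefix = 32
    # Shorten the prefix until the lowest and highest address agree on every network bit.
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    network_int = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((network_int, prefix))


def collateral_addresses(network, addrs):
    """Number of addresses in the block that were NOT among the observed attackers."""
    return network.num_addresses - len({ipaddress.IPv4Address(a) for a in addrs})


def drop_rule(network):
    """The iptables rule from the answer above, filled in with the computed block."""
    return f"sudo iptables -A INPUT -s {network} -j DROP"


if __name__ == "__main__":
    net = smallest_covering_network(OBSERVED)
    print(drop_rule(net))
    print(f"{net} also covers {collateral_addresses(net, OBSERVED)} addresses not seen attacking")
```

A large collateral count (or a prefix shorter than /24) is the signal that the observed addresses do not form one tight range, and that a rate limit or a per-address block may fit better than one wide DROP.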
0

You can also automate it for unknown IP ranges by setting limits:

sudo iptables -A INPUT -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  • -m limit: This uses the limit iptables extension.
  • --limit 50/minute: This limits to a maximum of 50 connections per minute.
  • --limit-burst 200: This value indicates that the limit/minute will be enforced only after the total number of connections has reached the limit-burst level.

linux command to prevent dos attack by using netstat and iptables

http://blog.bodhizazen.com/linux/prevent-dos-with-iptables/

Panther
  • 102,067
  • Could you please explain the rule for me? I'm new to all this and not sure I follow you.

    If I run a VPN protocol for my office, won't this affect the connection for my colleagues?

    – Vitalik Jimbei Jun 17 '15 at 08:26
  • Edited: please double-check the info. As far as I understand, only if more than 200 connections are established will the 50/min limit get enforced. – aldwinaldwin Jun 17 '15 at 08:42
  • Basically the rule says you can have 50 incoming connections per minute. All others will be dropped? What does limit-burst do then? – Vitalik Jimbei Jun 17 '15 at 12:08
  • If you have more than 200 connections (limit-burst) then ... the IPs that try to connect more than 50 times per minute will be dropped – aldwinaldwin Jun 17 '15 at 12:11
  • I re-read your description again, now all clear. Thank you, you've been very helpful! – Vitalik Jimbei Jun 17 '15 at 12:22
  • You're welcome. Look at bodhizazen.net for some DoS simulation with ab to test your settings. I just wanted to let you know something like this exists. Google around (iptables ddos prevention) and you'll find more of those settings. – aldwinaldwin Jun 17 '15 at 12:29