
Firewall allowing/disallowing IP Ranges


emzer
4th November 2004, 06:26 AM
I've got a pretty basic question about iptables. :rolleyes:

How do you allow / disallow an IP range? e.g. 10.0.1.128 - 10.0.1.255
I haven't found a way of doing this using iptables...

Another short one: exactly what is Firestarter? What does it do?

Thanks a lot in advance! :D

Tru
4th November 2004, 02:46 PM
I love Firestarter; it's a great little firewall and is very easy to use and set up. It is also a powerful firewall. I have put my computer in the DMZ and had my friend nail it with everything he had, and it held up great. You can block ping requests so no one can see your computer, etc.

If you get Firestarter (and I recommend that you at least try it), then get the 9.9 beta release. It has more options, and I have found that it is stable too and works great. Here is the link to get it: http://firestarter.sourceforge.net/

adk
5th November 2004, 09:04 AM

It is really easy to do this with iptables.

example:

iptables -A INPUT -p tcp -s 10.0.0.0/16 -d 0.0.0.0/0 -m state --state NEW -j DROP

Ad K.

emzer
5th November 2004, 12:38 PM
Hmm, okay, first of all I will check Firestarter out!

And now to the reply about the IP range thingy: well, I've seen that kind of stuff before, but that doesn't really specify my exact range. Although it probably is possible to do it with that technique, right? But what does the 10.0.0.0/16 mean? The slash stuff determines the range, right? But what? And how do you get it to other ranges?

For example, how would you write this?
10.0.0.128 to 10.0.0.256

Thanks for the reply! :D

moronbros
17th November 2004, 06:22 PM
Well, wait a second here...

This is a completely valid line of code for iptables; however, it does not cover the range you want.

iptables -A INPUT -p tcp -s 10.0.0.0/16 -d 0.0.0.0/0 -m state --state NEW -j DROP

It's all about subnetting. You need to understand some basics behind this concept before you can really get going with iptables, because it just makes your life easier. Anyhow, the 10.0.0.0/16 means that it is a 16-bit subnet, which has a 255.255.0.0 subnet mask. According to subnetting rules, that would include the addresses 10.0.0.0 to 10.0.255.255. That code covers a large 16-bit subnet... not what you need.

You need the second half of a 24-bit subnet, from what I gather. That is from 10.0.0.128 to 10.0.0.256, which would come out to 10.0.0.128/25. In this case, you just bump up the subnet mask one bit, and it covers that specific range. The slash in the notation just means that the number denotes the subnet mask. The address before the slash is the network address.

That line in iptables could just be modified then, and you should be good. *pretty sure* Then again, this is coming from a person who writes up Cisco ACLs all day, and Linux has its differences...

iptables -A INPUT -p tcp -s 10.0.0.128/25 -d 0.0.0.0/0 -m state --state NEW -j DROP

If you don't want to learn right now, that's OK. Everyone else learned for you! Just Google for a subnet calculator like this one and give it a whirl.

http://www.telusplanet.net/public/sparkman/netcalc.htm

Learn to *think* in binary and subnetting gets easy.
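The subnetting arithmetic the thread describes (prefix length to netmask, "bump the mask one bit" to get 10.0.0.128/25, and the network address before the slash), worked through as an added example that is not part of the thread and not the posters' code. It does the mask and membership calculation by hand in binary, cross-checks the results against Python's standard ipaddress module, and generalises the thread's case: a range that does not start on a power-of-two boundary (the thread's examples do) needs several CIDR blocks, and therefore several iptables rules, which is what summarize_address_range produces. The rule strings use the thread's INPUT chain and `-m state --state NEW` match; the chain and protocol parameters are assumptions, and the generated lines are only printed here, not applied.

```python
import ipaddress


def prefix_to_mask(prefix):
    """Build a dotted-quad netmask from a prefix length, e.g. 25 -> 255.255.255.128.

    A /N mask is N one-bits followed by (32 - N) zero-bits: shift an all-ones
    word left by the number of host bits and keep the low 32 bits.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_in_cidr(ip, cidr):
    """Manual membership test: an address is in the block when it agrees with the
    network address on every bit the mask keeps (host bits are ignored)."""
    net_str, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    ip_int = int(ipaddress.IPv4Address(ip))
    net_int = int(ipaddress.IPv4Address(net_str))
    return (ip_int & mask) == (net_int & mask)


def cidr_details(cidr):
    """Describe a block the way a subnet calculator would (stdlib cross-check of the manual maths)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "hosts": net.num_addresses,
    }


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering the inclusive range first..last.

    10.0.1.128-10.0.1.255 is a single /25; 10.0.1.100-10.0.1.255 is not aligned
    to a power of two and decomposes into four blocks.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def iptables_drop_rules(first, last, chain="INPUT", proto="tcp"):
    """One DROP rule per CIDR block; chain and proto are assumed defaults, not from the thread.
    Rules are only returned as strings, never executed."""
    return [
        f"iptables -A {chain} -p {proto} -s {cidr} -m state --state NEW -j DROP"
        for cidr in range_to_cidrs(first, last)
    ]


if __name__ == "__main__":
    # Constructed sample ranges: the thread's own case and an unaligned one.
    for first, last in (("10.0.1.128", "10.0.1.255"), ("10.0.1.100", "10.0.1.255")):
        print(f"{first}-{last}:")
        for cidr in range_to_cidrs(first, last):
            d = cidr_details(cidr)
            print(f"  {cidr}  mask={d['netmask']}  {d['network']}-{d['broadcast']}  ({d['hosts']} addresses)")
        for rule in iptables_drop_rules(first, last):
            print("  " + rule)
    print("manual /16 mask:", prefix_to_mask(16), " /25 mask:", prefix_to_mask(25))
    print("10.0.0.200 in 10.0.0.128/25:", ip_in_cidr("10.0.0.200", "10.0.0.128/25"))
    print("10.0.0.127 in 10.0.0.128/25:", ip_in_cidr("10.0.0.127", "10.0.0.128/25"))
```

Two practical caveats when turning the output into rules: iptables evaluates a chain top to bottom, so a DROP appended after an earlier ACCEPT for the same traffic never fires, and an unaligned range that decomposes into several blocks can alternatively be matched in one rule with the iprange extension (`-m iprange --src-range 10.0.1.100-10.0.1.255`) rather than several `-s` rules.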