Re: Blocking sub-range of IP addresses

2003-03-12 Thread Guillaume Avez (Administrateur Systèmes)
It would be useful to have something that would take
an IP address range and return the minimum coverage
CIDR for that block (for use in feeding to iptables).
For those addicted to the command line (gipsc needs GNOME), try netmask:

#netmask -c 192.168.10.224:192.168.10.255
 192.168.10.224/27
#netmask -c 192.168.10.23:192.168.10.55
 192.168.10.23/32
 192.168.10.24/29
 192.168.10.32/28
 192.168.10.48/29
#netmask -r  192.168.10.48/29
 192.168.10.48- 192.168.10.55
--
Guillaume Avez
Administrateur Systemes et Reseaux
tel. +33 169 07 34 55
mailto:[EMAIL PROTECTED]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
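
The splitting that `netmask -c` performs above is easy to reproduce. As an added example that is not part of the original thread and not the netmask tool's own code, the following C program (struct and function names are my own) computes the minimal set of aligned CIDR blocks for an inclusive range and, as `netmask -r` does, the first and last address of a block. The ranges built into main() are constructed samples taken from the posts.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* A CIDR block as netmask(1) prints it: network address plus prefix length. */
struct cidr { uint32_t net; int plen; };

/* Dotted quad -> host-order integer; returns 0 on success, -1 on a bad string. */
static int dot2num(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Split the inclusive range [lo, hi] into the fewest aligned CIDR blocks
   (what `netmask -c lo:hi` does). Fills up to max entries of out and returns
   the total number of blocks needed, or -1 when lo > hi. */
int range_to_cidrs(uint32_t lo, uint32_t hi, struct cidr *out, int max)
{
    int n = 0;
    if (lo > hi) return -1;
    for (;;) {
        /* Grow the block at lo while it stays aligned and does not pass hi. */
        int plen = 32;
        while (plen > 0) {
            uint64_t bigger = (uint64_t)1 << (32 - (plen - 1));
            if (lo % bigger != 0) break;                 /* lo not aligned to it */
            if ((uint64_t)lo + bigger - 1 > hi) break;   /* it would overshoot hi */
            plen--;
        }
        if (n < max) { out[n].net = lo; out[n].plen = plen; }
        n++;
        uint64_t size = (uint64_t)1 << (32 - plen);
        if ((uint64_t)lo + size - 1 >= hi) return n;     /* reached the end */
        lo = (uint32_t)(lo + size);
    }
}

/* Inverse (`netmask -r`): first and last address covered by net/plen. */
void cidr_to_range(struct cidr c, uint32_t *first, uint32_t *last)
{
    uint32_t mask = c.plen == 0 ? 0 : 0xFFFFFFFFu << (32 - c.plen);
    *first = c.net & mask;
    *last = *first | ~mask;
}

/* Convenience wrapper over dotted-quad strings; returns the block count. */
int split_range(const char *lo_s, const char *hi_s, struct cidr *out, int max)
{
    uint32_t lo, hi;
    if (dot2num(lo_s, &lo) != 0 || dot2num(hi_s, &hi) != 0) return -1;
    return range_to_cidrs(lo, hi, out, max);
}

int main(int argc, char **argv)
{
    /* Constructed sample: the second range from the post above. */
    const char *lo = argc > 2 ? argv[1] : "192.168.10.23";
    const char *hi = argc > 2 ? argv[2] : "192.168.10.55";
    struct cidr blocks[64];
    int n = split_range(lo, hi, blocks, 64);
    if (n < 0) { fprintf(stderr, "bad range %s:%s\n", lo, hi); return 1; }
    for (int i = 0; i < n && i < 64; i++) {
        struct in_addr a = { htonl(blocks[i].net) };
        char buf[INET_ADDRSTRLEN];
        printf("%s/%d\n", inet_ntop(AF_INET, &a, buf, sizeof buf), blocks[i].plen);
    }
    return 0;
}
```

Run it with two addresses as arguments; for the ranges in this post it prints the same block list as netmask. The inner loop keeps enlarging the block at the low end while it stays aligned and does not overshoot the high end, which is why a range that starts on an odd address always begins with a /32 and why 192.168.10.23:192.168.10.55 needs four rules while 192.168.10.224:192.168.10.255 needs one.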


Re: Blocking sub-range of IP addresses

2003-03-12 Thread Karl Hammar
 It would be useful to have something that would take
 an IP address range and return the minimum coverage
 CIDR for that block (for use in feeding to iptables).
 
 For example, if I want to allow access for hosts
 1.2.3.1 - 1.2.3.4, I currently can allow them
 individually or just allow the entire /24. But is
 there any easier way to allow ip ranges in iptables,
 short of doing each individual IP or generalizing to a
 class boundary? Can ipsc do this easily?
 
 Thanks,
 Josh
...

 I don't really have that, but the attached program gives you the longest
common prefix for a few IPs.

 $ ./ipnumber -p 192.168.93.3 192.168.93.2 192.168.93.1
 192.168.93.0/30 (255.255.255.252)
 $ ./ipnumber -p 192.168.90.3 192.168.2.28 
 192.168.0.0/17 (255.255.128.0)

Regards,
/Karl

---
Karl Hammar          Aspö Data           [EMAIL PROTECTED]
Lilla Aspö 2340                          Networks
S-742 94 Östhammar   +46  173 140 57     Computers
Sweden               +46  70 511 97 84   Consulting
---

/** Copyright: Karl Hammar, Aspö Data
 ** Copyright terms: GPL
 **/

#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* int function return value: 0 == SUCCESS, else error */

/*
 * IP numbers (or addresses, same thing, different names)
 * are just 32 bit unsigned integers;
 * the numbers we are used to (e.g. 192.168.1.3)
 * are only a way to present those IP numbers for humans.
 * That format is called dotted quad, since it consists of
 * four (quad) numbers with dots between.
 *
 * These two routines convert between the human and computer
 * way of seeing the IP numbers
 */
int dot2num( char *dotted_quad, uint32_t *num);

/* len is length of dotted_quad buffer.
 * len = INET_ADDRSTRLEN, see man inet_ntop
 */
int num2dot( uint32_t  num, char *dotted_quad, size_t len);

/* convert so we can print/read binary numbers, sorry printf/scanf don't do this */
int str2num( char *str, uint32_t *num, char **ptr);
/* the buffer's length (buflen) must be at least 33 characters (32 digits + one '\0') */
int num2str( uint32_t  num, char *buffer, size_t buflen);

/*
to help routers, ip numbers are split in two parts:
the first is a network prefix and
the latter is the computer (or host, well actually interface) number on that network

It works like ip_address = network_number + computer_number_on_that_network
You can compare it to a memory buffer, address (aka. ip number) = buffer_pointer (aka. network) + offset (aka. host number on that network)

This helps routers since they don't have to store routes to all hosts,
they only have to keep records of networks.
Also a network is not necessarily the same thing as a LAN.
A network is just all computers with some common top bits in their ip numbers
(note: common top bits i.e. ALL bits before the split, and
remember an ip number is a simple unsigned integer)
that you can reach if you go along a given route.

Subnetting is really that simple!
But the dotted quad format makes it hard to see and understand.
Why -- because the dot makes the split between network and host part hard to see.

By counting the number of bits in the prefix we get the prefix length,
which is the same number as used in the cidr notation.

 Public example:
hostname       ip number       as binary
www.ibm.com    129.42.17.99    10000001001010100001000101100011
www.ge.com     216.74.139.56   11011000010010101000101100111000
common prefix                  1
prefix length                  1

 Local example:
calcit         192.168.93.1    11000000101010000101110100000001
hematit        192.168.93.2    11000000101010000101110100000010
granat         192.168.93.37   11000000101010000101110100100101
common prefix                  11000000101010000101110100
prefix length                  26

The bit positions where the prefix is, are called network bits,
and the others (representing the host part) are called the host bits.

The ip number with address 0 on a network is called the network address
and it is that number which goes into the routing table along with the prefix length.
Another related number is the broadcast address.
It is useful on an ethernet LAN.
The broadcast address is by convention the last address of a network.

The network address is only meaningful for routing, i.e. in the IP layer,
and the broadcast address has the same meaning as the ip number.
A given host accepts packets to that address as destined to itself, and it has
no meaning besides that and that all hosts on a given physical (or end) network
should have the same broadcast address so you easily can address them all.
So, the broadcast address does not have a meaning for all networks.

To tell the world about a network, we use the network address
(or any address on the same network, since they have the same 
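
Karl's attachment is cut off above. As an added example that is not Karl's ipnumber program and not part of the original thread, the following stand-alone C program (function names are my own) computes what `ipnumber -p` reports: the longest common prefix of several addresses, the network that prefix describes and the dotted mask. The three addresses in main() are a constructed sample taken from Karl's first invocation.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Dotted quad -> host-order integer; returns 0 on success, -1 on a bad string. */
static int dot2num(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Host-order integer -> dotted quad in buf (at least INET_ADDRSTRLEN bytes). */
static const char *num2dot(uint32_t num, char *buf, size_t len)
{
    struct in_addr a;
    a.s_addr = htonl(num);
    return inet_ntop(AF_INET, &a, buf, len);
}

/* Number of leading bits on which all n addresses agree: 32 for a single
   address, 0 when they already differ in the first bit. */
int common_prefix_len(const uint32_t *addrs, int n)
{
    uint32_t differing = 0;   /* a bit is set wherever some address differs from the first */
    for (int i = 1; i < n; i++) differing |= addrs[0] ^ addrs[i];
    int plen = 0;
    while (plen < 32 && !(differing & (0x80000000u >> plen))) plen++;
    return plen;
}

/* Mask with plen leading ones and 32-plen trailing zeros. */
uint32_t prefix_mask(int plen)
{
    return plen <= 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
}

/* The line `ipnumber -p` prints: parses up to 64 dotted quads, returns the
   common prefix length (or -1 on bad input) and writes "net/plen (mask)" to out. */
int longest_common_prefix(const char *const *dotted, int n, char *out, size_t len)
{
    uint32_t addrs[64];
    if (n < 1 || n > 64) return -1;
    for (int i = 0; i < n; i++)
        if (dot2num(dotted[i], &addrs[i]) != 0) return -1;
    int plen = common_prefix_len(addrs, n);
    uint32_t mask = prefix_mask(plen);
    char net[INET_ADDRSTRLEN], m[INET_ADDRSTRLEN];
    num2dot(addrs[0] & mask, net, sizeof net);   /* network address = any member AND mask */
    num2dot(mask, m, sizeof m);
    snprintf(out, len, "%s/%d (%s)", net, plen, m);
    return plen;
}

int main(int argc, char **argv)
{
    /* Constructed sample: the addresses from Karl's first example. */
    const char *sample[] = { "192.168.93.3", "192.168.93.2", "192.168.93.1" };
    const char *const *ips = argc > 1 ? (const char *const *)(argv + 1) : sample;
    int n = argc > 1 ? argc - 1 : 3;
    char out[64];
    if (longest_common_prefix(ips, n, out, sizeof out) < 0) {
        fprintf(stderr, "bad address\n");
        return 1;
    }
    puts(out);
    return 0;
}
```

The XOR of each address against the first leaves a 1 in every bit position where any address disagrees; the prefix length is simply the number of leading zeros in the OR of those XORs. Note that this is the smallest single block containing all the inputs, which for 192.168.90.3 and 192.168.2.28 is the whole /17, far more than the two hosts; when a firewall rule should match only the given addresses, the range-splitting approach from the earlier post is the one to use.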

Re: Blocking sub-range of IP addresses

2003-03-12 Thread Josh Carroll
Actually, the previous post's usage of netmask would
probably do the trick:

[EMAIL PROTECTED]:~$ netmask -c 1.2.3.1:1.2.3.4
1.2.3.1/32
1.2.3.2/31
1.2.3.4/32

so, e.g.:

for hostmask in `netmask -c 1.2.3.1:1.2.3.4`; do
    iptables -A INPUT -s $hostmask \
        -d `ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | cut -d: -f2` \
        -p tcp --dport 22 -j ACCEPT
done

would work nicely. Actually, this may make a nice
module for netfilter in the kernel for ipv4. That is,
being able to specify a contiguous IP block to
iptables and have it do the internal calculations that
netmask -c is doing. Something like:

iptables -m ip_block -A INPUT -s 1.2.3.1:1.2.3.4 -d
...

Would be really cool.

Anyway, thanks for the suggestions all!
Josh

--- Karl Hammar [EMAIL PROTECTED] wrote:
  It would be useful to have something that would
 take
  an IP address range and return the minimum
 coverage
  CIDR for that block (for use in feeding to
 iptables).
  
  For example, if I want to allow access for hosts
  1.2.3.1 - 1.2.3.4, I currently can allow them
  individually or just allow the entire /24. But is
  there any easier way to allow ip ranges in
 iptables,
  short of doing each individual IP or generalizing
 to a
  class boundary? Can ipsc do this easily?
  
  Thanks,
  Josh
 ...
 
  I don't really have that, but attached program
 gives you the longest
 common prefix for a few ip's.
 
  $ ./ipnumber -p 192.168.93.3 192.168.93.2
 192.168.93.1
  192.168.93.0/30 (255.255.255.252)
  $ ./ipnumber -p 192.168.90.3 192.168.2.28  
   
  192.168.0.0/17 (255.255.128.0)
 
 Regards,
 /Karl
 

---
 Karl HammarAspö Data  
 [EMAIL PROTECTED]
 Lilla Aspö 2340 
   Networks
 S-742 94 Östhammar  +46  173 140 57 
  Computers
 Sweden +46  70 511 97 84
 Consulting

---
 
  /** Copyright: Karl Hammar, Aspö Data
  ** Copyright terms: GPL
  **/
 
 #include arpa/inet.h
 #include ctype.h
 #include errno.h
 #include netinet/in.h
 #include stdio.h
 #include stdlib.h
 #include string.h
 #include unistd.h
 
 /* int function return value: 0 == SUCCESS, else
 error */
 
 /*
  * Ip numbers (or addresses, same thing differnet
 names)
  * are just 32 bit unsigned integers
  * the numbers we are used to (e.g. 192.168.1.3)
  * are only a way to present thoose ip numbers for
 humans.
  * That format is called dotted quad, since it
 consists of
  * four (quad) numbers with dots between.
  *
  * Theese two routinges convert between the human
 and computer
  * way of seeing the ip numbers
  */
 int dot2num( char *dotted_quad, uint32_t *num);
 
  /* len is length of dotted_quad buffer.
   * len = INET_ADDRSTRLEN, see man inet_ntop
   */
 int num2dot( uint32_t  num, char *dotted_quad,
 size_t len);
 
 /* convert so can print/read binary numbers, sorry
 printf/scanf don't do this */
 int str2num( char *str, uint32_t *num, char **ptr);
  /* the buffers length (len) must be at least 33
 characters long (32 digits + one '\0')  */
 int num2str( uint32_t  num, char *buffer, size_t
 buflen);
 
 /*
 to help routers, ip numbers are split in two parts:
 the first is a network prefix and
 the latter is computer (or host, well actually
 interface) number on that network
 
 It works like ip_address = network_number +
 computer_number_on_that_network
 You can compare it to a memory buffer, address (aka.
 ip number) = buffer_pointer (aka. network) + offset
 (aka. host number on that network)
 
 This helps routers since they don't have to store
 routes to all hosts
 they only have to keep records of networks.
 Also network is not necceserely the same thing as
 a LAN.
 Network is just all computers with some common top
 bits in their ip numbers
 (note: common top bits i.e. ALL bits before the
 split, and
 remember ip numbers is a simple unsigned integer)
 that you can reach if you go along a given route.
 
 Subnetting is really that simple!
 But the dotted quad format makes it hard see and
 understand.
 Why -- because the dot makes the split between
 network and host part hard to see.
 
 By counting number of bits in the prefix we get the
 prefix length,
 which is the same number as used in the cidr
 notation.
 
  Public example:
 hostnameip number  as binary
 www.ibm.com 129.42.17.99  
 100100101011000101100011
 www.ge.com  216.74.139.56 
 1101110010101000101100111000
 common prefix  1
 prefix length  1
 
  Local example:
 calcit  192.168.93.1  
 11001010110111010001
 hematit 192.168.93.2  
 11001010110111010010
 granat  192.168.93.37 
 110010101101110100100101
 common prefix 
 110010101101110100
 prefix length  26
 
 The bit positions where the prefix is, are called
 network bits,
 

Re: Blocking sub-range of IP addresses

2003-03-11 Thread andrew lattis
On 2003/03/11 02:12:12PM -0600, Tue, Bill wrote:
 Hello Debian,
 
 I want to block all ip's ending in 224 to 255 but not 220 and others
 searching the net I found I need to add /27 to end of the ip.
 I understand /8 /16 /24 /32 somewhat but...
 
 My question:  what makes /27 significant 
 X.Y.Z.224 - X.Y.Z.255
 deny from 63.148.99.224/27
 

apt-get install gipsc
gipsc will do all the math for you

/27 is cidr notation for a 255.255.255.224 netmask, meaning
63.148.99.224-255





Re: Blocking sub-range of IP addresses

2003-03-11 Thread Douglas Blood
http://www.ralphb.net/IPSubnet/class_a.html
That is a page I use whenever I need to do anything with subnets.
It explains that the /27 subnet has 30 hosts.

So if you only wanted to block hosts X.Y.Z.23 - X.Y.Z.55 I would do
everything under 64.. otherwise you get into defining multiple subnets so
you would block X.Y.Z.64/27


- Original Message -
From: Bill [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 1:12 PM
Subject: Blocking sub-range of IP addresses


 Hello Debian,

 I want to block all ip's ending in 224 to 255 but not 220 and others
 searching the net I found I need to add /27 to end of the ip.
 I understand /8 /16 /24 /32 somewhat but...

 My question:  what makes /27 significant
 X.Y.Z.224 - X.Y.Z.255
 deny from 63.148.99.224/27

 Thanks
 P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???





Re: Blocking sub-range of IP addresses

2003-03-11 Thread Markus Schabel
Bill wrote:
Hello Debian,

I want to block all ip's ending in 224 to 255 but not 220 and others
searching the net I found I need to add /27 to end of the ip.
I understand /8 /16 /24 /32 somewhat but...
My question:  what makes /27 significant 
X.Y.Z.224 - X.Y.Z.255
deny from 63.148.99.224/27

Thanks
P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???
that is network-address/bits-of-subnetmask
for example if you have a class c network: x.y.z.0-x.y.z.255 you have
the following:
network-address: x.y.z.0
broadcast-address: x.y.z.255
host-addresses: x.y.z.1-254
subnet-mask: 255.255.255.0 - that is ...
- 24 ones.
taking your example from above:
x.y.z.224 - x.y.z.255: 255-224=31
that is  (that are 4 bits and the subnet-mask you need is the
complement to the full 32 bits: 28 bits) = x.y.z.224/28
speaking of x.y.z.23 - x.y.z.55: there you have a problem because 23
is no network-address, you can do 16-32+32-64 or 32-64:
x.y.z.16 - x.y.z.31: 31-16 = 15 = 111  = 3 bits: x.y.z.16/29
x.y.z.32 - x.y.z.63: 63-32 = 31 =  = 4 bits: x.y.z.32/28
you can try google and subnet calculator and probably you will find
some helpful javascript or cgi-sites which calculate the numbers above.
regards
--
  \\\ ||| ///   _\=/_
   (  @ @  )(o o)
+oOOo-(_)-oOOo--oOOo-(_)-oOOo--+
| Markus Schabel  TGM - Die Schule der Technik   www.tgm.ac.at |
| IT-Service  A-1200 Wien, Wexstrasse 19-23  net.tgm.ac.at |
| [EMAIL PROTECTED]   Tel.: +43(1)33126/316 |
| [EMAIL PROTECTED] Fax.: +43(1)33126/154 |
| FSF Associate Member #597, Linux User #259595 (counter.li.org)   |
|oOOoYet Another Spam Trap: oOOo   |
|   ()oOOo[EMAIL PROTECTED]   (   ) oOOo  |
+\  ((   )--\ ( -(   )-+
  \_) ) /\_)  ) /
 (_/ (_/
Computers are like airconditioners:
  They stop working properly if you open windows.


RE: Blocking sub-range of IP addresses

2003-03-11 Thread MacLeod, Alastair
Hi

Consider each octet of an IP address in turn. 
Octet:- 
256-(2^n(4)).256-(2^n(3)).256-(2^n(2)).256-(2^n(1)) 

start with n(1), then n(2) and through to n(4).

where 0 <= n(x) <= 8

and x=1; x<=4; x++

and where x increments n(x-1)==8 always.

and to get the prefix length /mm =32 - (sum n(x)) 

Alastair

-Original Message-
From: Bill [mailto:[EMAIL PROTECTED]
Sent: 11 March 2003 20:25
To: [EMAIL PROTECTED]
Subject: Blocking sub-range of IP addresses


Hello Debian,

I want to block all ip's ending in 224 to 255 but not 220 and others
searching the net I found I need to add /27 to end of the ip.
I understand /8 /16 /24 /32 somewhat but...

My question:  what makes /27 significant 
X.Y.Z.224 - X.Y.Z.255
deny from 63.148.99.224/27

Thanks
P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???



The information contained in this message is intended for
the addressee only and may contain confidential and/or privileged information.
If you are not the addressee, please delete this message and notify the sender;
you should not copy or distribute this message or disclose its contents to anyone.

Any views or opinions expressed in this message are those of the author 
and do not necessarily represent those of The Vital International Group or any of its 
affiliates.
No reliance may be placed on this message without written confirmation
from an authorised representative of its contents. 

Registered in England @ Wilsons Corner, 1st Floor, 1-5 Ingrave Road, Brentwood, Essex, 
CM15 8AP.


Re: Blocking sub-range of IP addresses

2003-03-11 Thread Nikolai Lusan
On Tue, 11 Mar 2003, Bill wrote:

 I want to block all ip's ending in 224 to 255 but not 220 and others
 searching the net I found I need to add /27 to end of the ip.
 I understand /8 /16 /24 /32 somewhat but...

All the numbers after a / define a subnet. For example a /24 subnet
contains 256 addresses of which 254 are usable (one for broadcast and one
for network). Every time you increment the number (for example /25) you
halve the size of the subnet, hence a /25 subnet has 128 addresses of
which 126 are usable. If you want to read more I found Rusty's networking
concepts HOWTO a nice way to break people in
http://www.netfilter.org/unreliable-guides/networking-concepts-HOWTO/index.html


 My question:  what makes /27 significant
 X.Y.Z.224 - X.Y.Z.255
 deny from 63.148.99.224/27

 Thanks
 P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???

if you want to block a specific subnet there are ipcalc scripts out
there that will calculate the ip's in a block for you .. if you are
unsure of the size of the network segment you just play with the netmask
until the addresses come out the way you want them.


Nikolai





Re: Blocking sub-range of IP addresses

2003-03-11 Thread Shawn Wallbridge
This is an excellent guide to understanding IP addresses.

http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf

shawn

 Hello Debian,

 I want to block all ip's ending in 224 to 255 but not 220 and others
 searching the net I found I need to add /27 to end of the ip.
 I understand /8 /16 /24 /32 somewhat but...

 My question:  what makes /27 significant
 X.Y.Z.224 - X.Y.Z.255
 deny from 63.148.99.224/27

 Thanks
 P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???





Re: Blocking sub-range of IP addresses

2003-03-11 Thread Bill
Thanks ian,
Your pointer turned out to be most valuable.  If anyone else wants to 
know I found this table most helpful.

google search result on:howto CIDR range

http://www.obfuscation.org/techs/cidr-conversion-table.html

On March 11, 2003 03:51 pm, you wrote:
Bill, just a tip, but read up on CIDR.  Plenty of good docs out
 there that explain why it is important and how it works.  Trying to
 explain it all would be fairly long winded.

 -ian





Re: Blocking sub-range of IP addresses

2003-03-11 Thread Frank Peters
Bill wrote:
 I want to block all ip's ending in 224 to 255 but not 220 and others
 searching the net I found I need to add /27 to end of the ip.
 I understand /8 /16 /24 /32 somewhat but...

Netmasks work using a binary logical AND operation. A few years ago, you
would be using something like 255.255.255.224 which is binary
11111111.11111111.11111111.11100000 and would mean this subnet uses all
8 bits of the first number, the second number, the third number and the
most significant 3 bits of the fourth number, all four of those numbers
being 8-bit unsigned integers.
If you count the 1s you will find there are 27 of them in a row.
 
 My question:  what makes /27 significant
 X.Y.Z.224 - X.Y.Z.255
 deny from 63.148.99.224/27

This is the same as deny from 63.148.99.224/255.255.255.224 (is this
still legal?), any address will be checked if (W.X.Y.Z) AND
(255.255.255.224) is 63.148.99.224. Here, the interesting part is that
for any Z between 224 and 255, and for those only, (Z AND 224) will be
224 (binary numbers from 11100000 to 11111111).

 P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???

23 = binary 00010111
55 = binary 00110111

Since those two do not follow the scheme of [same bit]^N[0]^M and [same
bit]^N[1]^M, you could not use the short form, you would have to block
most of them individually.

HTH

Frank
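
Frank's AND test above, and Alastair's per-octet formula a few posts earlier, as an added C example that is not from any poster in this thread (function names are my own): converting between a prefix length and a dotted mask, rejecting a mask that is not a contiguous run of ones, checking membership with a bitwise AND, and deciding whether a range such as X.Y.Z.23 - X.Y.Z.55 is a single block at all. The addresses in main() are constructed samples taken from the posts.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Dotted quad -> host-order integer; returns 0 on success, -1 on a bad string. */
static int parse_ip(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

/* Mask for a prefix length: plen leading ones, 32-plen trailing zeros. */
uint32_t plen_to_mask(int plen)
{
    if (plen <= 0) return 0;
    if (plen >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - plen);
}

/* Dotted mask -> prefix length. Returns -1 for a mask that is not a run of
   ones followed by zeros (e.g. 255.0.255.0), which no /nn can express. */
int mask_to_plen(const char *dotted_mask)
{
    uint32_t m;
    if (parse_ip(dotted_mask, &m) != 0) return -1;
    int plen = 0;
    while (plen < 32 && (m & (0x80000000u >> plen))) plen++;
    return plen_to_mask(plen) == m ? plen : -1;   /* bits below the run must all be 0 */
}

/* Alastair's per-octet view: a mask octet equals 256 - 2^n, where n is the
   number of host (zero) bits in that octet. Returns n, or -1 if not of that form. */
int octet_host_bits(int octet)
{
    for (int n = 0; n <= 8; n++)
        if (256 - (1 << n) == octet) return n;
    return -1;
}

/* Frank's membership test: addr is in net/plen iff (addr AND mask) == (net AND mask).
   Returns 1 or 0, or -1 on a bad string. */
int in_block(const char *addr_s, const char *net_s, int plen)
{
    uint32_t addr, net, mask = plen_to_mask(plen);
    if (parse_ip(addr_s, &addr) != 0 || parse_ip(net_s, &net) != 0) return -1;
    return (addr & mask) == (net & mask);
}

/* Is [lo, hi] exactly one CIDR block? True iff the range size is a power of
   two and lo is aligned to it, i.e. lo = P0..0 and hi = P1..1 for a common
   prefix P. Returns that prefix length, or -1 when several blocks are needed. */
int range_prefix_len(const char *lo_s, const char *hi_s)
{
    uint32_t lo, hi;
    if (parse_ip(lo_s, &lo) != 0 || parse_ip(hi_s, &hi) != 0 || lo > hi) return -1;
    uint64_t size = (uint64_t)hi - lo + 1;
    if (size & (size - 1)) return -1;   /* not a power of two */
    if (lo % size != 0) return -1;      /* not aligned to its own size */
    int hostbits = 0;
    while (((uint64_t)1 << hostbits) < size) hostbits++;
    return 32 - hostbits;
}

int main(void)
{
    /* Constructed samples from the thread: Bill's /27 and his 23-55 question. */
    printf("255.255.255.224 -> /%d (last octet has %d host bits)\n",
           mask_to_plen("255.255.255.224"), octet_host_bits(224));
    printf("63.148.99.240 in 63.148.99.224/27: %d\n", in_block("63.148.99.240", "63.148.99.224", 27));
    printf("63.148.99.220 in 63.148.99.224/27: %d\n", in_block("63.148.99.220", "63.148.99.224", 27));
    printf("63.148.99.224-255 as one block: /%d\n", range_prefix_len("63.148.99.224", "63.148.99.255"));
    printf("63.148.99.23-55 as one block: %d (needs several)\n", range_prefix_len("63.148.99.23", "63.148.99.55"));
    return 0;
}
```

The mask_to_plen check matters in practice: a mask such as 255.0.255.0 is a valid AND mask for some old tools but has no /nn form, so a rule written that way cannot be converted to CIDR without changing what it matches. Likewise range_prefix_len returning -1 for 23-55 is the precise statement of Frank's point: only ranges of the shape P0..0 to P1..1 collapse into one rule.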





Re: Blocking sub-range of IP addresses

2003-03-11 Thread Josh Carroll
It would be useful to have something that would take
an IP address range and return the minimum coverage
CIDR for that block (for use in feeding to iptables).

For example, if I want to allow access for hosts
1.2.3.1 - 1.2.3.4, I currently can allow them
individually or just allow the entire /24. But is
there any easier way to allow ip ranges in iptables,
short of doing each individual IP or generalizing to a
class boundary? Can ipsc do this easily?

Thanks,
Josh

--- Douglas Blood [EMAIL PROTECTED]
wrote:
 http://www.ralphb.net/IPSubnet/class_a.html
 That is a page I use whenever I need to do anything
 with subnets.
 It explains that the /27 subnet has 30 hosts.
 
 So if you only wanted to block hosts X.Y.Z.23 -
 X.Y.Z.55 I would do
 everything under 64.. otherwise you get into
 defining multiple subnets so
 you would block X.Y.Z.64/27
 
 
 - Original Message -
 From: Bill [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, March 11, 2003 1:12 PM
 Subject: Blocking sub-range of IP addresses
 
 
  Hello Debian,
 
  I want to block all ip's ending in 224 to 255 but
 not 220 and others
  searching the net I found I need to add /27 to
 end of the ip.
  I understand /8 /16 /24 /32 somewhat but...
 
  My question:  what makes /27 significant
  X.Y.Z.224 - X.Y.Z.255
  deny from 63.148.99.224/27
 
  Thanks
  P.s. for example, how would I block only X.Y.Z.23
 - X.Y.Z.55 ???
 
 
 
 





Re: Blocking sub-range of IP addresses

2003-03-11 Thread andrew lattis
On 2003/03/11 02:12:12PM -0600, Tue, Bill wrote:
 Hello Debian,
 
 I want to block all ip's ending in 224 to 255 but not 220 and others
 searching the net I found I need to add /27 to end of the ip.
 I understand /8 /16 /24 /32 somewhat but...
 
 My question:  what makes /27 significant 
 X.Y.Z.224 - X.Y.Z.255
 deny from 63.148.99.224/27
 

apt-get install gipsc
gipsc will do all the math for you

/27 is cidr notation for a 255.255.255.224 netmask, meaning
63.148.99.224-255





Re: Blocking sub-range of IP addresses

2003-03-11 Thread Douglas Blood
http://www.ralphb.net/IPSubnet/class_a.html
That is a page I use whenever I need to do anything with subnets.
It explains that the /27 subnet has 30 hosts.

So if you only wanted to block hosts X.Y.Z.23 - X.Y.Z.55 I would do
everything under 64.. otherwise you get into defining multiple subnets so
you would block X.Y.Z.64/27


- Original Message -
From: Bill [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Sent: Tuesday, March 11, 2003 1:12 PM
Subject: Blocking sub-range of IP addresses


 Hello Debian,

 I want to block all ip's ending in 224 to 255 but not 220 and others
 searching the net I found I need to add /27 to end of the ip.
 I understand /8 /16 /24 /32 somewhat but...

 My question:  what makes /27 significant
 X.Y.Z.224 - X.Y.Z.255
 deny from 63.148.99.224/27

 Thanks
 P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???


 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]




Re: Blocking sub-range of IP addresses

2003-03-11 Thread Markus Schabel

Bill wrote:

Hello Debian,

I want to block all ip's ending in 224 to 255 but not 220 and others
searching the net I found I need to add /27 to end of the ip.
I understand /8 /16 /24 /32 somewhat but...

My question:  what makes /27 significant 
X.Y.Z.224 - X.Y.Z.255

deny from 63.148.99.224/27

Thanks
P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???


that is network-address/bits-of-subnetmask
for example if you have a class c network: x.y.z.0-x.y.z.255 you have
the following:
network-address: x.y.z.0
broadcast-address: x.y.z.255
host-addresses: x.y.z.1-254
subnet-mask: 255.255.255.0 - that is 11111111.11111111.11111111.00000000
- 24 ones.

taking your example from above:
x.y.z.224 - x.y.z.255: 255-224=31
that is  (that are 4 bits and the subnet-mask you need is the
complement to the full 32 bits: 28 bits) = x.y.z.224/28

speaking of x.y.z.23 - x.y.z.55: there you have a problem because 23
is not a network-address, you can do 16-32+32-64 or 32-64:
x.y.z.16 - x.y.z.31: 31-16 = 15 = 111  = 3 bits: x.y.z.16/29
x.y.z.32 - x.y.z.63: 63-32 = 31 =  = 4 bits: x.y.z.32/28

you can try google and subnet calculator and probably you will find
some helpful javascript or cgi-sites which calculate the numbers above.

regards
--
  \\\ ||| ///   _\=/_
   (  @ @  )(o o)
+oOOo-(_)-oOOo--oOOo-(_)-oOOo--+
| Markus Schabel  TGM - Die Schule der Technik   www.tgm.ac.at |
| IT-Service  A-1200 Wien, Wexstrasse 19-23  net.tgm.ac.at |
| [EMAIL PROTECTED]   Tel.: +43(1)33126/316 |
| [EMAIL PROTECTED] Fax.: +43(1)33126/154 |
| FSF Associate Member #597, Linux User #259595 (counter.li.org)   |
|oOOoYet Another Spam Trap: oOOo   |
|   ()oOOo[EMAIL PROTECTED]   (   ) oOOo  |
+\  ((   )--\ ( -(   )-+
  \_) ) /\_)  ) /
 (_/ (_/

Computers are like airconditioners:
  They stop working properly if you open windows.



RE: Blocking sub-range of IP addresses

2003-03-11 Thread MacLeod, Alastair
Hi

Consider each octet of an IP address in turn. 
Octet:- 
256-(2^n(4)).256-(2^n(3)).256-(2^n(2)).256-(2^n(1)) 

start with n(1), then n(2) and through to n(4).

where 0 <= n(x) <= 8

and x=1; x<=4; x++

and where x increments n(x-1)==8 always.

and to get the prefix length /mm = 32 - (sum n(x))

Alastair

-Original Message-
From: Bill [mailto:[EMAIL PROTECTED]
Sent: 11 March 2003 20:25
To: debian-security@lists.debian.org
Subject: Blocking sub-range of IP addresses


Hello Debian,

I want to block all ip's ending in 224 to 255 but not 220 and others
searching the net I found I need to add /27 to end of the ip.
I understand /8 /16 /24 /32 somewhat but...

My question:  what makes /27 significant 
X.Y.Z.224 - X.Y.Z.255
deny from 63.148.99.224/27

Thanks
P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???





Re: Blocking sub-range of IP addresses

2003-03-11 Thread Nikolai Lusan
On Tue, 11 Mar 2003, Bill wrote:

 I want to block all ip's ending in 224 to 255 but not 220 and others
 searching the net I found I need to add /27 to end of the ip.
 I understand /8 /16 /24 /32 somewhat but...

All the numbers after a / define a subnet. For example a /24 subnet
contains 256 addresses of which 254 are usable (one for broadcast and one
for network). Every time you increment the number (for example /25) you
halve the size of the subnet, hence a /25 subnet has 128 addresses of
which 126 are usable. If you want to read more I found Rusty's networking
concepts HOWTO a nice way to break people in
http://www.netfilter.org/unreliable-guides/networking-concepts-HOWTO/index.html


 My question:  what makes /27 significant
 X.Y.Z.224 - X.Y.Z.255
 deny from 63.148.99.224/27

 Thanks
 P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???

if you want to block a specific subnet there are ipcalc scripts out
there that will calculate the ip's in a block for you .. if you are
unsure of the size of the network segment you just play with the netmask
until the addresses come out the way you want them.


Nikolai



Re: Blocking sub-range of IP addresses

2003-03-11 Thread Shawn Wallbridge
This is an excellent guide to understanding IP addresses.

http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf

shawn

 Hello Debian,

 I want to block all ip's ending in 224 to 255 but not 220 and others
 searching the net I found I need to add /27 to end of the ip.
 I understand /8 /16 /24 /32 somewhat but...

 My question:  what makes /27 significant
 X.Y.Z.224 - X.Y.Z.255
 deny from 63.148.99.224/27

 Thanks
 P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???







Re: Blocking sub-range of IP addresses

2003-03-11 Thread Bill
Thanks ian,
Your pointer turned out to be most valuable.  If anyone else wants to 
know I found this table most helpful.

google search result on: howto CIDR range

http://www.obfuscation.org/techs/cidr-conversion-table.html

On March 11, 2003 03:51 pm, you wrote:
Bill, just a tip, but read up on CIDR.  Plenty of good docs out
 there that explain why it is important and how it works.  Trying to
 explain it all would be fairly long winded.

 -ian



Re: Blocking sub-range of IP addresses

2003-03-11 Thread Frank Peters
Bill wrote:
 I want to block all ip's ending in 224 to 255 but not 220 and others
 searching the net I found I need to add /27 to end of the ip.
 I understand /8 /16 /24 /32 somewhat but...

Netmasks work using a binary logical AND operation. A few years ago, you
would be using something like 255.255.255.224 which is binary
11111111.11111111.11111111.11100000 and would mean this subnet uses all
8 bits of the first number, the second number, the third number and the
most significant 3 bits of the fourth number, all four of those numbers
being 8-bit unsigned integers.
If you count the 1s you will find there are 27 of them in a row.
 
 My question:  what makes /27 significant
 X.Y.Z.224 - X.Y.Z.255
 deny from 63.148.99.224/27

This is the same as deny from 63.148.99.224/255.255.255.224 (is this
still legal?), any address will be checked if (W.X.Y.Z) AND
(255.255.255.224) is 63.148.99.224. Here, the interesting part is that
for any Z between 224 and 255, and for those only, (Z AND 224) will be
224 (binary numbers from 11100000 to 11111111).

 P.s. for example, how would I block only X.Y.Z.23 - X.Y.Z.55 ???

23 = binary 00010111
55 = binary 00110111

Since those two do not follow the scheme of [same bit]^N[0]^M and [same
bit]^N[1]^M, you could not use the short form, you would have to block
most of them individually.

HTH

Frank
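
The AND test Frank describes, and his rule for when a range can be written as one block, as an added Python example that is not code from this thread. The function names are my own; the mask/prefix conversion follows Alastair's octet formula (a contiguous run of ones, so counting the ones is only valid after checking contiguity), and the sample addresses are the ones from Bill's question.

```python
import ipaddress


def mask_from_prefix(prefix: int) -> int:
    """/27 -> 0xFFFFFFE0: `prefix` leading one bits followed by zero bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def is_contiguous_mask(mask: str) -> bool:
    """True for 255.255.255.224 (27 ones, then zeros), False for 255.255.0.255."""
    m = int(ipaddress.IPv4Address(mask))
    return m == mask_from_prefix(bin(m).count("1"))


def prefix_from_mask(mask: str) -> int:
    """255.255.255.224 -> 27.  Counting the ones is only meaningful when
    they are contiguous, so a mask such as 255.255.0.255 is rejected."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"{mask} is not a contiguous netmask")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def matches(addr: str, rule: str) -> bool:
    """Does `addr` fall inside `rule`?  `rule` is 'a.b.c.d/nn' or
    'a.b.c.d/m.m.m.m' (a bare address means /32).  This is the AND test:
    the address matches when (addr AND mask) == (network AND mask)."""
    network, _, suffix = rule.partition("/")
    if not suffix:
        suffix = "32"
    prefix = int(suffix) if suffix.isdigit() else prefix_from_mask(suffix)
    mask = mask_from_prefix(prefix)
    addr_bits = int(ipaddress.IPv4Address(addr))
    net_bits = int(ipaddress.IPv4Address(network))
    return (addr_bits & mask) == (net_bits & mask)


def single_block(first: str, last: str):
    """Return 'network/prefix' if first..last is exactly one CIDR block,
    otherwise None.  A range is one block only when its size is a power of
    two and `first` is a multiple of that size, i.e. the low bits of
    `first` are all 0 and the same low bits of `last` are all 1."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        return None
    prefix = 33 - size.bit_length()
    return f"{ipaddress.IPv4Address(lo)}/{prefix}"


if __name__ == "__main__":
    print(prefix_from_mask("255.255.255.224"))             # 27
    print(matches("63.148.99.230", "63.148.99.224/27"))    # True
    print(matches("63.148.99.220", "63.148.99.224/27"))    # False
    print(single_block("63.148.99.224", "63.148.99.255"))  # 63.148.99.224/27
    print(single_block("63.148.99.23", "63.148.99.55"))    # None
```

`63.148.99.220` fails because `220 AND 224` is `192`, not `224`; `23..55` is not one block because 33 addresses is not a power of two, so it needs several rules. On the "is this still legal?" question: iptables accepts both forms in `-s`, a prefix length or a dotted mask.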



Re: Blocking sub-range of IP addresses

2003-03-11 Thread Josh Carroll
It would be useful to have something that would take
an IP address range and return the minimum coverage
CIDR for that block (for use in feeding to iptables).

For example, if I want to allow access for hosts
1.2.3.1 - 1.2.3.4, I currently can allow them
individually or just allow the entire /24. But is
there any easier way to allow ip ranges in iptables,
short of doing each individual IP or generalizing to a
class boundary? Can ipsc do this easily?

Thanks,
Josh

--- Douglas Blood [EMAIL PROTECTED]
wrote:
 http://www.ralphb.net/IPSubnet/class_a.html
 That is a page I use whenever I need to do anything
 with subnets.
 It explains that the /27 subnet has 30 hosts.
 
 So if you only wanted to block hosts X.Y.Z.23 -
 X.Y.Z.55 I would do
 everything under 64.. otherwise you get into
 defining multiple subnets so
 you would block X.Y.Z.64/27
 
 
 - Original Message -
 From: Bill [EMAIL PROTECTED]
 To: debian-security@lists.debian.org
 Sent: Tuesday, March 11, 2003 1:12 PM
 Subject: Blocking sub-range of IP addresses
 
 
  Hello Debian,
 
  I want to block all ip's ending in 224 to 255 but
 not 220 and others
  searching the net I found I need to add /27 to
 end of the ip.
  I understand /8 /16 /24 /32 somewhat but...
 
  My question:  what makes /27 significant
  X.Y.Z.224 - X.Y.Z.255
  deny from 63.148.99.224/27
 
  Thanks
  P.s. for example, how would I block only X.Y.Z.23
 - X.Y.Z.55 ???
 
 
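
The range-to-minimum-CIDR conversion Josh asks for (the same decomposition `netmask -c` performed in Guillaume's reply) as an added Python example that is not code from this thread. The function names are my own, the sample ranges are the ones discussed in the thread, and the result is cross-checked against the standard library's `ipaddress.summarize_address_range`, which implements the same algorithm.

```python
import ipaddress


def ip2int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def minimal_cidrs(first: str, last: str) -> list:
    """Smallest list of CIDR blocks that covers exactly first..last.

    Greedy: at the current start address take the largest block that the
    start is aligned to (its lowest set bit), halve it until it no longer
    runs past `last`, emit it, and continue from the address after it.
    """
    lo, hi = ip2int(first), ip2int(last)
    if lo > hi:
        raise ValueError("range start is after its end")
    blocks = []
    while lo <= hi:
        # alignment of `lo`; 0 is aligned to every size, so cap at 2**32
        size = lo & -lo if lo else 1 << 32
        while lo + size - 1 > hi:      # block would overshoot: halve it
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += size
    return blocks


def same_as_stdlib(first: str, last: str) -> bool:
    """Cross-check against ipaddress.summarize_address_range."""
    ref = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in ref] == minimal_cidrs(first, last)


def iptables_rules(first: str, last: str, chain: str = "INPUT",
                   target: str = "DROP") -> list:
    """One iptables rule per block; -s accepts CIDR notation."""
    return [f"iptables -A {chain} -s {block} -j {target}"
            for block in minimal_cidrs(first, last)]


if __name__ == "__main__":
    for first, last in [("192.168.10.224", "192.168.10.255"),
                        ("192.168.10.23", "192.168.10.55"),
                        ("1.2.3.1", "1.2.3.4")]:
        print(first, "-", last, "->", minimal_cidrs(first, last))
    print("\n".join(iptables_rules("1.2.3.1", "1.2.3.4", target="ACCEPT")))
```

For Josh's `1.2.3.1 - 1.2.3.4` this yields three rules (`1.2.3.1/32`, `1.2.3.2/31`, `1.2.3.4/32`); rounding out to a single block would let `1.2.3.0` or `1.2.3.5-7` through, which is exactly the over-matching a least-privilege allow rule should avoid. On current kernels the iprange match (`iptables -A INPUT -m iprange --src-range 1.2.3.1-1.2.3.4 -j ACCEPT`) expresses the arbitrary range in one rule without any decomposition.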