Iptables 7

IP Address Blocks

If you allow or drop IP addresses one by one, it may not be long before you have a very long list. This can be avoided by allowing or dropping entire blocks of IP addresses.

Binary

The computer writes IP addresses in binary, or base two, not in decimal, or base ten, as we do. In binary, 0 is 0 and 1 is 1, but other numbers are different: 2 is written 10, 3 is written 11, 4 is written 100, 5 is written 101, 6 is written 110, 7 is written 111, 8 is written 1000, 9 is written 1001, and so on. All binary numbers are made up of zeros and ones. The computer also puts zeros in front of these numbers. The lowest possible IP address in computer language is 00000000000000000000000000000000. This is written in a way that is easy for us to understand as 0.0.0.0. The highest possible IP address is 11111111111111111111111111111111, which is written for us as 255.255.255.255. Each IP address in binary form is made up of 32 digits.

IP Address Blocks

Blocks of IP addresses are designated using the first IP address in the block, followed by a forward slash, then a number indicating how many digits of the binary number we are specifying. The smallest possible IP address block has /32 at the end, like this: 194.117.101.45/32. This tells the computer to use all 32 digits of the binary number, which means it refers to one IP address. There is no need to use /32 in Iptables rules, as you can just use the IP address itself. The second smallest block is written with /31 at the end, like this: 194.117.103.78/31, which tells the computer to use the first 31 digits of the binary number. The last digit can be 0 or 1, so this refers to a block of two IP addresses, 194.117.103.78 and 194.117.103.79. The next smallest block is written with /30 at the end, which tells the computer to use the first 30 digits of the binary number. The last two digits can be 00, 01, 10 or 11, which results in a block of four IP addresses. So 195.112.167.20/30 refers to 195.112.167.20 and the next three IP addresses. If an IP address has /29 at the end, this tells the computer to use the first 29 digits of the binary number, and the last three can be 000, 001, 010, 011, 100, 101, 110 or 111, which results in a block of 8 IP addresses. So 203.98.193.168/29 refers to 203.98.193.168 and the next 7 IP addresses. You can determine the last one by adding 7 to the last number. The last IP address in the block is 203.98.193.175. You may have noticed that each time the number following the slash is reduced by one, the number of IP addresses in the block doubles. If an IP address has /28 at the end, the block will have 16 addresses. If an IP address has /27 at the end, the block will have 32 addresses. You can keep going, doubling the number of IP addresses each time you reduce the number following the slash by one.

Blocks Must Start with Specific IP Addresses

IP address blocks must start with specific IP addresses. They can't just start with any IP address. The first IP address in the block must be such that, after the digits specified, the remaining digits at the end of the binary number are all zero. For example, if you use /28, you specify the first 28 digits of the binary number, and the last four digits must be zero. If you use /14, you specify the first 14 digits of the binary number, and the last 18 digits must be zero. When determining the first address in a block, it is necessary to determine which human readable IP addresses are equivalent to the binary IP addresses which finish with all zeros. The first thing to keep in mind is that zero is the same in both binary and decimal. If you use /31, there are two addresses in each block, so the last number of the first IP address in the block must be a multiple of two, or an even number, such as 0, 2, 4, 6, 8, etc. For example, you can have 142.71.108.0/31, or 142.71.108.2/31, or 142.71.108.4/31, or 142.71.108.6/31, etc. If you use /30, there are four addresses in each block, so the last number of the first IP address in the block must be a multiple of four, such as 0, 4, 8, 12, 16, etc. If you use /29, there are eight addresses in each block, so the last number of the first IP address in the block must be a multiple of eight. If you use /25, there are 128 addresses in each block, so the last number of the first IP address in the block must be a multiple of 128, which actually means it must be either 0 or 128. When you get to /24, there are 256 addresses in each block, so the last number of the first IP address in the block must be zero. For example, 93.148.107.0/24 refers to all addresses from 93.148.107.0 to 93.148.107.255. The last number cannot be anything other than zero. With /23, there are 512 addresses in each block, which is 2 x 256, so the third number of the first IP address in the block must be a multiple of two, and the last number must be zero. For example, you can have 72.162.0.0/23, 72.162.2.0/23, 72.162.4.0/23, 72.162.6.0/23, etc. When you get to /16, the last two numbers of the first IP address in the block must be zero. For example, you can have 118.93.0.0/16, 118.94.0.0/16, 118.95.0.0/16, and so on. 0.0.0.0/0 is the largest possible block, referring to all IP addresses, and must start with 0.0.0.0.

IP Address Blocks

Note: xx means any number in an IP address. 2n means a multiple of 2, 4n means a multiple of 4, etc.

Calculating Blocks

Let's imagine you want to drop the following IP addresses using one rule: 60.222.224.131, 60.222.224.132, 60.222.224.133, 60.222.224.134. How do you do it? You have four addresses, so the block must include at least these four. In a block of four, the last number of the first IP address in the block must be a multiple of four. 131 is not a multiple of four, so it is necessary to use a larger block of 8. What is the closest IP address preceding these IP addresses where the last number is a multiple of 8? It is 60.222.224.128. The last number, 128, is a multiple of 8. So you could use 60.222.224.128/29. This would include the four you want to drop, three preceding them and one following them: all addresses from 60.222.224.128 to 60.222.224.135. If you did not want to drop those preceding and following them, you could either drop those you want to drop with separate rules, or drop them as a block but have rules prior to this rule allowing the others.

Country Blocks

If you look on the internet, you can find out where these IP addresses are. These particular IP addresses are in China, part of a much larger block, 60.208.0.0/12. If you understand Chinese, and are likely to want to access other IP addresses in this block, you may just drop these few IP addresses. If you don't understand Chinese, and are unlikely to want to access any IP addresses within this block, you can drop the entire block 60.208.0.0/12. There are other options. For example, you could have a rule allowing some addresses from this block before the rule dropping the block. Before dropping IP address blocks, find out where they are. If they are in a place where you are likely to access other things, drop only the IP addresses you are concerned about. If they are in a place where you will not want to access anything, drop the entire block.
This is only one IP address block in one small part of China. There are several hundred different IP address blocks in China. Countries where large numbers of people access the internet have many IP address blocks. Countries with a small population, or where only a few people access the internet, have only a small number of IP address blocks.

Getting Country IP Address Blocks

You can look on the internet to find country IP address blocks. A good site for this is: http://software77.net/cgi-bin/ip-country/multi-lookup.pl. With many other sites you can only enter one IP address at a time. If you have a lot of IP addresses this may be very time consuming. With this site you can copy and paste a list of up to 400 IP addresses at once, and you will get a list telling you what country each IP address is in, and the particular block. You need to click on the square preceding "CIDR Format." You can then copy and paste this list back to your computer. Be aware that if your list includes more than one IP address from the same block, the output will only show one of them. You can also download the entire list of all IP address blocks in the world.

Combining Country Blocks

You may find you want to drop consecutive blocks. You can combine these into single rules. For example, you may want to drop 118.160.0.0/13, 118.168.0.0/14 and 118.172.0.0/14. One rule can include all of these. In this case you would use 118.160.0.0/12.

Iptables Rules

To drop blocks, add rules to Iptables. Following are examples.
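As an added example (not the page's own code), here is the arithmetic from the Calculating Blocks and Combining Country Blocks sections carried out on the 32 binary digits, together with the rule lines it produces. The function names are my own, and the rules are returned as text rather than applied, so running it changes nothing on the host.

```python
# Added example (not the page's own code): CIDR arithmetic on the binary digits the text describes.
def ip_to_int(ip):
    """Dotted quad -> the 32-digit binary number the computer uses, held as an int."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 255) for s in (24, 16, 8, 0))

def block_range(cidr):
    """First and last address of a block; a start whose trailing digits are not all zero is rejected."""
    ip, prefix = cidr.split("/")
    low = (1 << (32 - int(prefix))) - 1          # the digits after the prefix, all ones
    start = ip_to_int(ip)
    if start & low:
        raise ValueError(f"{cidr} does not start on a /{prefix} boundary")
    return int_to_ip(start), int_to_ip(start | low)

def covering_block(ips):
    """Smallest single block that contains every address in ips."""
    nums = [ip_to_int(ip) for ip in ips]
    prefix = 32
    while len({n >> (32 - prefix) for n in nums}) > 1:   # shorten until all agree on the kept digits
        prefix -= 1
    start = (nums[0] >> (32 - prefix)) << (32 - prefix)  # zero the trailing digits
    return f"{int_to_ip(start)}/{prefix}"

def merge_blocks(cidrs):
    """Join equal-size neighbours into one aligned block, repeating until nothing more joins."""
    blocks = sorted({(ip_to_int(c.split("/")[0]), int(c.split("/")[1])) for c in cidrs})
    while True:
        for (s1, p1), (s2, p2) in zip(blocks, blocks[1:]):
            size = 1 << (32 - p1)
            # Two neighbours form a /(p-1) block only if the first starts on the larger boundary.
            if p1 == p2 and s2 == s1 + size and s1 % (2 * size) == 0:
                blocks = sorted((set(blocks) - {(s1, p1), (s2, p2)}) | {(s1, p1 - 1)})
                break
        else:
            return [f"{int_to_ip(s)}/{p}" for s, p in blocks]

def iptables_rules(cidrs, target="DROP", chain="INPUT"):
    """One rule per block; the OUTPUT chain matches destination (-d) instead of source (-s)."""
    flag = "-d" if chain == "OUTPUT" else "-s"
    return [f"iptables -A {chain} {flag} {c} -j {target}" for c in cidrs]

if __name__ == "__main__":
    wanted = ["60.222.224.131", "60.222.224.132", "60.222.224.133", "60.222.224.134"]
    block = covering_block(wanted)                      # 60.222.224.128/29
    print(block, block_range(block))                    # covers .128 to .135, four extra addresses
    print(*iptables_rules(merge_blocks(["118.160.0.0/13", "118.168.0.0/14", "118.172.0.0/14"])), sep="\n")
```

Note that merge_blocks only joins neighbours that line up on the larger boundary: 142.71.108.2/31 and 142.71.108.4/31 are consecutive but are left as two blocks, because a /30 must start at a multiple of four.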
To allow blocks, use ACCEPT instead of DROP. To add rules to the OUTPUT chain, replace INPUT with OUTPUT, and -s (source) with -d (destination).

Private IP Address Blocks

The following IP address blocks are reserved for private networks. You should not receive anything from these IP addresses over the internet. However, sometimes you do. Hackers may use these IP addresses in an attempt to exploit potential vulnerabilities in computers. Your computer is more secure if you drop everything from these IP addresses.
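An added example (not the page's own code): the three private blocks reserved by RFC 1918, the INPUT rules that drop them on the internet-facing interface (assumed here to be eth0), and a check of constructed sample kernel log lines for packets that arrived claiming a private source address.

```python
# Added example (not the page's own code). Interface name eth0 and the log lines are assumptions.
import re

PRIVATE_BLOCKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]   # RFC 1918

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def in_block(ip, cidr):
    """True when the first `prefix` binary digits of ip match the block's start."""
    start, prefix = cidr.split("/")
    shift = 32 - int(prefix)
    return ip_to_int(ip) >> shift == ip_to_int(start) >> shift

def is_private(ip):
    return any(in_block(ip, b) for b in PRIVATE_BLOCKS)

def drop_private_rules(iface="eth0"):
    """Drop private sources only on the internet-facing interface (assumed eth0),
    so a LAN on another interface of the same host keeps working."""
    return [f"iptables -A INPUT -i {iface} -s {b} -j DROP" for b in PRIVATE_BLOCKS]

# Constructed sample in the style of iptables LOG output; only the SRC= field is inspected.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=10.44.1.9 DST=203.0.113.5 PROTO=TCP DPT=22
kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP DPT=80
kernel: IN=eth0 OUT= SRC=172.31.200.1 DST=203.0.113.5 PROTO=UDP DPT=53
kernel: IN=eth0 OUT= SRC=172.32.0.1 DST=203.0.113.5 PROTO=TCP DPT=443
kernel: IN=eth0 OUT= SRC=192.168.0.254 DST=203.0.113.5 PROTO=ICMP
"""

def spoofed_private_sources(log_text):
    """Source addresses in the log that fall inside a private block and so should never
    have arrived from the internet."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"SRC=(\d+\.\d+\.\d+\.\d+)", line)
        if m and is_private(m.group(1)):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(*drop_private_rules(), sep="\n")
    print(spoofed_private_sources(SAMPLE_LOG))   # 172.32.0.1 is just outside 172.16.0.0/12
```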
© Copyright Guy Shipard 2008 - 2009