Blocking addresses in iptables
This is a note about setting up rules for blocking access on port 22 to
addresses in, say, the Asia/Pacific region; since I don't live in that area, nor
do I have any friends there, there's no reason anyone from those addresses should be
allowed to SSH into the box.
-A INPUT -s 200.0.0.0/8 -j DROP
-A INPUT -s 202.0.0.0/8 -j DROP
-A INPUT -s 210.0.0.0/8 -j DROP
-A INPUT -s 211.0.0.0/8 -j DROP
-A INPUT -s 212.0.0.0/8 -j DROP
-A INPUT -s 221.0.0.0/8 -j DROP
-A INPUT -s 222.0.0.0/8 -j DROP
The above will block ALL traffic from those address ranges, including HTTP and mail,
which isn't what I really want. So make sure you only block port 22 with the above,
perhaps with a rule like this:
-A INPUT -p tcp -m tcp --dport 22 -s 212.0.0.0/8 -j DROP
The list of IP address ranges for Asia/Pacific, according to
APNIC, is this:
58.0.0.0/7
60.0.0.0/7
124.0.0.0/7
126.0.0.0/8
169.208.0.0/12
196.192.0.0/13
202.0.0.0/7*
210.0.0.0/7
218.0.0.0/7
220.0.0.0/7
222.0.0.0/8
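Putting the two halves of the note together, here is an added example (not part of the original note): a POSIX sh script that turns the APNIC list above into port-22-only DROP rules in iptables-save format, and first checks that none of the ranges cover the address you administer the box from, so the rules cannot lock you out. The ranges are the ones listed above; MY_ADDR and its TEST-NET-1 default are placeholders I assume here.

```shell
#!/bin/sh
# Added example (not from the original note): emit DROP rules for tcp/22 only,
# and refuse to do so if a range would cover the address you administer from.
# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# cidr_contains IP NET/BITS -> succeeds when IP lies inside the range
cidr_contains() {
    c_ip=$(ip4_to_int "$1")
    c_net=$(ip4_to_int "${2%/*}")
    c_bits=${2#*/}
    c_mask=4294967295                        # 0xFFFFFFFF, the /32 mask
    if [ "$c_bits" -lt 32 ]; then
        c_mask=$(( (c_mask << (32 - c_bits)) & 4294967295 ))
    fi
    [ $(( c_ip & c_mask )) -eq $(( c_net & c_mask )) ]
}
# ssh_drop_rules NET/BITS... -> one iptables-save style rule per range, port 22 only
ssh_drop_rules() {
    for r in "$@"; do
        r=${r%\*}    # strip the trailing '*' footnote marker used in the APNIC list
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport 22 -s $r -j DROP"
    done
}
# check_not_locked_out IP NET/BITS... -> fails (and says why) if any range matches IP
check_not_locked_out() {
    admin=$1; shift
    for r in "$@"; do
        if cidr_contains "$admin" "${r%\*}"; then
            echo "refusing: $admin falls inside $r" >&2
            return 1
        fi
    done
}

# The APNIC ranges as listed in the note; MY_ADDR is a constructed placeholder
# (TEST-NET-1) for the address you SSH in from. Override it with MY_ADDR=... .
APNIC_RANGES="58.0.0.0/7 60.0.0.0/7 124.0.0.0/7 126.0.0.0/8 169.208.0.0/12
196.192.0.0/13 202.0.0.0/7* 210.0.0.0/7 218.0.0.0/7 220.0.0.0/7 222.0.0.0/8"
MY_ADDR=${MY_ADDR:-192.0.2.10}
# Fragment for 'iptables-restore -n' (keeps existing rules), emitted only when safe.
if check_not_locked_out "$MY_ADDR" $APNIC_RANGES; then
    echo '*filter'; ssh_drop_rules $APNIC_RANGES; echo 'COMMIT'
fi
```

Pipe the output into `iptables-restore -n` only after reviewing it; the `-n` flag keeps whatever rules are already loaded instead of flushing them.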
03/23/2005