
Is there any way to get the network IP of a particular ISP so that I can allow/block the entire network behind that IP using iptables?

Supratik
  • You can do a WHOIS on network ranges in a forward manner, but most ISPs have many networks. What is your actual goal, there may be a better approach. – Kyle Smith Jan 20 '11 at 14:32
  • I have a web server on which I want to allow some of my colleagues to log in, but the problem is they have dynamic IPs. So, if I have to allow/deny, I think I need to do it for the entire network. – Supratik Jan 21 '11 at 05:04

1 Answer


Maybe something like this can help you.

block_as.sh:

#!/bin/bash
# Usage: ./block_as.sh <ASN> [<ASN> ...]
# Prints (does not execute) the iptables/ip6tables commands that build one
# REJECT chain per AS from the route/route6 objects whois returns for it.

ASLIST="$@"

for ASNO in $ASLIST; do
    SUFFIX="$ASNO";
    #SUFFIX="" # enable this to gather all rules in one chain
    echo "iptables -N reject_as$SUFFIX";
    echo "ip6tables -N reject_as$SUFFIX";
    # -i origin: inverse query for the route objects whose origin is this AS
    # (RIPE whois client syntax; other clients and RIRs may differ).
    whois -B -i origin "AS$ASNO" \
    | grep '^route' \
    | while read proto prefix rest; do
        case "$proto" in
            route:)  prog=iptables; ;;
            route6:) prog=ip6tables; ;;
            *)       prog=echo; ;;   # anything else (e.g. route-set:) is only echoed
        esac
        echo "$prog -A reject_as$SUFFIX -s $prefix -j REJECT";
    done;
done

It fetches all networks via whois and generates the appropriate ip[6]tables rules. You may have to adjust your whois query, since I only ran tests against the RIPE DB.

Looks something like this:

$ ./block_as.sh 3320 6724
iptables -N reject_as3320
ip6tables -N reject_as3320
iptables -A reject_as3320 -s 193.103.152.0/22 -j REJECT
[...]
iptables -A reject_as3320 -s 134.97.128.0/17 -j REJECT
iptables -A reject_as3320 -s 194.156.246.0/24 -j REJECT
iptables -A reject_as3320 -s 91.222.232.0/22 -j REJECT
ip6tables -A reject_as3320 -s 2003:0000::/19 -j REJECT
ip6tables -A reject_as3320 -s 2003:0000::/20 -j REJECT
iptables -N reject_as6724
ip6tables -N reject_as6724
iptables -A reject_as6724 -s 192.67.198.0/24 -j REJECT
[...]
iptables -A reject_as6724 -s 85.214.0.0/15 -j REJECT
iptables -A reject_as6724 -s 81.169.128.0/17 -j REJECT
ip6tables -A reject_as6724 -s 2a01:238::/32 -j REJECT
Michuelnik
  • I am using RHEL 5.3 and the script does not work if I use the -B option, so the script is not working as expected. Can you please tell me what -B does? – Supratik Jan 21 '11 at 05:08
  • @Supratik: Unfortunately, there seems to be no common whois query syntax among the RIRs, not even in 2011. Perhaps there are more elaborate clients than whois, or other services (e.g. web services?), that might provide the necessary information. I'll have another look at it. – Michuelnik Jan 22 '11 at 10:34
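The following is an added example in Python, not Michuelnik's script and not anything from the asker's setup. It does the same job as block_as.sh (route/route6 objects in, iptables/ip6tables rules out) but goes a little further than the answer: it validates every prefix with the standard `ipaddress` module, drops route objects whose `origin:` is not the requested AS, and collapses overlapping prefixes (the answer's output lists both 2003:0000::/19 and 2003:0000::/20, and the /20 is redundant). It also takes an ACCEPT target and a different chain prefix, which is the allow-list form the question is really after. It assumes the input is RPSL text of the kind a RIR whois inverse-origin query returns (blank-line separated objects, one `key: value` per line, `%` lines being server comments); `SAMPLE_WHOIS` is constructed for the example and is not real registry data.

```python
"""Turn whois route/route6 objects into iptables and ip6tables rules.

Added example, not the script from the answer above. Input is assumed to be
RPSL text as returned by a RIR whois inverse-origin query (for example
`whois -B -i origin AS3320` against RIPE).
"""
import ipaddress

# Constructed sample (not real RIPE data). It deliberately contains a
# more-specific prefix nested in a covering one, a route whose origin is a
# different AS, and a malformed prefix, to show how each case is handled.
SAMPLE_WHOIS = """\
% Constructed sample, not real whois output.

route:          193.103.152.0/22
descr:          EXAMPLE-NET
origin:         AS3320
source:         RIPE

route:          193.103.152.0/23
origin:         AS3320
source:         RIPE

route6:         2003:0000::/19
origin:         AS3320
source:         RIPE

route6:         2003:0000::/20
origin:         AS3320
source:         RIPE

route:          192.0.2.0/24
origin:         AS64496
source:         RIPE

route:          not-a-prefix
origin:         AS3320
source:         RIPE
"""


def parse_rpsl_objects(text):
    """Yield one dict per blank-line-separated RPSL object. The first
    occurrence of an attribute wins; '%' and '#' lines are server comments."""
    obj = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if obj:
                yield obj
            obj = {}
            continue
        if line[0] in "%#":
            continue
        key, _, value = line.partition(":")
        obj.setdefault(key.strip().lower(), value.strip())


def prefixes_for_origin(text, asn):
    """Return (ipv4_nets, ipv6_nets, skipped) for the route objects whose
    origin is AS<asn>. Prefixes are validated with ipaddress and
    overlapping/duplicate ones are collapsed so the rule set is minimal.
    `skipped` holds (reason, value) pairs for objects that were not used."""
    want = f"AS{int(asn)}"
    v4, v6, skipped = [], [], []
    for obj in parse_rpsl_objects(text):
        raw = obj.get("route") or obj.get("route6")
        if raw is None:
            continue  # not a route object (e.g. route-set, aut-num)
        if obj.get("origin", "").upper() != want:
            skipped.append(("other-origin", raw))
            continue
        try:
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            skipped.append(("bad-prefix", raw))
            continue
        (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)),
            skipped)


def build_rules(asn, whois_text, target="REJECT", chain_prefix="reject_as"):
    """Return the iptables/ip6tables commands for one AS as a list of strings.

    target="ACCEPT" with chain_prefix="allow_as" gives the allow-list form;
    the caller still has to hook the chain into INPUT and add a default
    REJECT for the protected port behind it.
    """
    chain = f"{chain_prefix}{int(asn)}"
    v4, v6, skipped = prefixes_for_origin(whois_text, asn)
    rules = [f"iptables -N {chain}", f"ip6tables -N {chain}"]
    rules += [f"iptables -A {chain} -s {net} -j {target}" for net in v4]
    rules += [f"ip6tables -A {chain} -s {net} -j {target}" for net in v6]
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = build_rules(3320, SAMPLE_WHOIS)
    print("\n".join(rules))
    for reason, value in skipped:
        print(f"# skipped ({reason}): {value}")
```

Feed it the output of whatever whois client your RIR supports (the RIPE `-i origin` syntax in the answer, or a different client's equivalent) instead of `SAMPLE_WHOIS`, and review the `skipped` list before loading anything: a malformed prefix there usually means the query format changed, and a large `other-origin` count means the query did not filter by origin the way you expected. Keep Kyle Smith's caveat in mind as well: route objects describe what an AS has registered, and an ISP may announce from several ASes, so the chain covers one AS, not necessarily the whole provider.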