
So far, I have been manually adding C-class IP address ranges to the IIS disallow list, i.e., 101.22.32.0 / 255.255.255.0.

I would essentially like to add all the AWS IP address ranges found here: EC2 Public IP Ranges and would like to know of a good way of adding these all to the deny list.

If having to do these manually, how would I add the ranges: 50.19.0.0/16 (50.19.0.0 - 50.19.255.255)?

I was also thinking I could edit the XML config file for this - where does it reside (if this is a better idea)?

-- UPDATE --

My server is using an AWS EC2 instance, and from what I have read, the security groups only "allow" IP addresses, excluding all others. So, is setting this up in IIS the best idea, or is there another, more efficient way of accomplishing this?

Thanks.

ElHaix

1 Answer


You can add them to the list by translating the CIDR network address length into a subnet mask. /16 happens to translate to 255.255.0.0, because the first 16 bits of that subnet mask are 1.

Similarly, the network address and subnet mask for 54.212.0.0/15 are 54.212.0.0 255.254.0.0 because the first 15 bits of the subnet mask are 1.

If you don't want to do the bit shifting calculations yourself, there are tables all over the internet (here is one).

The concept of classful subnetting is a pretty obsolete and ancient one; there is never a bad time to learn CIDR.

I suspect the configuration file where these items are stored is in %WinDir%\System32\Inetsrv\Config\.

IIS does indeed support IP-based ACLs. You have to install it, because it's not installed by default; the feature name is "IP address and domain restrictions". Here is a tutorial on how to set that up.

Falcon Momot
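A scripted version of the translation described in the answer, added here as an example and not part of the original post: PowerShell using the WebAdministration module that ships with the IIS management tools. It converts a prefix length into the dotted subnet mask IIS expects and adds each range as a deny entry; the site name "Default Web Site" and the two sample ranges (taken from the thread) are assumptions.

```powershell
# Added example (not from the original answer). Requires the IIS management
# tools ("IP Address and Domain Restrictions" installed); run elevated.
Import-Module WebAdministration

function ConvertTo-SubnetMask {
    # /16 -> 255.255.0.0, /15 -> 255.254.0.0: the first N bits of the mask are 1.
    param([Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength)
    # 2^32 - 2^(32-N) is the 32-bit integer with exactly the top N bits set.
    $mask  = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    $bytes = [BitConverter]::GetBytes($mask)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }   # most significant octet first
    return ($bytes -join '.')
}

function ConvertFrom-Cidr {
    # Splits "50.19.0.0/16" into the network address and dotted mask IIS expects.
    param([Parameter(Mandatory)][string]$Cidr)
    $network, $prefix = $Cidr.Trim() -split '/', 2
    if (-not $prefix) { $prefix = 32 }               # a bare address denies a single host
    $ip = [System.Net.IPAddress]::Parse($network)   # throws on malformed input
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 ranges are handled here: $Cidr"
    }
    [pscustomobject]@{
        IpAddress  = $ip.IPAddressToString
        SubnetMask = ConvertTo-SubnetMask -PrefixLength ([int]$prefix)
    }
}

function Add-IisDenyRange {
    # Adds one deny entry to the site's ipSecurity collection, skipping duplicates.
    param([Parameter(Mandatory)][string]$Cidr, [string]$Site = 'Default Web Site')  # site name assumed
    $entry  = ConvertFrom-Cidr $Cidr
    $psPath = "IIS:\Sites\$Site"
    $filter = 'system.webServer/security/ipSecurity'
    $dup = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" |
        Where-Object { $_.ipAddress -eq $entry.IpAddress -and $_.subnetMask -eq $entry.SubnetMask }
    if ($dup) { Write-Verbose "Skipping $Cidr (already listed)"; return }
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value @{
        ipAddress  = $entry.IpAddress
        subnetMask = $entry.SubnetMask
        allowed    = 'False'
    }
}

# Sample ranges quoted in the thread; for a full list, feed it from a file instead
# (e.g. Get-Content .\aws-ranges.txt, one CIDR per line; file name assumed).
$ranges = @('50.19.0.0/16', '54.212.0.0/15')
foreach ($r in $ranges) { Add-IisDenyRange -Cidr $r -Verbose }
```

The entries land in the site's ipSecurity section of applicationHost.config under the %WinDir%\System32\Inetsrv\Config\ path mentioned in the answer, so a quick Get-WebConfiguration on the same filter confirms what was written.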