
Redirect a range of IP addresses, best way?


whitenoise

9:17 am on Mar 31, 2015 (gmt 0)


Hey everyone,

Sorry to bother you with another question. I have the following Rewrite rule with an IP address:

RewriteCond %{REMOTE_HOST} ^22\.333\.444\.555$ [OR]
RewriteCond %{REMOTE_HOST} ^11\.22\.333\.333$


Now using the second line as an example, say I want to block a range of IPs rather than listing them individually. Which of the following is the best (or does it not matter?), as they both 'seem' to work?

RewriteCond %{REMOTE_HOST} ^11\.22\.33*


or

RewriteCond %{REMOTE_HOST} ^11\.22\.33


Thanks for your help.

penders

9:59 am on Mar 31, 2015 (gmt 0)


You should be using REMOTE_ADDR, not REMOTE_HOST to check the IP address of the client. REMOTE_HOST is the resolved host (if your server is set to do so and if it can be resolved) - but will return the IP address if it doesn't resolve (so it will sometimes work, but is dependent on your server).

If you are checking for an exact match you can use the "=" prefix, to match a string and not a regular expression:

RewriteCond %{REMOTE_ADDR} =22.333.444.555


^11\.22\.33* 
^11\.22\.33


These two regular expressions match different things. The first will match "11.22.33", "11.22.333", "11.22.3333", "11.22.33333", etc. (The * repeats the previous element 0 or more times.) Whereas the second will match any IP address that starts "11.22.33". So the second is probably what you intended, although I would have thought you would want to match a trailing dot... "^11\.22\.33\."? So you match the first 3 whole sections?

wilderness

1:45 pm on Mar 31, 2015 (gmt 0)


The following or any portion of the range may be used for each Class:
0-255

([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])

When you start breaking the above down to more precise ranges the expressions and complications will increase.
EX:
#exclude all except 39
([0-9]|[124-9][0-9]|3[0-8]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])

whitenoise

9:53 am on Apr 1, 2015 (gmt 0)


Many thanks to you both, very helpful. Penders, based on your example below

RewriteCond %{REMOTE_ADDR} ^11\.22\.33\.


Wouldn't that not match 11.22.333 or 11.22.334 for example? By leaving it at ^11\.22\.33 doesn't it match anything after the 33 at all; so whether there is another number there, or it moves to the fourth section?

penders

11:52 am on Apr 1, 2015 (gmt 0)


(Trying to not stumble on the double negative...) Yes, that would not match 11.22.333 or 11.22.334. And yes, by leaving it at ^11\.22\.33 it will match anything after the 33 at all.

I only mentioned the trailing dot as that would generally be more common (normally more useful). But YMMV.

lucy24

8:48 pm on Apr 1, 2015 (gmt 0)


<opposing viewpoint>
Using mod_rewrite for IP-based access control is shooting flies with an elephant rifle. It's much faster and simpler to have a universal
Deny from 11.22.33

Otherwise you will end up with a RewriteRule that has several hundred conditions. mod_authz works in CIDR ranges and doesn't require anchors, so you can also say things like
Deny from 11.22.33.0/23

which can get awfully convoluted in mod_rewrite. (Rumor has it Apache 2.4 supports CIDR ranges in a RewriteCond, but I've yet to see the actual documentation, and I'm still using 2.2 throughout.)
</o. v.>

that would not match 11.22.333 or 11.22.334.

It wouldn't need to. No reason to spell out the rest of the IP once you've passed the unambiguous part.
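The following is an added worked example, not code from any of the posters above. It checks the three points made in the thread against a constructed list of sample addresses: penders' comparison of ^11\.22\.33*, ^11\.22\.33 and ^11\.22\.33\. (and the "=" exact-string form), wilderness' octet character classes, and lucy24's partial-IP and CIDR forms for mod_authz. Python's re module agrees with PCRE on this subset of syntax, and the script evaluates a CondPattern the way mod_rewrite does, as an unanchored search unless ^ or $ is present. The octet class here is written with 2[0-4][0-9]|25[0-5] so that it stops at 255; a class ending in 2[0-5][0-9] also admits 256 to 259, which the OCTET_LOOSE constant demonstrates. The sample addresses, the helper names and the assumption that a partial address like "11.22.33" means 11.22.33.0/24 are all part of this example; the last is what the Apache documentation says Deny from does with a partial address.

```python
import ipaddress
import re

# Constructed sample client addresses for this demonstration (not from any real
# log); they reuse the placeholder octets the thread itself uses.
SAMPLE_ADDRS = [
    "11.22.3.7",      # third octet begins with "3" only
    "11.22.32.9",     # adjacent /24, inside 11.22.33.0/23
    "11.22.33.7",
    "11.22.33.200",
    "11.22.34.1",
    "11.22.333.1",    # not a valid IPv4 octet, but a regex does not know that
    "11.22.334.1",
    "11.22.3333.1",
    "111.22.33.1",
]


def cond_matches(addr, cond_pattern):
    """Evaluate a RewriteCond CondPattern against a REMOTE_ADDR value.

    A leading '=' asks for a plain string comparison (penders' exact form);
    anything else is a regular expression, applied as an unanchored search
    exactly as mod_rewrite does, so only '^' and '$' pin it down.
    """
    if cond_pattern.startswith("="):
        return addr == cond_pattern[1:]
    return re.search(cond_pattern, addr) is not None


def matching_addrs(cond_pattern, addrs=SAMPLE_ADDRS):
    """Return the sample addresses a CondPattern would match, in order."""
    return [a for a in addrs if cond_matches(a, cond_pattern)]


# Octet classes. OCTET covers 0-255; OCTET_EXCEPT_39 is the "all except 39"
# variant; OCTET_LOOSE ends in 2[0-5][0-9] and therefore also admits 256-259.
OCTET = r"(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"
OCTET_EXCEPT_39 = r"(?:[0-9]|[124-9][0-9]|3[0-8]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"
OCTET_LOOSE = r"(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])"


def octet_values(octet_re):
    """Set of integers in 0..999 that the class accepts as a whole octet."""
    whole = re.compile(r"^" + octet_re + r"$")
    return {n for n in range(1000) if whole.match(str(n))}


def ip_regex(octet_re):
    """Anchored pattern for a full dotted-quad built from one octet class."""
    return r"^" + r"\.".join([octet_re] * 4) + r"$"


def partial_ip_to_network(prefix):
    """Network meant by a partial address such as 'Deny from 11.22.33'.

    Assumption made by this example: 1 to 3 leading octets name the /8, /16
    or /24 they start, which is how Apache's Deny/Require ip treat them.
    """
    parts = prefix.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 dotted octets: %r" % prefix)
    padded = parts + ["0"] * (4 - len(parts))
    return ipaddress.ip_network(".".join(padded) + "/%d" % (8 * len(parts)))


def addr_in_network(addr, cidr):
    """True if addr falls inside cidr (e.g. '11.22.33.0/23').

    strict=False lets 11.22.33.0/23 stand for 11.22.32.0/23, which is what
    a /23 written that way covers: 11.22.32.0 through 11.22.33.255.
    """
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    for pat in (r"^11\.22\.33*", r"^11\.22\.33", r"^11\.22\.33\."):
        print("%-16s matches %s" % (pat, matching_addrs(pat)))
    print("octet 0-255 class accepts:", sorted(octet_values(OCTET) - set(range(256))) or "nothing above 255")
    print("loose class also accepts:", sorted(octet_values(OCTET_LOOSE) - set(range(256))))
    print("Deny from 11.22.33 ==", partial_ip_to_network("11.22.33"))
    print("11.22.32.9 in 11.22.33.0/23:", addr_in_network("11.22.32.9", "11.22.33.0/23"))
```

Running it shows why the trailing dot matters: ^11\.22\.33* matches every sample address that starts with 11.22.3 (the * lets the second 3 repeat zero times), ^11\.22\.33 takes in 11.22.333.x and 11.22.3333.x as well, and only ^11\.22\.33\. is confined to the 11.22.33.0/24 block that Deny from 11.22.33 names directly.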