Anyone know of a script: exclude IP ranges but allow certain IPs

Forum Moderators: phranque

Message Too Old, No Replies

Anyone know of a script: exclude IP ranges but allow certain IPs

motorhaven

12:51 pm on Dec 20, 2012 (gmt 0)

Not really sure which section this belongs in, not Apache, since this is firewall related, not search engine spiders since I already know what I want to block.

Anyway, here's the problem:

Like many others, my servers get hit on daily basis with a huge number of abusive requests from Amazon AWS ranges. I want to block these at the firewall level, and I have the IP ranges to do so. The issue is I use a couple of advertising services such as VigLink and GumGum which come through Amazon IPs. These have a few dozen IPs.

So, I'm looking for a tool or script which I can enter the IP ranges I want to block, but it rewrites them into smaller pieces so they are written "around" the IPs I want to allow in. I've searched Google to no available, and writing these by hand with a single netmask tool is a daunting task.

Anyone know of such a tool/script?

lucy24

11:20 pm on Dec 20, 2012 (gmt 0)

I've got a bit of javascript that works in the opposite direction: Feed it a string of IP addresses (in numerical order, because that's always been the form I get things in) and it collapses them into the biggest possible blocks, leaving holes for the ones I left out. F'rinstance

38.0.0.0
...all the way through
38.255.0.0
but leaving out one /16 in the middle (I'll find out which in a moment, I just deleted at random) yields

38.0.0.0/11
38.32.0.0/15
38.34
38.36.0.0/14
38.40.0.0/13
38.48.0.0/12
38.64.0.0/10
38.128.0.0/9

... which tells me I left a hole for 38.35 ;)

Wasn't there another thread just a few days ago that asked a similar question?

motorhaven

11:35 pm on Dec 20, 2012 (gmt 0)

I have something similar, a Perl script which will collapse IPs and IP ranges into the smallest number of ranges.

I don't know if I explained it well enough for everyone (though I believe you understand :) ) so here's an example:

Have the range:
52.0.0.0/16 for example.
I have 2 IPs in this range I need to let through. Feed the range into the program as well as the IPs to exclude. It should spit out:

Range 1
(my first excluded IP)
Range 2
(my second excluded IP)
Range 3

Obviously it would be more than 3 ranges, because I'm excluding single IPs instead of blocks which fit neatly into normal netmasks, but the above is the general idea.

I have them working pretty neatly in my Apache setup, but frankly I'm tired of it wasting resources even if its only to feed them 403 codes. I'd much rather have them eat NULL, lol.

lucy24

5:11 am on Dec 21, 2012 (gmt 0)

Does your firewall code use CIDR ranges, Regular Expressions, or direct numbers (like "192-223")? Can it do toggles, like "lock out everything matching A unless it also matches B"? Obviously when I answered I was thinking strictly in terms of CIDR ranges.