homepage Welcome to WebmasterWorld Guest from 54.196.62.23
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque

Webmaster General Forum

    
Anyone know of a script: exclude IP ranges but allow certain IPs
motorhaven

10+ Year Member



 
Msg#: 4529883 posted 12:51 pm on Dec 20, 2012 (gmt 0)

Not really sure which section this belongs in, not Apache, since this is firewall related, not search engine spiders since I already know what I want to block.

Anyway, here's the problem:

Like many others, my servers get hit on daily basis with a huge number of abusive requests from Amazon AWS ranges. I want to block these at the firewall level, and I have the IP ranges to do so. The issue is I use a couple of advertising services such as VigLink and GumGum which come through Amazon IPs. These have a few dozen IPs.

So, I'm looking for a tool or script which I can enter the IP ranges I want to block, but it rewrites them into smaller pieces so they are written "around" the IPs I want to allow in. I've searched Google to no available, and writing these by hand with a single netmask tool is a daunting task.

Anyone know of such a tool/script?

 

lucy24

WebmasterWorld Senior Member lucy24 us a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



 
Msg#: 4529883 posted 11:20 pm on Dec 20, 2012 (gmt 0)

I've got a bit of javascript that works in the opposite direction: Feed it a string of IP addresses (in numerical order, because that's always been the form I get things in) and it collapses them into the biggest possible blocks, leaving holes for the ones I left out. F'rinstance

38.0.0.0
...all the way through
38.255.0.0
but leaving out one /16 in the middle (I'll find out which in a moment, I just deleted at random) yields

38.0.0.0/11
38.32.0.0/15
38.34
38.36.0.0/14
38.40.0.0/13
38.48.0.0/12
38.64.0.0/10
38.128.0.0/9

... which tells me I left a hole for 38.35 ;)

Wasn't there another thread just a few days ago that asked a similar question?

motorhaven

10+ Year Member



 
Msg#: 4529883 posted 11:35 pm on Dec 20, 2012 (gmt 0)

I have something similar, a Perl script which will collapse IPs and IP ranges into the smallest number of ranges.

I don't know if I explained it well enough for everyone (though I believe you understand :) ) so here's an example:

Have the range:
52.0.0.0/16 for example.
I have 2 IPs in this range I need to let through. Feed the range into the program as well as the IPs to exclude. It should spit out:

Range 1
(my first excluded IP)
Range 2
(my second excluded IP)
Range 3

Obviously it would be more than 3 ranges, because I'm excluding single IPs instead of blocks which fit neatly into normal netmasks, but the above is the general idea.

I have them working pretty neatly in my Apache setup, but frankly I'm tired of it wasting resources even if its only to feed them 403 codes. I'd much rather have them eat NULL, lol.

lucy24

WebmasterWorld Senior Member lucy24 us a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



 
Msg#: 4529883 posted 5:11 am on Dec 21, 2012 (gmt 0)

Does your firewall code use CIDR ranges, Regular Expressions, or direct numbers (like "192-223")? Can it do toggles, like "lock out everything matching A unless it also matches B"? Obviously when I answered I was thinking strictly in terms of CIDR ranges.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved