|Anyone know of a script: exclude IP ranges but allow certain IPs|
Not really sure which section this belongs in, not Apache, since this is firewall related, not search engine spiders since I already know what I want to block.
Anyway, here's the problem:
Like many others, my servers get hit on a daily basis with a huge number of abusive requests from Amazon AWS ranges. I want to block these at the firewall level, and I have the IP ranges to do so. The issue is I use a couple of advertising services such as VigLink and GumGum which come through Amazon IPs. These have a few dozen IPs.
So, I'm looking for a tool or script which I can enter the IP ranges I want to block, but it rewrites them into smaller pieces so they are written "around" the IPs I want to allow in. I've searched Google to no avail, and writing these by hand with a single netmask tool is a daunting task.
Anyone know of such a tool/script?
...all the way through
but leaving out one /16 in the middle (I'll find out which in a moment, I just deleted at random) yields
... which tells me I left a hole for 38.35 ;)
Wasn't there another thread just a few days ago that asked a similar question?
I have something similar, a Perl script which will collapse IPs and IP ranges into the smallest number of ranges.
I don't know if I explained it well enough for everyone (though I believe you understand :) ) so here's an example:
Have the range:
18.104.22.168/16 for example.
I have 2 IPs in this range I need to let through. Feed the range into the program as well as the IPs to exclude. It should spit out:
(my first excluded IP)
(my second excluded IP)
Obviously it would be more than 3 ranges, because I'm excluding single IPs instead of blocks which fit neatly into normal netmasks, but the above is the general idea.
I have them working pretty neatly in my Apache setup, but frankly I'm tired of it wasting resources even if it's only to feed them 403 codes. I'd much rather have them eat NULL, lol.
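An added example, not code from the thread and not the Perl script mentioned above: a Python script that does the carve-out the post asks for with the standard library's ipaddress module. The /16 is the one given in the post (normalised to its network address); the two allowed IPs are constructed, and the audit function catches the "left a hole" mistake from earlier in the thread.

```python
import ipaddress

# Constructed sample input: the /16 from the post plus two hypothetical
# ad-network IPs that must stay reachable.
BLOCK_RANGES = ["18.104.22.168/16"]
ALLOW_IPS = ["18.104.22.168", "18.104.200.5"]


def carve_blocklist(block_ranges, allow_ips):
    """Split each block range into the smallest set of CIDR networks that
    covers every address in it except the allowed IPs."""
    holes = sorted(ipaddress.ip_address(a) for a in allow_ips)
    pieces = []
    for cidr in block_ranges:
        pending = [ipaddress.ip_network(cidr, strict=False)]
        for ip in holes:
            kept = []
            for net in pending:
                if ip in net:
                    # address_exclude yields the sibling subnets on the path
                    # from `net` down to the /32 (or /128) of the hole.
                    kept.extend(net.address_exclude(ipaddress.ip_network(ip)))
                else:
                    kept.append(net)
            pending = kept
        pieces.extend(pending)
    # Merge pieces that came from overlapping or adjacent input ranges.
    return list(ipaddress.collapse_addresses(pieces))


def is_blocked(networks, ip):
    """True if `ip` falls inside any of the generated deny networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit(networks, block_ranges, allow_ips):
    """Sanity check: no allowed IP is covered, and the output accounts for
    every other address in the input ranges (no accidental holes)."""
    inputs = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in block_ranges))
    holes = {ipaddress.ip_address(a) for a in allow_ips}
    holes_inside = sum(1 for h in holes if any(h in n for n in inputs))
    expected = sum(n.num_addresses for n in inputs) - holes_inside
    covered = sum(n.num_addresses for n in networks)
    return covered == expected and not any(is_blocked(networks, h) for h in holes)


if __name__ == "__main__":
    nets = carve_blocklist(BLOCK_RANGES, ALLOW_IPS)
    for net in nets:
        print(net)  # one CIDR per line, ready to paste into a deny rule
    print("audit ok:", audit(nets, BLOCK_RANGES, ALLOW_IPS))
```

Excluding two single IPs from one /16 yields 30 networks, which is the price of punching /32 holes rather than neatly aligned blocks.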
Does your firewall code use CIDR ranges, Regular Expressions, or direct numbers (like "192-223")? Can it do toggles, like "lock out everything matching A unless it also matches B"? Obviously when I answered I was thinking strictly in terms of CIDR ranges.