RewriteCond

         

xt35

5:56 am on Aug 18, 2006 (gmt 0)

10+ Year Member



Hello,

I have to block the range 000.161.128.0 - 000.162.255.255

A condition like RewriteCond %{REMOTE_ADDR} ^000\.16[12]\.(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])\. is OK or not? I believe it doesn't block the range 000.162.0.0 - 000.162.127.255

Thanks,
xt

jdMorgan

1:12 pm on Aug 18, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> I believe it doesn't block the range 000.162.0.0 - 000.162.127.255

You're right, it does not block 162.0 through 162.255.

The easiest way to do that is to use two RewriteConds, one blocking 000.161.128-255.x and the other blocking 000.162.x.x, both of which are easy to derive from what you've already got. After working them out, you can combine them into one RewriteCond if desired.


RewriteCond %{REMOTE_ADDR} ^000\.161\.(12[89]|1[3-9][0-9]|2[0-5][0-9])\. [OR]
RewriteCond %{REMOTE_ADDR} ^000\.162\.

Note that "it doesn't hurt anything" to test for 200-259, or even 200-299, even though you will never get a request for an IP address octet value above 255 -- This saves some filespace and processing time.

Also, remember that mod_rewrite is not capable of doing a numerical-range compare, it is doing a character-range compare. In other words, mod_rewrite has no idea that these are 'numbers'. That sometimes clarifies things.

Jim

xt35

2:31 pm on Aug 18, 2006 (gmt 0)

10+ Year Member



Yes, I've already written 2 conditions, thanks for the confirmation :)

jdMorgan

2:47 pm on Aug 18, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So you can combine them into:

RewriteCond %{REMOTE_ADDR} ^000\.(161\.(12[89]|1[3-9][0-9]|2[0-5][0-9])|162)\.

which is slightly faster if the code is in .htaccess, but much less "readable" to human eyes...
Don't do this if the code is intended for use in httpd.conf or conf.d -- separate lines will be executed much faster in those config-level files, because they are pre-compiled at server startup, and in that case, the simpler the pattern, the faster the code executes. (Thanks to member andreasfriedrich for the benchmark testing).

Jim

xt35

6:10 pm on Aug 18, 2006 (gmt 0)

10+ Year Member



I'm using htaccess, so I can combine those 2 lines into a single one, thank you for the example.

And thanks for the tip to test for 200-259, it's a good idea.

xt

xt35

7:25 pm on Aug 18, 2006 (gmt 0)

10+ Year Member



One more question.

To block 000.160.0.0 - 000.161.95.255

Is the below condition OK?

RewriteCond %{REMOTE_ADDR} ^000\.(160|(161\.([0-9]|[1-8][0-9]|9[0-5])))\. [OR]

jdMorgan

8:27 pm on Aug 18, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Looks Ok, but you can shorten that to:

RewriteCond %{REMOTE_ADDR} ^000\.(160|161\.([1-8]?[0-9]|9[0-5]))\. [OR]

Since the "?" makes the tens digit optional, it'll match both 0-9 and 10-89. I also removed an unnecessary level of parentheses.

BTW, we're not really in the business of pre-test code reviews here. I'm only commenting because of the tweaks that are possible to your code. It's really more in line with our charter to test first, then post if there is a problem.

It's true you can't test by using someone else's IP address, but you can use an on-line regex tester, or put the IP to match against the regex into a query string, and rewrite to one of two pages that give you an 'in-range' or 'out-of-range' result based on that regex:


# If query string matches regex, show "match" page
RewriteCond %{QUERY_STRING} ^000\.(160|161\.([1-8]?[0-9]|9[0-5]))\.
RewriteRule ^test_ip\.html$ http://www.example.com/match_found.html [R=301,L]
#
# Else show "no match" page
RewriteRule ^test_ip\.html$ http://www.example.com/no_match_found.html [R=301,L]

Request /test_ip.html?192.168.0.1 and you should get /no_match_found.html. Request /test_ip.html?000.161.73.125 and you should get /match_found.html...

That's just one example -- There are many ways to test otherwise "untestable" regex patterns. Just think outside the box and change the server variable you use to test the regex.

Jim

[edited by: jdMorgan at 8:27 pm (utc) on Aug. 18, 2006]
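
An offline check of the patterns in this thread, added here as an example (not code posted by any participant): it enumerates every second/third-octet pair and compares each regex with the intended numeric range, listing addresses the pattern misses or over-matches. The function names are illustrative, and Python's `re` is assumed to handle these simple patterns the same way mod_rewrite's regex engine does.

```python
import re

# Patterns from the thread, with "|" as the alternation character. The leading
# "000" octet is the thread's placeholder and is kept as a literal here.
ORIGINAL = r"^000\.16[12]\.(12[89]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])\."
COMBINED = r"^000\.(161\.(12[89]|1[3-9][0-9]|2[0-5][0-9])|162)\."
SECOND = r"^000\.(160|161\.([1-8]?[0-9]|9[0-5]))\."


def audit(pattern, low, high):
    """Compare a REMOTE_ADDR regex with the numeric range low..high.

    low and high are (second_octet, third_octet) pairs. The patterns stop
    after the third octet's dot, so the fourth octet is fixed at 1.
    Returns (missed, extra): pairs inside the range that the regex does not
    match, and pairs outside the range that it does match.
    """
    rx = re.compile(pattern)
    missed, extra = [], []
    for b in range(256):
        for c in range(256):
            hit = rx.search(f"000.{b}.{c}.1") is not None
            wanted = low <= (b, c) <= high  # numeric compare, for reference
            if wanted and not hit:
                missed.append((b, c))
            elif hit and not wanted:
                extra.append((b, c))
    return missed, extra


def summarize(pairs):
    """Render a sorted list of pairs as 'first - last (count)' for printing."""
    if not pairs:
        return "none"
    (b0, c0), (b1, c1) = pairs[0], pairs[-1]
    return f"000.{b0}.{c0}.x - 000.{b1}.{c1}.x ({len(pairs)} /24 blocks)"


if __name__ == "__main__":
    for name, pat, low, high in [
        ("original", ORIGINAL, (161, 128), (162, 255)),
        ("combined", COMBINED, (161, 128), (162, 255)),
        ("second", SECOND, (160, 0), (161, 95)),
    ]:
        missed, extra = audit(pat, low, high)
        print(f"{name}: missed {summarize(missed)}; extra {summarize(extra)}")
```

Because only octet values 0-255 are generated, the run also shows that widening `25[0-5]` to `2[0-5][0-9]` adds no over-matches.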

xt35

9:27 pm on Aug 18, 2006 (gmt 0)

10+ Year Member



Thank you Jim, you're very helpful.

I didn't know how to test the regex, thanks for the tips.

xt