How to block an IP range using Apache .htaccess - Apache Web Server forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

How to block an IP range using Apache .htaccess

Trying to confirm a thorough example.

JAB Creations

10:30 am on May 12, 2005 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

For some time I've been trying to figure out how to block ip ranges (some may search for deny ip block) by using the full begining and ending ip addresses. I am a simple man and do not possess an engineering degree nor am I mechanically inclined. So when I learn I learn by a simple yet direct way of explaining things.

Now I know to block a single ip address you use this...

deny from 200.73.174.183

I did a little reading and a ton of searching and have concluded to block an ip range of 67.18.0.0 - 67.18.0.255 you should use...

deny from 67.18.0.0/255

My understanding is that 18.0.0 through 18.0.255 is represented as 0/255 (that which denotes that portion of the ip as begining and ending using JUST that quarter portion of the ip address in order to make a percieved range).

Now to expand, if the range is greater and say we want to block a range of 67.18.0.0 to 67.19.255.255 you should use...

deny from 67.18/19

This takes the second set (out of which could be 0-255) and chooses (18-19 and all their subsets) to be included in the ip address range.

I just want to know if everything I stated is correct and if not (be in in full or in part) what I am wrong about and how it really works.

jdMorgan

6:14 pm on May 12, 2005 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

This stuff is rather complex. It involves converting the octets (the groups of numbers delimited by the periods) of the address or address range to binary, and then generating a "mask" that is used during comparison of the incoming address and the specified allow/deny directives.

A basic example would be that you want to deny 192.168.192.0 through 192.168.255.255

In binary (use the Windows calculator or equivalent) that is 11000000.10101000.11000000.00000000 through 11000000.10101000.11111111.11111111

Having derived that, you now need to generate either a netmask or a CIDR. The easiest way to do it is to line up the start/end addresses vertically, and then examine them to see which bits change between the first and last address of the range. Then mark those that don't change with ones and those that do with zeroes:

11000000.10101000.11000000.00000000
11000000.10101000.11111111.11111111
-----------------------------------
11111111.11111111.11000000.00000000

This yields the netmask, which when converted back to decimal octets is 255.255.192.0

To get a CIDR, you count the number of ones from the left, in this case 18.

So, you would use


Deny from 192.168.192.0/255.255.192.0 (Network/Netmask pair -or-
Deny from 192.168.192.0/18 (Network/nnn CIDR specification

Note that when the netmask contains trailing octets containing all zeroes, you can simply leave them off and use a simple partial IP address.

An example would be 172.0.0.0 through 172.0.0.255, which could be specified as a partial IP address as:


Deny from 172.0.0.

For more information, do a search for "Netmask" and "CIDR." There are also several online netmask and CIDR generators avaialble. In addition, if you look up your problem IP addresses in ARIN, the CIDR value is often given in the data record containing that IP address.

Unfortunately, this is as simple as it gets.

Jim

sitz

6:16 pm on May 12, 2005 (gmt 0)

10+ Year Member

I'm not personally familiar with that syntax; it /may/ work (and testing it is easy enough). However, I'd probably use the notation described in mod_access's allow documentation [httpd.apache.org]. For more information on netmasks and Classless Internet Domain Routing, I'd suggest googling on "cidr blocks" [google.com].