I have a list of ranges for IP addresses that I want to block, the ranges are like 210.80.32.0 to 210.80.63.255

How can I dynamically determine the right 210.80.32.0/NUMBER to capture the full range?

sudo ufw deny 210.80.32.0/???

I am reading these IP ranges in once a month from text files to add to my firewall rules, I tear the firewall down once a month and rebuild it to capture any changes in these ranges. Currently I am just doing lowerrange/20 in the rule.

So I need to get the two network values by splitting the string on "." and then do the math to determine how many there are, and add a rule for each network?

JoGotta

1 Answer

You are using CIDR notation here. You may want to read more about CIDR notation and subnet masks.

In your example, you could break out the two networks into:

  1. 210.80.32.0/24
  2. 210.80.33.0/24

This translates to:

  • 255.255.255.0

or:

  1. 210.80.32.0-254
  2. 210.80.33.0-254

You should now be able to perform:

sudo ufw deny 210.80.32.0/24 && sudo ufw deny 210.80.33.0/24

Other examples

You could block 210.80.0.0/16, which would block 210.80.0-254.0-254, but this will block IPs in ranges not specified in the original post.

earthmeLon
  • So programmatically I have to break the start and end range IP addresses apart and see if the networks differ.. then for each difference I need to add a rule? – JoGotta Feb 19 '16 at 19:56
  • You're more than welcome to look at the [CIDR notation page](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) and determine if there is a single subnet that will work for you. Given the information you provided, this is how I would handle the situation as it has no bleedover and covers what you need. Also, it's easy to remember and clear to see for yourself in the future in case you need to make modifications. – earthmeLon Feb 19 '16 at 20:20
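The question asks how to turn a start/end pair such as 210.80.32.0 to 210.80.63.255 into the right /NUMBER, and the follow-up comment asks whether that means pulling the addresses apart and adding one rule per differing network. The script below is an added example, not code from the question or from the answer above. It uses the standard library's `ipaddress.summarize_address_range`, which computes the minimal set of CIDR blocks that exactly covers any inclusive range, so nothing has to be split on "." by hand; an aligned range comes out as one block and an unaligned range as several. The blocklist lines, the function names and the `ufw deny from <cidr>` output form are assumptions made for the example; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges, not real targets.

```python
import ipaddress
import re
import sys
from typing import List, Tuple

# Constructed sample input (not from the original post): one range per line,
# in the loose forms a hand-maintained text file tends to contain.
SAMPLE_RANGES = """\
# blocklist, refreshed monthly
210.80.32.0 to 210.80.63.255
192.0.2.10-192.0.2.20
198.51.100.7
"""

# Accept "A to B", "A-B" or "A B" as the separator between range ends.
_SEP = re.compile(r"\s+to\s+|\s*-\s*|\s+")


def parse_range_line(line: str) -> Tuple[str, str]:
    """Split one blocklist line into (first, last); a lone address is its own range."""
    body = line.split("#", 1)[0].strip()          # drop trailing comments
    parts = [p for p in _SEP.split(body) if p]
    if len(parts) == 1:
        return parts[0], parts[0]
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"cannot parse range line: {line!r}")


def _bounds(first: str, last: str):
    """Validate and convert the two ends of a range to address objects."""
    start = ipaddress.ip_address(first.strip())
    end = ipaddress.ip_address(last.strip())
    if start.version != end.version:
        raise ValueError(f"mixed IP versions in range {first}-{last}")
    if start > end:
        raise ValueError(f"range start is after its end: {first}-{last}")
    return start, end


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks covering exactly first..last (inclusive).

    A CIDR block is always a power-of-two number of addresses starting at a
    multiple of that size, so an unaligned range needs several blocks.
    """
    start, end = _bounds(first, last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def not_covered(cidr: str, first: str, last: str) -> List[str]:
    """Parts of first..last that a single CIDR rule leaves unblocked.

    strict=True rejects a prefix whose host bits are not zero (e.g. 210.80.33.0/20),
    which ufw would otherwise silently widen to the enclosing block.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    start, end = _bounds(first, last)
    if net.version != start.version:
        raise ValueError(f"{cidr} and {first}-{last} are different IP versions")
    gaps = []
    if start < net.network_address:                # range begins below the block
        gaps += ipaddress.summarize_address_range(start, min(end, net.network_address - 1))
    if end > net.broadcast_address:                # range continues past the block
        gaps += ipaddress.summarize_address_range(max(start, net.broadcast_address + 1), end)
    return [str(n) for n in gaps]


def ufw_commands(text: str) -> List[str]:
    """Turn blocklist text into one 'ufw deny from <cidr>' per covering block."""
    cmds = []
    for raw in text.splitlines():
        if not raw.split("#", 1)[0].strip():
            continue                               # blank or comment-only line
        first, last = parse_range_line(raw)
        for cidr in range_to_cidrs(first, last):
            cmds.append(f"ufw deny from {cidr}")
    return cmds


if __name__ == "__main__":
    # Usage: python ranges_to_ufw.py blocklist.txt   (defaults to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RANGES
    print("\n".join(ufw_commands(text)))
```

For the range in the question the script emits the single block 210.80.32.0/19, and `not_covered("210.80.32.0/20", "210.80.32.0", "210.80.63.255")` reports 210.80.48.0/20 as the half that a hard-coded /20 leaves open, which is the kind of check worth running over the whole file before each monthly rebuild. The output is printed rather than executed on purpose: review the generated rules, then pipe them through `sudo sh` or add them to the rebuild script.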