Ipset - Block an IP Range
Sometimes you may find the need to block a range of IP addresses. I will use archive.org, or the Wayback Machine, as an example. Archive.org ignores robots.txt and makes copies of your website even when you ask it not to. Therefore, it becomes necessary to block them. Here's how you do it.
You will need to install the following packages if you do not already have them.
sudo apt install ipset iptables netfilter-persistent ipset-persistent iptables-persistent
Choose 'Yes' when the installer asks whether to save the current rules.
Now let's enable netfilter-persistent so that it can save our new rules. Without it, all our new rules would be wiped out at the next reboot.
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent
Now let's create a blacklist group and add archive.org's IP address range to the group.
sudo ipset create blacklist hash:net hashsize 4096
sudo ipset add blacklist 207.241.224.0/24
The add blacklist rule above covers all IP addresses from 207.241.224.0 to 207.241.224.255. However, the Wayback Machine's IP address range is much larger: 207.241.224.0 - 207.241.239.255. So the add blacklist command can be written as follows to capture all the IP addresses:
sudo ipset add blacklist 207.241.224.0/20
I've also caught archive.org using the following two Amazon addresses: 3.236.138.35 and 3.237.27.159. The Wayback Machine is operating out of the Amazon Northern Virginia data center. Just to be safe, you could block the entire data center. Bear in mind that 3.224.0.0/12 covers over a million AWS addresses shared by many unrelated services, so expect some legitimate traffic to be dropped as well:
sudo ipset add blacklist 3.224.0.0/12
A CIDR address calculator such as https://www.ipaddressguide.com/cidr is helpful.
Now, let's create a rule to add the blacklist group to iptables.
sudo iptables -I INPUT -m set --match-set blacklist src -j DROP
Note: You will need to re-run the save command. In fact, every time you add new IP addresses to the blacklist group, you will need to re-run the command:
sudo netfilter-persistent save
Running the save command will update the file located at:
/etc/iptables/ipsets
If you want to review the IP addresses in your blacklist (replace blacklist with any other name that you might have chosen for the group):
sudo ipset list blacklist
You will also want to check the iptables rules to make sure that your blacklist is included:
sudo iptables -L --line-numbers
Note: If you are already using Fail2Ban like I am, you will run into the following issue. At reboot, Fail2Ban will load its rules and netfilter-persistent will also load them, causing the Fail2Ban rules to be loaded twice. This can be prevented by editing the rules.v4 file:
sudo nano /etc/iptables/rules.v4
My two Fail2Ban jails are sshd and hacker. The rules netfilter-persistent saved are the lines beginning with -A. They load the IP addresses in the jails in addition to Fail2Ban loading them itself. The related -A lines will need to be deleted.
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-hacker
-A f2b-hacker -s ...
-A f2b-sshd -s ...
The quickest way to perform the edits would be to copy the rules.v4 file to your home directory. Change the ownership from root to yourself. Make the edits with your FTP editor such as WinSCP, and then copy the file back to /etc/iptables as follows.
sudo cp /etc/iptables/rules.v4 /home/robert/rules.v4
sudo chown robert /home/robert/rules.v4
sudo cp /home/robert/rules.v4 /etc/iptables/rules.v4
You can always add more IP addresses to your blacklist. Here I am adding the IP address range used by domaintools.com, since I consider them to be a nuisance.
sudo ipset add blacklist 141.193.213.0/24
After adding more IP addresses to the blacklist, you will again need to re-run the save command to make them persistent (i.e. carry over after the next reboot):
sudo netfilter-persistent save
Again, if you have fail2ban, you will need to re-upload your edited rules.v4 file after each save to prevent your fail2ban jails from being run twice.
sudo cp /home/robert/rules.v4 /etc/iptables/rules.v4
So each time I add a new rule, I run commands like so:
sudo ipset add blacklist 141.193.213.0/24
sudo netfilter-persistent save
sudo cp /home/robert/rules.v4 /etc/iptables/rules.v4
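The routine above, done less by hand: this is an added example, not the post's own commands. cidr_range shows exactly which addresses a block covers before you add it (the post's /24, /20 and /12 ranges), strip_f2b_rules automates the rules.v4 edit that removes Fail2Ban's saved -A lines, and blacklist_add adds a CIDR without creating the set, the rule or the entry twice. The set name blacklist and the paths are the post's; the rules.v4 excerpt is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the ipset blacklist
# workflow: check a CIDR's range, strip Fail2Ban lines from rules.v4, add a
# CIDR idempotently. Set name and paths follow the post; sample data is constructed.

# Convert a 32-bit integer to dotted-quad notation.
to_dotted() {
    echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}

# Print "first last" for an IPv4 CIDR such as 207.241.224.0/20.
cidr_range() {
    ip=${1%/*}; bits=${1#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs      # octets now in $1..$4
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    size=$(( 1 << (32 - bits) ))
    first=$(( n & ~(size - 1) ))                     # clear the host bits
    echo "$(to_dotted "$first") $(to_dotted $(( first + size - 1 )))"
}

# Drop Fail2Ban's saved "-A ... f2b-<jail>" lines from a rules.v4 file (argument
# or stdin) so netfilter-persistent does not load the jails a second time.
strip_f2b_rules() {
    grep -v -E '^-A .*f2b-' "$@"
}

# Constructed rules.v4 excerpt in the shape the post shows.
SAMPLE_RULES_V4=$(printf '%s\n' \
    '*filter' ':INPUT ACCEPT [0:0]' ':f2b-sshd - [0:0]' \
    '-A INPUT -m set --match-set blacklist src -j DROP' \
    '-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd' \
    '-A f2b-sshd -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable' \
    '-A f2b-sshd -j RETURN' 'COMMIT')

# Add one CIDR to the set, ensure the DROP rule exists exactly once, then save.
# -exist makes re-creating or re-adding harmless; -C checks before -I inserts.
blacklist_add() {
    sudo ipset create -exist blacklist hash:net hashsize 4096
    sudo ipset add -exist blacklist "$1"
    sudo iptables -C INPUT -m set --match-set blacklist src -j DROP 2>/dev/null ||
        sudo iptables -I INPUT -m set --match-set blacklist src -j DROP
    sudo netfilter-persistent save
}

# Demonstration on the post's ranges and the constructed file (no root needed).
echo "207.241.224.0/24 covers $(cidr_range 207.241.224.0/24)"
echo "207.241.224.0/20 covers $(cidr_range 207.241.224.0/20)"
echo "3.224.0.0/12 covers $(cidr_range 3.224.0.0/12)"
echo "$SAMPLE_RULES_V4" | strip_f2b_rules
```

To enforce a block, call blacklist_add with the CIDR; to clean a real file, run strip_f2b_rules on /etc/iptables/rules.v4 and copy the output back as the post describes.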
* posted by Robert on Thu, Aug 04, 2022
Site built and hosted by RJdesign.one