
Blocking whole netblocks

Discussion in 'XenForo Questions and Support' started by Spenser, May 20, 2013.

  1. Spenser

    Spenser Active Member

    Hi!

    Is there a way to block netblocks that don't have /8, /16 or /24 masks?

    Example: there is a lot of SPAM from PEG from the network 142.4.96.0/19. I would like to block the whole netblock. Any way to do this?


    Thanks!
     
  2. Biker

    Biker Well-Known Member

    That mask you refer to is called CIDR and is exactly what you're looking for. You can add that CIDR to iptables and the entire address range associated with 142.4.96.0/19 will be blocked.
     
  3. EQnoble

    EQnoble Well-Known Member

    ssh to your server as root
    ip route add blackhole 142.4.96.0/19
     
  4. Spenser

    Spenser Active Member

    No, I can't.
    In front of the server I run cloudflare to prevent ddos and hacking attacks and thus I can't block traffic using iptables as there is no direct connection to the client.
     
  5. EQnoble

    EQnoble Well-Known Member

    Have you tried adding any of them to your /admin.php?banning/ips

    Haven't tried it myself but I would guess it should help you.

    Code:
    142.4.96.*
    142.4.97.*
    142.4.98.*
    142.4.99.*
    142.4.100.*
    142.4.101.*
    142.4.102.*
    142.4.103.*
    142.4.104.*
    142.4.105.*
    142.4.106.*
    142.4.107.*
    142.4.108.*
    142.4.109.*
    142.4.110.*
    142.4.111.*
    142.4.112.*
    142.4.113.*
    142.4.114.*
    142.4.115.*
    142.4.116.*
    142.4.117.*
    142.4.118.*
    142.4.119.*
    142.4.120.*
    142.4.121.*
    142.4.122.*
    142.4.123.*
    142.4.124.*
    142.4.125.*
    142.4.126.*
    142.4.127.*
     
  6. Spenser

    Spenser Active Member

    Blocking via admin panel only supports /8, /16 and /24. I want to add "odd" numbers like /19 or /20.
     
  7. EQnoble

    EQnoble Well-Known Member

    the above covers this ->142.4.96.0/19

    and if I am not mistaken 142.4.127.* is = 142.4.127.0/24
     
  8. Spenser

    Spenser Active Member

    OK, but I don't want to add lots of /24 ranges if one /19 covers all this.
     
  9. The Forum Heroes

    The Forum Heroes Well-Known Member

    Enable Client IP in Header in your httpd daemon. You'll now have the user's real IP traffic the server not the CF masking, allowing you to block them in CSF or iptables.
     
  10. Spenser

    Spenser Active Member

    I don't see a way to access http headers from iptables.
     
  11. The Forum Heroes

    The Forum Heroes Well-Known Member

    You need to configure httpd to do it. It is in your httpd.conf
     
  12. Mike

    Mike XenForo Developer Staff Member

    iptables is too low level, so you're right - you won't be able to use that. I'm not sure if you can do any config like this in CloudFlare itself.
     
  13. EQnoble

    EQnoble Well-Known Member

  14. Spenser

    Spenser Active Member

    Cloudflare isn't helpful in this as it seems that the captchas are circumvented manually. Right now most captcha-based spam prevention systems don't work.

    Right now I have made up a way to add the ranges to a .htaccess.
    I'd rather have it covered at Xenforo.
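
Added example, not part of any post in this thread: a Python sketch that expands a netblock such as 142.4.96.0/19 into the octet-aligned wildcard entries an admin panel limited to /8, /16 and /24 can take, and reports entries missing from a hand-typed list. The function names are hypothetical, and the `a.b.*` and `a.*` forms for /16 and /8 are an assumption; only the `a.b.c.*` form appears in the thread.

```python
import ipaddress


def cidr_to_wildcards(cidr):
    """Expand an IPv4 CIDR block into octet-aligned wildcard patterns.

    /19 -> thirty-two 'a.b.c.*' entries, /12 -> sixteen 'a.b.*' entries
    (the 'a.b.*' and 'a.*' spellings are assumed, see lead-in).
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    if net.version != 4:
        raise ValueError("only IPv4 netblocks are handled here")
    if net.prefixlen > 24:
        # A wildcard on the last octet would ban more than the netblock.
        raise ValueError("narrower than /24: a wildcard would over-block")
    # Round the prefix up to the next octet boundary (8, 16 or 24).
    target = max(8, -(-net.prefixlen // 8) * 8)
    keep = target // 8  # number of fixed leading octets
    patterns = []
    for sub in net.subnets(new_prefix=target):
        octets = str(sub.network_address).split(".")[:keep]
        patterns.append(".".join(octets) + ".*")
    return patterns


def missing_patterns(entered, cidr):
    """Return the wildcard entries needed for cidr that 'entered' lacks."""
    have = {line.strip() for line in entered if line.strip()}
    return [p for p in cidr_to_wildcards(cidr) if p not in have]


def in_netblock(ip, cidr):
    """True if a client address (e.g. taken from a proxy header) is in cidr."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    block = "142.4.96.0/19"
    wanted = cidr_to_wildcards(block)
    print(len(wanted), "entries:", wanted[0], "to", wanted[-1])
    # Constructed sample: a hand-typed list with one entry left out.
    typed = [p for p in wanted if p != "142.4.110.*"]
    print("missing:", missing_patterns(typed, block))
    print(in_netblock("142.4.127.9", block), in_netblock("142.4.128.9", block))
```
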
     
