Blocking whole netblocks

Spenser

Active member
Hi!

Is there a way to block netblocks that don't have /8, /16 or /24 masks?

Example: there is a lot of SPAM from PEG from the network 142.4.96.0/19. I would like to block the whole netblock. Any way to do this?


Thanks!
 

Biker

Well-known member
That mask you refer to is called CIDR and is exactly what you're looking for. You can add that CIDR to iptables and the entire address range associated with 142.4.96.0/19 will be blocked.
 

Spenser

Active member
No, I can't.
In front of the server I run cloudflare to prevent ddos and hacking attacks and thus I can't block traffic using iptables as there is no direct connection to the client.
 

EQnoble

Well-known member
Have you tried adding any of them to your /admin.php?banning/ips

Haven't tried it myself but I would guess it should help you.

Code:
142.4.96.*
142.4.97.*
142.4.98.*
142.4.99.*
142.4.100.*
142.4.101.*
142.4.102.*
142.4.103.*
142.4.104.*
142.4.105.*
142.4.106.*
142.4.107.*
142.4.108.*
142.4.109.*
142.4.110.*
142.4.111.*
142.4.112.*
142.4.113.*
142.4.114.*
142.4.115.*
142.4.116.*
142.4.117.*
142.4.118.*
142.4.119.*
142.4.120.*
142.4.121.*
142.4.122.*
142.4.123.*
142.4.124.*
142.4.125.*
142.4.126.*
142.4.127.*
 

Spenser

Active member
Blocking via admin panel only supports /8, /16 and /24. I want to add "odd" numbers like /19 or /20.
 

EQnoble

Well-known member
the above covers this ->142.4.96.0/19

and if I am not mistaken 142.4.127.* is = 142.4.127.0/24
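
An added example, not part of any post in this thread and not XenForo code: a Python helper that expands a CIDR block into the octet-wildcard entries discussed above (one entry per /8, /16 or /24) and reports entries that a hand-typed list lacks. The function names are hypothetical, and it assumes the ban form takes entries in the 142.4.96.* style shown in the thread.

```python
import ipaddress


def cidr_to_wildcards(cidr):
    """Return octet-wildcard ban entries (a.*, a.b.*, a.b.c.*) covering an IPv4 CIDR block."""
    # strict=True rejects input such as 142.4.97.0/19, where host bits are set.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("wildcard entries are IPv4 only")
    if net.prefixlen > 24:
        # Smaller than a /24: no wildcard fits, so list every address in the block.
        return [str(ip) for ip in net]
    # Round the prefix up to the next octet boundary and split the block there.
    boundary = next(b for b in (8, 16, 24) if b >= net.prefixlen)
    keep = boundary // 8  # number of leading octets that stay fixed
    return [
        ".".join(str(sub.network_address).split(".")[:keep]) + ".*"
        for sub in net.subnets(new_prefix=boundary)
    ]


def missing_entries(cidr, entries):
    """Entries the block needs that a hand-typed list lacks, in address order."""
    have = {e.strip() for e in entries if e.strip()}
    return [w for w in cidr_to_wildcards(cidr) if w not in have]


if __name__ == "__main__":
    # The /19 from this thread expands to 32 /24 wildcard entries.
    for entry in cidr_to_wildcards("142.4.96.0/19"):
        print(entry)
```

A /19 sits between the /16 and /24 boundaries, so it always expands to 2^(24-19) = 32 entries; running missing_entries over a pasted list confirms none was dropped.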
 

Mike Edge

Well-known member
Enable Client IP in Header in your httpd daemon. You'll now have the user's real IP traffic the server not the CF masking, allowing you to block them in CSF or iptables.
 

Mike

XenForo developer
Staff member
iptables is too low level, so you're right - you won't be able to use that. I'm not sure if you can do any config like this in CloudFlare itself.
 

Spenser

Active member
Cloudflare isn't helpful in this as it seems that the captchas are circumvented manually. Right now most captcha-based spam prevention systems don't work.

Right now I have made up a way to add the ranges to a .htaccess.
I'd rather have it covered at XenForo.
 