
Blocking whole netblocks

Spenser

Active member
#1
Hi!

Is there a way to block netblocks that don't have /8, /16 or /24 masks?

Example: there is a lot of SPAM from PEG from the network 142.4.96.0/19. I would like to block the whole netblock. Any way to do this?


Thanks!
 

Biker

Well-known member
#2
That mask you refer to is called CIDR and is exactly what you're looking for. You can add that CIDR to iptables and the entire address range associated with 142.4.96.0/19 will be blocked.
 

Spenser

Active member
#4
No, I can't.
In front of the server I run Cloudflare to prevent DDoS and hacking attacks, and thus I can't block traffic using iptables as there is no direct connection to the client.
 

EQnoble

Well-known member
#5
Have you tried adding any of them to your /admin.php?banning/ips

Haven't tried it myself but I would guess it should help you.

Code:
142.4.96.*
142.4.97.*
142.4.98.*
142.4.99.*
142.4.100.*
142.4.101.*
142.4.102.*
142.4.103.*
142.4.104.*
142.4.105.*
142.4.106.*
142.4.107.*
142.4.108.*
142.4.109.*
142.4.110.*
142.4.111.*
142.4.112.*
142.4.113.*
142.4.114.*
142.4.115.*
142.4.116.*
142.4.117.*
142.4.118.*
142.4.119.*
142.4.120.*
142.4.121.*
142.4.122.*
142.4.123.*
142.4.124.*
142.4.125.*
142.4.126.*
142.4.127.*
 

EQnoble

Well-known member
#7
Blocking via admin panel only supports /8, /16 and /24. I want to add "odd" numbers like /19 or /20.

the above covers this ->142.4.96.0/19

and if I am not mistaken 142.4.127.* is = 142.4.127.0/24
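Added example, not part of any post in this thread: a Python sketch that expands a CIDR block such as 142.4.96.0/19 into the octet-aligned wildcard entries an admin panel limited to /8, /16 and /24 can accept, and checks an address against the result. The function names are hypothetical, and the shorter wildcard forms ("a.*", "a.b.*") are an assumption modelled on the "142.4.96.*" syntax used above.

```python
import ipaddress


def cidr_to_wildcards(cidr):
    """Expand an IPv4 CIDR block into octet-aligned wildcard patterns.

    The prefix is rounded up to the next octet boundary (/8, /16 or /24) and
    one pattern is emitted per resulting subnet, so the patterns cover exactly
    the addresses in the block and nothing outside it.
    """
    # strict=True rejects a base address with host bits set,
    # e.g. 142.4.100.0/19, which would otherwise be silently realigned.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 blocks are handled")
    if net.prefixlen > 24:
        raise ValueError("blocks smaller than a /24 cannot be written as wildcards")
    # Ceiling to a multiple of 8, with /8 as the widest wildcard form.
    target = max(8, -(-net.prefixlen // 8) * 8)
    keep = target // 8  # number of fixed leading octets
    patterns = []
    for sub in net.subnets(new_prefix=target):
        octets = str(sub.network_address).split(".")
        patterns.append(".".join(octets[:keep]) + ".*")
    return patterns


def is_blocked(ip, patterns):
    """Return True if the address matches any wildcard pattern."""
    addr = str(ipaddress.ip_address(ip))  # validates and normalises input
    # Each pattern minus '*' ends in '.', so "142.4.9." cannot match 142.4.96.x
    return any(addr.startswith(p[:-1]) for p in patterns)


if __name__ == "__main__":
    entries = cidr_to_wildcards("142.4.96.0/19")
    print(len(entries), "entries")
    print("\n".join(entries))
```

Generating the list and checking its length against the expected subnet count (32 entries for a /19) catches gaps that are easy to introduce when typing the ranges by hand.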
 

Mike Edge

Well-known member
#9
Enable Client IP in Header in your httpd daemon. You'll now have the user's real IP traffic the server not the CF masking, allowing you to block them in CSF or iptables.
 

Mike

XenForo developer
Staff member
#12
iptables is too low level, so you're right - you won't be able to use that. I'm not sure if you can do any config like this in CloudFlare itself.
 

Spenser

Active member
#14
Cloudflare isn't helpful in this as it seems that the captchas are circumvented manually. Right now most captcha-based spam prevention systems don't work.

Right now I have made up a way to add the ranges to a .htaccess.
I'd rather have it covered at Xenforo.