ip route command with a range, not a CIDR

2

1

I have a list of IPs such as these country ones from i-blocklist: https://www.iblocklist.com/lists.php?category=country

They only provide ranges without a subscription, such as: 201.237.0.0-201.237.255.255

I need to route a few of those lists out a specific interface on a server but I don't see an option in ip route to specify a range in the above notation.

Any ideas?

hacktek

Posted 2018-04-16T05:24:08.913

Reputation: 21

2 Why do you need to specify a range? The network address is obvious - 201.237.0.0/16. – Appleoddity – 2018-04-16T05:37:33.010

@Appleoddity Looking at a sample file (I took the first one - Andorra) - it's not as immediately obvious for a lot of ranges - of course it can be worked out, but they have for example 194.158.64.0-194.158.95.255 - so a /19 – davidgo – 2018-04-16T07:02:11.540

That's right, the one provided was simply an example but some countries have hundreds of ranges. – hacktek – 2018-04-17T01:59:00.263

Answers

3

The netmask tool can be very handy to convert a range to a CIDR:

$ netmask 201.237.0.0:201.237.255.255
201.237.0.0/16
$ netmask 201.238.3.0:201.238.9.255
201.238.3.0/24
201.238.4.0/22
201.238.8.0/23

You should also see whether using ipset or the iptables geoip module (part of xtables-addons) wouldn't be more useful than using those ranges directly.

For geoip, look at this usage example in this Q/A: Ubuntu IPTables allow only allow 1 country

A.B

Posted 2018-04-16T05:24:08.913

Reputation: 2 008

I think this (and a combination of the one-liner in one of the answers below) might be my best bet. Gonna give it a shot but liking what I see. Thanks a lot! – hacktek – 2018-04-17T01:51:03.633

1

Expanding on A.B's answer, you can convert an entire list to CIDR notation using

for each in `cut -f2 -d":" ad  | tr "-" ":"` ; do netmask $each 2>/dev/null; done

Or to IP/Netmask notation with

 for each in `cut -f2 -d":" ad  | tr "-" ":"` ; do netmask -s $each 2>/dev/null; done

So to push all the IPs from a particular range through a particular interface you could do something like

Putting it together you could create a command with a script as below - removing the "echo" and finishing the iptables command as appropriate for your requirements:

#! /bin/bash
# Reads the "Country:start-end" list in the file "ad", converts every range to
# address/netmask form with netmask(1), and prints one route command per
# entry; remove the echo and finish the command to suit your requirements.

TMPFILE="/dev/shm/$$.del"
trap 'rm -f "$TMPFILE"' EXIT     # clean up the temp file on exit

# Field 2 after the ":" is the range; turning "-" into ":" gives netmask's
# start:end syntax.  -s prints address/netmask instead of CIDR.
for each in `cut -f2 -d":" ad  | tr "-" ":"`
do
        netmask -s "$each" 2>/dev/null
done > "$TMPFILE"

while read -r each
do
        ROUTE=${each%/*}        # everything before the "/": network address
        NETMASK=${each#*/}      # everything after the "/": dotted netmask
        echo /sbin/route add "$ROUTE" netmask "$NETMASK" ....
done < "$TMPFILE"

davidgo

Posted 2018-04-16T05:24:08.913

Reputation: 49 152

Beautiful (just had to make sure the file only had each range of IPs, one per line, as the one from the site includes the country name in front of each one). – hacktek – 2018-04-17T01:56:08.493

The first half "cut" statement takes care of the country name. – davidgo – 2018-04-17T02:21:25.783

Ah you're right, initially it didn't work cause I was actually missing the netmask package. Great! – hacktek – 2018-04-17T03:50:04.707
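As an added example, not code from the question or from either answer above, the following Python script implements the greedy range-to-CIDR split that netmask performs in A.B's answer, then applies it to a whole list in the i-blocklist "Country:start-end" format and emits one ip route command per block, the same end result as davidgo's script. The sample list is constructed and the interface name eth1 is an assumption.

```python
import ipaddress

# Constructed sample in the i-blocklist "Country:start-end" text format (not real list data).
SAMPLE_LIST = """\
Andorra:194.158.64.0-194.158.95.255
Example:201.237.0.0-201.237.255.255
Example:201.238.3.0-201.238.9.255
"""

def range_to_cidrs(start, end):
    """Split an inclusive IPv4 range into the fewest CIDR blocks by repeatedly taking
    the largest block that is aligned at the current start and does not pass the end.
    This reproduces the decomposition netmask(1) prints."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError(f"range start {start} is after its end {end}")
    blocks = []
    while lo <= hi:
        prefix = 32  # a /32 at lo is always aligned and always fits
        while prefix > 0:
            size = 1 << (33 - prefix)  # size of the next larger block, /(prefix-1)
            if (lo & (size - 1)) != 0 or lo + size - 1 > hi:
                break  # either not aligned or it would overshoot the range end
            prefix -= 1
        blocks.append(ipaddress.IPv4Network((lo, prefix)))
        lo += 1 << (32 - prefix)
    return blocks

def parse_blocklist(text):
    """Yield (name, start, end) from 'Name:start-end' lines; blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rng = line.rpartition(":")  # split on the last ':' in case a name has one
        start, _, end = rng.partition("-")
        yield name, start.strip(), end.strip()

def route_commands(text, iface):
    """One 'ip route add' per CIDR block, the equivalent of the echo step in the script above."""
    return [f"ip route add {net} dev {iface}"
            for _name, start, end in parse_blocklist(text)
            for net in range_to_cidrs(start, end)]

if __name__ == "__main__":
    for cmd in route_commands(SAMPLE_LIST, "eth1"):  # eth1 is an assumed interface name
        print(cmd)
```

Ranges whose start or end is not aligned (such as one beginning at .1) decompose into many small blocks, which is why country lists can produce far more routes than they have lines.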

1

There is no such thing as range routing. You can route subnets (as close to the desired range as you need) and supplement that with however many other independent IPs, not included in the subnets, you need.

In your example, 201.237.0.0-201.237.255.255 is not a range, it's the subnet 201.237.0.0/16. You can route it in one shot.

A range would be something like 201.237.0.1-201.237.1.3, which would be impossible to route under this format. In this scenario, you would need to route 201.237.0.0/24 and separately 201.237.1.0/30, so you basically cover it with 2 routes, but that's an easy one. Things can get much more complicated.

Overmind

Posted 2018-04-16T05:24:08.913

Reputation: 8 562

Indeed, which is why I asked how to route that since it was not possible in that form; transforming to CIDR notation programmatically appears to be the general consensus. – hacktek – 2018-04-17T01:57:53.837

Yes, depending on the device you need the configuration on you either have to use "/", netmask or wildcard mask. – Overmind – 2018-04-17T04:47:38.597