If you're running a Linux server exposed to the internet, you've likely encountered brute force attacks or unauthorized access attempts. These often come from specific geographic regions (like China in this case) and use sequential IP addresses within the same range.
The challenge is that attackers frequently rotate IPs within the same subnet, making individual IP blocking ineffective. A more efficient solution is to block entire IP ranges.
To block IP ranges effectively, you need to understand CIDR (Classless Inter-Domain Routing) notation. This represents IP address ranges concisely:
116.10.191.0/24 = 116.10.191.0 to 116.10.191.255
116.10.0.0/16 = 116.10.0.0 to 116.10.255.255
For the example IP 116.10.191.207, we can block the entire 116.10.191.* range (a /24 subnet):
sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
iptables rules live only in kernel memory and are lost at reboot. To make them persist:
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
For multiple ranges, create a script (run as root, since iptables needs CAP_NET_ADMIN):
#!/bin/bash
# Block every CIDR range listed below. Run as root (or via sudo).
set -euo pipefail

# List of CIDR ranges to block
RANGES=(
"116.10.191.0/24"
"123.123.123.0/24"
"45.45.45.0/24"
)

for range in "${RANGES[@]}"; do
    # -C checks whether an identical rule already exists, so re-running the
    # script does not pile up duplicate rules
    if ! iptables -C INPUT -s "$range" -j DROP 2>/dev/null; then
        # -A appends; if an earlier INPUT rule already ACCEPTs this traffic,
        # use -I INPUT 1 instead so the DROP is evaluated first
        iptables -A INPUT -s "$range" -j DROP
    fi
done
Check active iptables rules with:
sudo iptables -L -n -v
For large numbers of ranges, ipset is more efficient: one iptables rule matches against a hash set instead of the kernel walking one rule per range:
sudo apt-get install ipset
sudo ipset create china-range hash:net
sudo ipset add china-range 116.10.191.0/24
sudo iptables -I INPUT -m set --match-set china-range src -j DROP
Note that the set's contents are stored separately from the iptables rules: the set must exist (restored from a saved copy with ipset restore) before the rule that references it is loaded at boot, or that rule fails to load.
Regularly review your logs and adjust rules:
sudo tail -f /var/log/auth.log | grep 'Failed password'
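The steps above (read the failed logins out of auth.log, work out which /24 each attacker belongs to, and feed the result to ipset) can be automated. The following is an added example, not code from the original post: it parses a constructed sample of sshd lines in auth.log format, counts failures per /24 with Python's standard ipaddress module, keeps only blocks that exceed a threshold (a single failure from a /24 is not evidence of a rotating attacker), and emits text for ipset restore. The set name china-range is taken from the commands above; the threshold of 3 and the sample log lines are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sshd lines in /var/log/auth.log format (not real log data).
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed password for root from 116.10.191.207 port 41022 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for invalid user admin from 116.10.191.208 port 41030 ssh2
Mar  1 10:00:05 host sshd[1203]: Failed password for root from 116.10.191.209 port 41041 ssh2
Mar  1 10:00:09 host sshd[1204]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
Mar  1 10:00:12 host sshd[1205]: Failed password for root from 198.51.100.77 port 43000 ssh2
Mar  1 10:00:15 host sshd[1206]: Failed password for root from 116.10.191.210 port 41055 ssh2
"""

FAILED_RE = re.compile(r"Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def failed_login_ips(log_text):
    """Return the source IP of every 'Failed password' line, in log order."""
    matches = (FAILED_RE.search(line) for line in log_text.splitlines())
    return [m.group(1) for m in matches if m]


def covered_by(ip, cidr):
    """True if ip lies inside the CIDR block (the membership test CIDR notation expresses)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def aggregate_by_prefix(ips, prefix_len=24):
    """Count failures per /prefix_len network, e.g. 116.10.191.207 -> 116.10.191.0/24."""
    counts = Counter()
    for ip in ips:
        # strict=False lets ipaddress zero the host bits for us
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def candidate_blocks(counts, threshold=3):
    """Networks with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(net for net, n in counts.items() if n >= threshold)


def ipset_restore_script(set_name, networks):
    """Text for `ipset restore`: create the hash:net set if absent, then add each block.
    -exist makes both operations idempotent so the script can be re-applied safely."""
    lines = [f"create {set_name} hash:net -exist"]
    lines += [f"add {set_name} {net} -exist" for net in networks]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ips = failed_login_ips(SAMPLE_AUTH_LOG)
    blocks = candidate_blocks(aggregate_by_prefix(ips))
    # Pipe this output into `sudo ipset restore`, then add the single match-set rule
    print(ipset_restore_script("china-range", blocks), end="")
    print("iptables -I INPUT -m set --match-set china-range src -j DROP")
```

Run it against a real file with `python3 block_ranges.py < /var/log/auth.log` after swapping the constructed sample for sys.stdin; the only change in behaviour is the input. Raising prefix_len to 16 aggregates the same failures into /16 blocks, which is the trade-off the /16 example above makes: fewer rules, far more collateral addresses.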
When dealing with persistent hacking attempts from a specific geographic region (in this case China), you'll notice attackers often use IP addresses from contiguous blocks. Manually blocking individual IPs with commands like:
sudo /sbin/iptables -A INPUT -s 116.10.191.207 -j DROP
becomes ineffective as attackers rotate through nearby IPs in the same subnet.
The most efficient solution is to block entire IP ranges using CIDR (Classless Inter-Domain Routing) notation. For the example IP 116.10.191.207, we can block the entire /24 subnet (256 addresses) with:
sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
Here are some example CIDR blocks of different sizes, to show how much each rule covers:
# Block entire /16 network (65,536 addresses)
sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP
# Block multiple specific /24 networks
sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
sudo iptables -A INPUT -s 116.10.192.0/24 -j DROP
# Block a /15 network (131,072 addresses); shown as an example stand-in for a
# provider block such as China Telecom's AS4134. A real AS announces many
# separate prefixes, so look them up rather than assuming a single /15.
sudo iptables -A INPUT -s 116.10.0.0/15 -j DROP
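The blocks above overlap: 116.10.0.0/15 already contains 116.10.0.0/16, which already contains both /24s, so adding all of them only lengthens the INPUT chain. Before loading a list like this it is worth auditing it for redundant entries and for blocks wide enough that the DROP needs to be a deliberate choice. The following is an added example, not code from the original page; it uses Python's ipaddress module on the constructed list PROPOSED_BLOCKS, and the 65,536-address limit in oversized_blocks is an assumed threshold.

```python
import ipaddress

# Constructed list: the four prefixes from the commands above (not a real block list).
PROPOSED_BLOCKS = [
    "116.10.191.0/24",
    "116.10.192.0/24",
    "116.10.0.0/16",
    "116.10.0.0/15",
]


def block_size(cidr):
    """Number of IPv4 addresses a prefix covers: 2 ** (32 - prefix length)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def redundant_blocks(cidrs):
    """Prefixes fully contained in another prefix of the list; their rule adds
    nothing once the wider block is installed."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in nets if any(n != m and n.subnet_of(m) for m in nets)]


def collapse_blocks(cidrs):
    """Minimal set of non-overlapping networks covering the same addresses:
    contained prefixes are dropped and adjacent ones are merged."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def oversized_blocks(cidrs, max_addresses=65536):
    """Blocks wider than max_addresses (assumed limit), flagged so that dropping a
    whole provider is a conscious decision rather than a side effect."""
    return [c for c in cidrs if block_size(c) > max_addresses]


if __name__ == "__main__":
    for c in PROPOSED_BLOCKS:
        print(f"{c:20} {block_size(c):>8} addresses")
    print("redundant:", redundant_blocks(PROPOSED_BLOCKS))
    print("collapsed:", collapse_blocks(PROPOSED_BLOCKS))
    print("oversized:", oversized_blocks(PROPOSED_BLOCKS))
```

Feeding collapse_blocks() output into the RANGES array or the ipset set keeps the rule set minimal; the size check is the counterpart of the packet counters from iptables -L -n -v, which tell you after the fact how much traffic a wide block is actually absorbing.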
On Ubuntu, iptables rules don't persist after reboot. Install and use iptables-persistent:
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
For broader coverage, the xt_geoip module can match on the source country instead of on individual prefixes:
# Install required packages
sudo apt-get install xtables-addons-common libtext-csv-xs-perl
# Download GeoIP database
sudo /usr/lib/xtables-addons/xt_geoip_dl
# Block all Chinese IPs
sudo iptables -A INPUT -m geoip --src-cc CN -j DROP
The downloaded CSV must be converted into the binary database under /usr/share/xt_geoip with xt_geoip_build (in the same directory) before the geoip match can load; its arguments differ between xtables-addons versions, so check the man page of the installed version. Bear in mind that a country-wide DROP also discards legitimate traffic from that country, and that GeoIP data is only as current as the last download.
Always check your active rules with:
sudo iptables -L -n -v
The packet and byte counters shown for each rule tell you whether your blocks are actually matching traffic; a DROP rule whose counters stay at zero is either unnecessary or placed after a rule that accepts the traffic first.