All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Get all IP ranges from an AS number
One of my clients wanted to block a few social networking websites. Since they have no IPv6 (yet) I figured the simplest way was to block access to the entire IP range. This won't work for all the CDN networks they use, but it does get you started.
To find all the ranges beloning to an AS number you can query the whois.radb.net
server with the AS number.
For Facebook for example:
whois -h whois.radb.net '!gAS32934'
A1063
204.15.20.0/22 69.63.176.0/20 66.220.144.0/20 66.220.144.0/21 69.63.184.0/21 69.63.176.0/21 74.119.76.0/22 69.171.255.0/24 173.252.64.0/18 69.171.224.0/19 69.171.224.0/20 103.4.96.0/22 69.63.176.0/24 173.252.64.0/19 173.252.70.0/24 31.13.64.0/18 31.13.24.0/21 66.220.152.0/21 66.220.159.0/24 69.171.239.0/24 69.171.240.0/20 31.13.64.0/19 31.13.64.0/24 31.13.65.0/24 31.13.67.0/24 31.13.68.0/24 31.13.69.0/24 31.13.70.0/24 31.13.71.0/24 31.13.72.0/24 31.13.73.0/24 31.13.74.0/24 31.13.75.0/24 31.13.76.0/24 31.13.77.0/24 31.13.96.0/19 31.13.66.0/24 173.252.96.0/19 69.63.178.0/24 31.13.78.0/24 31.13.79.0/24 31.13.80.0/24 31.13.82.0/24 31.13.83.0/24 31.13.84.0/24 31.13.85.0/24 31.13.86.0/24 31.13.87.0/24 31.13.88.0/24 31.13.89.0/24 31.13.90.0/24 31.13.91.0/24 31.13.92.0/24 31.13.93.0/24 31.13.94.0/24 31.13.95.0/24 69.171.253.0/24 69.63.186.0/24 31.13.81.0/24 179.60.192.0/22 179.60.192.0/24 179.60.193.0/24 179.60.194.0/24 179.60.195.0/24 185.60.216.0/22 45.64.40.0/22 204.15.20.0/22 69.63.176.0/20 69.63.176.0/21 69.63.184.0/21 66.220.144.0/20 69.63.176.0/20
For CloudVPS:
whois -h whois.radb.net '!gAS35470'
A248
194.60.207.0/24 79.170.88.0/21 89.31.96.0/21 217.170.21.0/24 193.138.204.0/22 178.18.80.0/20 31.3.96.0/21 141.138.192.0/20 212.32.226.0/24 37.34.48.0/21 37.230.96.0/21 93.191.128.0/21 185.21.188.0/22 213.187.240.0/21 85.222.224.0/21 185.3.208.0/22
To find an AS number, you can query this whois server with the IP address. Linode for example:
$ whois -h whois.radb.net 178.79.155.1
route: 178.79.128.0/18
descr: Linode-2
origin: AS15830
mnt-by: Linode-mnt
changed: [email protected] 20100510
source: RIPE
remarks: ****************************
remarks: * THIS OBJECT IS NOT VALID
remarks: * Please note that all personal data has been removed from this object.
remarks: * To view the original object, please query the RIPE Database at:
remarks: * http://www.ripe.net/whois
remarks: ****************************
And then their AS number:
$ whois -h whois.radb.net '!gAS15830'
A3937
217.68.16.0/22 217.20.46.0/24 [...] 213.52.183.0/24 213.52.182.0/24 212.111.40.0/24
A block can then be issued with the following iptables
command:
iptables -A INPUT -d 217.68.16.0/22 -j DROP
Where -d
is the destination you want to make unreachable.
If you have the ipset
extension enabled you can create a set of all the ranges:
ipset -N blocked_nets nethash
ipset -A blocked_nets 194.60.207.0/24
ipset -A blocked_nets 79.170.88.0/21
ipset -A blocked_nets 89.31.96.0/21
ipset -A blocked_nets 217.170.21.0/24
ipset -A blocked_nets 193.138.204.0/22
ipset -A blocked_nets 178.18.80.0/20
ipset -A blocked_nets 31.3.96.0/21
ipset -A blocked_nets 141.138.192.0/20
ipset -A blocked_nets 212.32.226.0/24
ipset -A blocked_nets 37.34.48.0/21
ipset -A blocked_nets 37.230.96.0/21
ipset -A blocked_nets 93.191.128.0/21
ipset -A blocked_nets 185.21.188.0/22
ipset -A blocked_nets 213.187.240.0/21
ipset -A blocked_nets 85.222.224.0/21
ipset -A blocked_nets 185.3.208.0/22
And create the rules to filter based on the ipset
, which is faster when you have a large amount of IP's and ranges.
iptables -I INPUT -m set --match-set blocked_nets src,dst -j DROP
Forwarding packets with SNAT and DNAT using an ipset is not possible.
Comments
Nice, just remember some have more than one AS (DO for example).
Nevermind, I can't read.
Linode do not use their own AS, you queried the entire DC.
Https://www.enjen.net/asn-blocklist/
sh ip bgp regexp asnumber$ (only from this asn originated prefixes)
or
sh ip bgp regexp asnumber (with customer prefixes)
on a cisco router with fulltable
@Mun's tool is more accurate, actually.