Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed

Get all IP ranges from an AS number

Published: 04-01-2015 | Author: Remy van Elst | Text only version of this article


❗ This post is over nine years old. It may no longer be up to date. Opinions may have changed.

One of my clients wanted to block a few social networking websites. Since they have no IPv6 (yet) I figured the simplest way was to block access to the entire IP range. This won't work for all the CDN networks they use, but it does get you started.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!

To find all the ranges beloning to an AS number you can query the whois.radb.net server with the AS number.

For Facebook for example:

whois -h whois.radb.net '!gAS32934'
A1063
204.15.20.0/22 69.63.176.0/20 66.220.144.0/20 66.220.144.0/21 69.63.184.0/21 69.63.176.0/21 74.119.76.0/22 69.171.255.0/24 173.252.64.0/18 69.171.224.0/19 69.171.224.0/20 103.4.96.0/22 69.63.176.0/24 173.252.64.0/19 173.252.70.0/24 31.13.64.0/18 31.13.24.0/21 66.220.152.0/21 66.220.159.0/24 69.171.239.0/24 69.171.240.0/20 31.13.64.0/19 31.13.64.0/24 31.13.65.0/24 31.13.67.0/24 31.13.68.0/24 31.13.69.0/24 31.13.70.0/24 31.13.71.0/24 31.13.72.0/24 31.13.73.0/24 31.13.74.0/24 31.13.75.0/24 31.13.76.0/24 31.13.77.0/24 31.13.96.0/19 31.13.66.0/24 173.252.96.0/19 69.63.178.0/24 31.13.78.0/24 31.13.79.0/24 31.13.80.0/24 31.13.82.0/24 31.13.83.0/24 31.13.84.0/24 31.13.85.0/24 31.13.86.0/24 31.13.87.0/24 31.13.88.0/24 31.13.89.0/24 31.13.90.0/24 31.13.91.0/24 31.13.92.0/24 31.13.93.0/24 31.13.94.0/24 31.13.95.0/24 69.171.253.0/24 69.63.186.0/24 31.13.81.0/24 179.60.192.0/22 179.60.192.0/24 179.60.193.0/24 179.60.194.0/24 179.60.195.0/24 185.60.216.0/22 45.64.40.0/22 204.15.20.0/22 69.63.176.0/20 69.63.176.0/21 69.63.184.0/21 66.220.144.0/20 69.63.176.0/20

For CloudVPS:

whois -h whois.radb.net '!gAS35470'
A248
194.60.207.0/24 79.170.88.0/21 89.31.96.0/21 217.170.21.0/24 193.138.204.0/22 178.18.80.0/20 31.3.96.0/21 141.138.192.0/20 212.32.226.0/24 37.34.48.0/21 37.230.96.0/21 93.191.128.0/21 185.21.188.0/22 213.187.240.0/21 85.222.224.0/21 185.3.208.0/22

To find an AS number, you can query this whois server with the IP address. Linode for example:

$ whois -h whois.radb.net  178.79.155.1
route:          178.79.128.0/18
descr:          Linode-2
origin:         AS15830
mnt-by:         Linode-mnt
changed:        tasaro@linode.com 20100510
source:         RIPE
remarks:        ****************************
remarks:        * THIS OBJECT IS NOT VALID
remarks:        * Please note that all personal data has been removed from this object.
remarks:        * To view the original object, please query the RIPE Database at:
remarks:        * http://www.ripe.net/whois
remarks:        ****************************

And then their AS number:

$ whois -h whois.radb.net '!gAS15830'
A3937
217.68.16.0/22 217.20.46.0/24 [...] 213.52.183.0/24 213.52.182.0/24 212.111.40.0/24

A block can then be issued with the following iptables command:

iptables -A INPUT -d 217.68.16.0/22 -j DROP

Where -d is the destination you want to make unreachable.

If you have the ipset extension enabled you can create a set of all the ranges:

ipset -N blocked_nets nethash
ipset -A blocked_nets 194.60.207.0/24
ipset -A blocked_nets 79.170.88.0/21
ipset -A blocked_nets 89.31.96.0/21
ipset -A blocked_nets 217.170.21.0/24
ipset -A blocked_nets 193.138.204.0/22
ipset -A blocked_nets 178.18.80.0/20
ipset -A blocked_nets 31.3.96.0/21
ipset -A blocked_nets 141.138.192.0/20
ipset -A blocked_nets 212.32.226.0/24
ipset -A blocked_nets 37.34.48.0/21
ipset -A blocked_nets 37.230.96.0/21
ipset -A blocked_nets 93.191.128.0/21
ipset -A blocked_nets 185.21.188.0/22
ipset -A blocked_nets 213.187.240.0/21
ipset -A blocked_nets 85.222.224.0/21
ipset -A blocked_nets 185.3.208.0/22

And create the rules to filter based on the ipset, which is faster when you have a large amount of IP's and ranges.

iptables -I INPUT -m set --match-set blocked_nets src,dst -j DROP
Tags: as , block , firewall , iptables , radb , ripe , snippets , whois