9

I read the guide from apache site but I'm a bit confused, I'm trying to ban some ranges using this syntax:

order allow,deny
deny from 127.0.55.0/127.0.75.255
deny from 127.0.235.0/127.0.255.255
allow from all

But I think it's not working properly, probably the syntax is wrong or I'm using it in the wrong way, where should I write this text in htaccess? before the other lines or after? in the same htaccess file there're some mod rewrite script too (for anti-hotlinking).

Arco
  • 103
  • 1
  • 1
  • 6

2 Answers2

14

I've come to this answer using apache documentation.

You can give an address range using ip/netmask pair : 

deny from 127.0.55.0/24

However, since range 55 - 75 are not power of two, I don't see how to make a range out of them. I'd add several rules.

order allow,deny
deny from 127.0.55.0/24  // Matches 55
deny from 127.0.56.0/21  // Matches 56 to 64
deny from 127.0.64.0/21  // Matches 64 to 71
deny from 127.0.72.0/22  // Matches 72 to 75

deny from 127.0.235.0/24 // Matches 235
deny from 127.0.236.0/22 // Matches 236 to 239
deny from 127.0.240.0/21 // Matches 240 to 255
allow from all

should work.

NB: Remove the comments after // before pasting into htaccess

d-stroyer
  • 2,638
  • 2
  • 19
  • 31
  • I'm a bit newbie about IPs and htaccess, I thought the numbers in an IP are in ascending order, like: 127.0.55.0, 127.0.55.1, 127.0.55.2 etc, or it's not like that? – Arco Aug 22 '13 at 13:20
  • Sure it is. What I wrote in my answer are IP/Netmask pairs. A netmask allows grouping IP addresses (like a filter or a regexp does on text, the netmask does on the IP address). so 127.0.55.0/255.255.255.0 matches 127.0.55.* ; while 127.0.56.0/255.255.248.0 matches 127.0.64.0 to 127.0.71.255 – d-stroyer Aug 23 '13 at 11:50
  • 1
    For more explanation : [here](http://www.dslreports.com/faq/15216) is some step-by-step on calculating a subnet mask. – d-stroyer Aug 23 '13 at 11:52
  • I tested this method but htaccess keeps ignoring the IPs, then I used a CIDR converter and this format is working now: deny from 127.0.55.0/24 deny from 127.0.56.0/21 deny from 127.0.64.0/21 deny from 127.0.72.0/22 – Arco Aug 23 '13 at 13:28
  • @KyousukeKyaa Thanks. I updated my answer to match your experience - for the record. – d-stroyer Aug 23 '13 at 14:11
  • 2
    On apache 2.4 `deny from` as been changed by `Require not ip` sources : https://httpd.apache.org/docs/2.4/fr/howto/access.html – Froggiz Nov 20 '15 at 10:30
0
order allow,deny
deny from 2001:4200::/32
deny from 2001:4210::/32
deny from 2001:4218::/32
deny from 2001:4220::/32
deny from 2001:4228::/32
deny from 2001:4238::/32
deny from 2001:4248::/32
deny from 2001:4250::/32
allow from all

along these lines how to add a redirect to another website for a very long deny list that blocks a lot of countries in htaccess

dkerr
  • 11
  • 1