# How to ban a block of IPs with 'route add'



## Gio01 (Oct 1, 2011)

Hi, I want to block a certain class of IPs on my server using *route add*. I know how to ban a single IP but not in a block.
Example 0.0.0.0-1.1.1.1, like that. How to?

Thank you


----------



## draco003 (Oct 1, 2011)

Hey Gio01,

In order to specify a range of IP addresses you would use the netmask option in the route command.

An example:

`$ route ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.1`

This would match the IP range from 192.168.1.0 - 192.168.1.255


Another approach would be to specify a CIDR (Classless Inter-Domain Routing) like this:

`$ route ADD 192.168.1.0/24`

This will match the IP range from 192.168.1.0 - 192.168.1.255

You need to read more about Subnetting and CIDR.


*References:*

Wiki: Subnetting
Similar Question on Superuser.com
Conversion Tool from IP to CIDR and vice versa
IP Address Subnetting Tutorial


----------



## gkontos (Oct 1, 2011)

If I may add, modifying routing tables to block certain networks is not a proper way.
You are not blocking any traffic this way. You are just fooling your gateway into sending packets somewhere else other than their proper destination.  

Use PF, IPFW or any other packet filtering firewall for this.

George


----------



## draco003 (Oct 1, 2011)

I agree with you, George.

Just wanted to point Gio01 toward using the subnetting technique as it might be helpful in some other configurations.


----------



## aragon (Oct 1, 2011)

Actually most routers have a blackholing feature which can be used to drop traffic based on its destination address, including FreeBSD:

`# route add -net 192.168.0.0/24 -blackhole`


----------



## ecazamir (Oct 5, 2011)

gkontos said:

> If I may add, modifying routing tables to block certain networks is not a proper way.
> You are not blocking any traffic this way. You are just fooling your gateway into sending packets somewhere else other than their proper destination.
> 
> Use PF, IPFW or any other packet filtering firewall for this.
> ...



It may be wrong, unless the device used as target is the discard device:
To block communication with 1.2.3.0/24, the following code is fine; it will block any outgoing packet to the specified network:

```
/sbin/ifconfig disc0 create
/sbin/route add -net 1.2.3.0/24 -iface disc0
```


----------
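
A range such as the 0.0.0.0-1.1.1.1 from the original question is not a single netmask or CIDR block, so it has to be split into aligned blocks before it can be passed to the `route add -net ... -blackhole` form shown above (or loaded into a PF/IPFW table). The script below is an added example, not code from any poster in this thread; the function names are made up for illustration, the sample range is constructed, and it only prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the thread): split a start-end IPv4 range into CIDR blocks.
# Assumes the shell does 64-bit arithmetic (true for FreeBSD sh, dash and bash).

ip2int() {  # dotted quad -> integer; rejects malformed input
    case $1 in *[!0-9.]*|*..*|.*|*.) echo "bad address: $1" >&2; return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad address: need four octets" >&2; return 1; }
    for o in "$@"; do
        # a leading zero would be read as octal by $(( )), so refuse it
        case $o in 0?*) echo "leading zero in octet: $o" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "octet out of range: $o" >&2; return 1; }
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

range_to_cidrs() {  # prints the minimal list of CIDR blocks covering $1..$2
    start=$(ip2int "$1") || return 1
    end=$(ip2int "$2") || return 1
    [ "$start" -le "$end" ] || { echo "range start is above range end" >&2; return 1; }
    while [ "$start" -le "$end" ]; do
        bits=32; size=1
        # grow the block while it stays aligned on $start and inside the range
        while [ "$bits" -gt 0 ]; do
            next=$(( size * 2 ))
            [ $(( start % next )) -eq 0 ] || break
            [ $(( start + next - 1 )) -le "$end" ] || break
            size=$next; bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + size ))
    done
}

blackhole_cmds() {  # prints (does not run) one blackhole route per block
    nets=$(range_to_cidrs "$1" "$2") || return 1
    for net in $nets; do
        echo "route add -net $net -blackhole"
    done
}

# Constructed sample range inside the 192.0.2.0/24 documentation network.
blackhole_cmds 192.0.2.5 192.0.2.130
```

As the thread notes, these routes match on destination: the host still receives packets from the listed networks and only its outgoing packets to them are discarded, so filtering inbound traffic still needs PF or IPFW.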

