Just a quick question,

Is there a singular complete list of NZ ip range?? I am wanting to allow only NZ traffic access to servers.

Thanks
James Guidera
Systems Engineer
Miracle Electronics Ltd
Ph:+64-4-385-1293
Cel: +64-21-705-614
I got this script from Paul of linuxsystems, grabs the APNIC IP database and compiles a list of NZ ip ranges:

#!/usr/local/bin/php
<?php
// Source list; swap in the commented-out line to read a local copy instead.
$in_file = "ftp://ftp.apnic.net/pub/apnic/dbase/data/country-ipv4.lst";
// $in_file = "country-ipv4.lst";
$out_file = "nzipranges.txt";

$handle_input = @fopen($in_file,"r") or die("Unable to open $in_file\n\n");
$handle_output = fopen($out_file, "w");

$now = date ("r");
fwrite ($handle_output,"# Generated: $now\n\n");

while (!feof($handle_input)) {
    $buffer = fgets($handle_input);
    // preg_match() replaces the original ereg() call, which was removed in PHP 7.
    if ( preg_match ( "/nz/", $buffer) ) {
        // echo $buffer;
        // Keep the start address and the prefix length of the range.
        $this_range = trim(preg_replace ( "#([\d\.]+) \- [\d\.]+ : [\d\.]+(\/\d+) .+#","$1$2", $buffer ));
        fwrite ($handle_output,"\n" . $this_range);
    }
}

fclose($handle_input);
fwrite ($handle_output,"\n");
fclose($handle_output);
?>

----- Original Message -----
From: James J. Guidera
To: NZNOG(a)list.waikato.ac.nz
Sent: Thursday, June 30, 2005 9:00 AM
Subject: [nznog] NZ IP-Range

Just a quick question,

Is there a singular complete list of NZ ip range?? I am wanting to allow only NZ traffic access to servers.

Thanks
James Guidera
Systems Engineer
Miracle Electronics Ltd
Ph:+64-4-385-1293
Cel: +64-21-705-614

------------------------------------------------------------------------------
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
Barry Murphy wrote:
I got this script from Paul of linuxsystems, grabs the APNIC IP database and compiles a list of NZ ip ranges:
[trim script]

NB: This will not always work properly, in the case of multinationals that use IP space obtained through a single large registration that do not record their re-delegation information properly, or who have not chosen to make it public.

For example, Stuff lives in 202.135.111.0/24. According to APNIC's DB, the closest match is the /16 supernet, which:

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 202.135.0.0 - 202.135.255.255
netname: ATT-OPENNET-AP
descr: Asia Pacific Operations
descr: AT&T Global Network Services Japan LLC
descr: Tokyo
country: JP

There are a couple of other exceptions where this also won't work as well.

aj
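The caveat above, worked through as an added example (not code from the thread): it parses lines in the "start - end : cidr : cc" layout that the posted scripts assume, matches the country field exactly rather than by substring, collapses adjacent ranges, and shows that an address in 202.135.111.0/24 is missed until it is listed as a local override. The sample lines and the function names are constructed for illustration; only the 202.135.0.0/16 JP registration comes from the whois output quoted here.

```python
import ipaddress

# Constructed sample, in the "start - end : cidr : cc" layout the posted
# scripts assume. Only the 202.135.0.0/16 JP line reflects the thread; the
# trailing description on the last line is hypothetical.
SAMPLE = """\
192.0.2.0 - 192.0.2.127 : 192.0.2.0/25 : nz
192.0.2.128 - 192.0.2.255 : 192.0.2.128/25 : nz
198.51.100.0 - 198.51.100.255 : 198.51.100.0/24 : au
202.135.0.0 - 202.135.255.255 : 202.135.0.0/16 : jp
203.0.113.0 - 203.0.113.255 : 203.0.113.0/24 : kr : franz-net
"""


def parse_country_ranges(text, country="nz"):
    """Return collapsed networks whose country field equals `country`."""
    nets = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(" : ")]
        # Compare the country field itself; a plain substring test for "nz"
        # would also pick up the "franz-net" line.
        if len(fields) < 3 or fields[2].lower() != country:
            continue
        try:
            nets.append(ipaddress.ip_network(fields[1]))
        except ValueError:
            continue  # malformed CIDR: skip rather than emit a bad rule
    # Merge adjacent blocks so the firewall gets fewer, wider rules.
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(addr, registry_nets, local_overrides=()):
    """True if addr is in a registry range or an operator-supplied override."""
    ip = ipaddress.ip_address(addr)
    extra = [ipaddress.ip_network(n) for n in local_overrides]
    return any(ip in net for net in list(registry_nets) + extra)


NZ_NETS = parse_country_ranges(SAMPLE)

if __name__ == "__main__":
    print([str(n) for n in NZ_NETS])
    # Registered under the JP /16, so the registry-derived list misses it.
    print(is_allowed("202.135.111.10", NZ_NETS))
    print(is_allowed("202.135.111.10", NZ_NETS, ["202.135.111.0/24"]))
```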
Maxnet have a nice list online:

http://noc.maxnet.net.nz/nationalroutes/

Cheers,
Jon

-----Original Message-----
From: James J. Guidera [mailto:james(a)miracle.co.nz]
Sent: Thursday, 30 June 2005 9:00 a.m.
To: NZNOG(a)list.waikato.ac.nz
Subject: [nznog] NZ IP-Range

Just a quick question,

Is there a singular complete list of NZ ip range?? I am wanting to allow only NZ traffic access to servers.

Thanks
James Guidera
Systems Engineer
Miracle Electronics Ltd
Ph:+64-4-385-1293
Cel: +64-21-705-614
On Thu, 30 Jun 2005 09:00, James J. Guidera wrote:
Just a quick question,
Is there a singular complete list of NZ ip range?? I am wanting to allow only NZ traffic access to servers.
/usr/bin/wget ftp://ftp.apnic.net/pub/apnic/dbase/data/country-ipv4.lst -O /tmp/country-ipv4.lst
# ${IPTABLES} and the INETIN and TCPACCEPT chains are assumed to be set up
# earlier in the firewall script this fragment belongs to.
for NZIP in `cat /tmp/country-ipv4.lst |grep nz | awk '{print $5}'` ; do
    echo Allowing ${NZIP}
    ${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 -s $NZIP -j TCPACCEPT
done

Probably an easier way to do it somewhere, but that works for me ;]

Liz
Thanks
James Guidera
Systems Engineer
Miracle Electronics Ltd
Ph:+64-4-385-1293
Cel: +64-21-705-614
-- It's been discovered that research causes cancer in rats.
An idea is to get a bgp feed from your isp and use something like this (I
use FreeBSD so ipfw in my case, however you could use it for a .htaccess or
anything)
Once your BGP is established, run:
vtysh -e "show ip bgp" > /root/scripts/bgproutes.txt
################
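#!/bin/sh
# Take the second column of the saved "show ip bgp" output, dropping the
# default route, loopback and any line containing "1996-200".
# The final grep keeps only address-like fields; it was "[0-255]." in the
# original, which is a character class and not an octet match.
for i in `cat /root/scripts/bgproutes.txt | grep -v 0.0.0.0 | awk '{print($2)}' | grep -v "127.0.0.1" | grep -v "1996-200" | grep "[0-9]\."` ; do
    ipfw add 01002 deny ip from $i to any in
done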
################
With a few changes of the above script you could get a .htaccess file in the
below format:
<Limit GET POST>
order deny,allow
deny from all
allow from $i
</Limit>
Barry
----- Original Message -----
From: "Liz Q"
On Thu, 30 Jun 2005 09:00, James J. Guidera wrote:
Just a quick question,
Is there a singular complete list of NZ ip range?? I am wanting to allow only NZ traffic access to servers.
/usr/bin/wget ftp://ftp.apnic.net/pub/apnic/dbase/data/country-ipv4.lst -O /tmp/country-ipv4.lst
for NZIP in `cat /tmp/country-ipv4.lst |grep nz | awk '{print $5}'` ; do
    echo Allowing ${NZIP}
    ${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 -s $NZIP -j TCPACCEPT
done
Probably an easier way to do it somewhere, but that works for me ;]
Liz
Thanks
James Guidera
Systems Engineer
Miracle Electronics Ltd
Ph:+64-4-385-1293
Cel: +64-21-705-614
-- It's been discovered that research causes cancer in rats.
Just be aware that these solutions will give you a list of "NZ IP Ranges" but may not be New Zealand based netwise.

If you are looking for traffic originating in NZ and not traversing any international links then that's an entirely different story and only your ISP can provide you with this.

If this is a bill saving exercise then it may pay to be a little prudent.

-- Steve.

On Thu, 30 Jun 2005, James J. Guidera wrote:
Just a quick question,
Is there a singular complete list of NZ ip range?? I am wanting to allow only NZ traffic access to servers.
Thanks
James Guidera
Systems Engineer
Miracle Electronics Ltd
Ph:+64-4-385-1293
Cel: +64-21-705-614
Steve Phillips wrote:
Just be aware that these solutions will give you a list of "NZ IP Ranges" but may not be New Zealand based netwise.
If you are looking for traffic originating in NZ and not traversing any international links then that's an entirely different story and only your ISP can provide you with this.
If this is a bill saving exercise then it may pay to be a little prudent.
I echo Steve's warning. It really depends how reliable you need the data to be. Back in the days when everything went through NZGate at Waikato they kept lists of NZ addresses based upon the BGP tables. These contain quite a few small blocks of non NZ addresses -- mainly belonging to large multinational companies and Telcos. I imagine it has got worse not better. If accuracy is crucial then you really need something based on the routing tables that gets updated frequently.

Russell
"James J. Guidera"
Just a quick question,
Is there a singular complete list of NZ ip range?? I am wanting to allow only NZ traffic access to servers.
nz.countries.nerd.dk is a DNSBL-type list - I think there is a mod_dnsbl for apache which will allow you to query this kind of list and do accept/reject based on the results.

I'm not sure how accurate the list is, and their DNS for the website seems to be down at the moment.

cheers,
Jamie

--
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
On Thu, 30 Jun 2005 10:47, James Riden wrote:
nz.countries.nerd.dk is a DNSBL-type list - I think there is a mod_dnsbl for apache which will allow you to query this kind of list and do accept/reject based on the results.
I'm not sure how accurate the list is, and their DNS for the website seems to be down at the moment.
Sounds handy. You could probably even write a quick perl or c program using libgeoip[1] or a perl module[2]. Although I haven't looked into how they get their country name from the ip (it may be similar to the apnic lists and not work for some people)

Liz

[1] http://www.maxmind.com/app/c
[2] http://search.cpan.org/search?query=geoip&mode=all

-- I started out with nothing, and I still have most of it.
James J. Guidera wrote:
Just a quick question,
Is there a singular complete list of NZ ip range?? I am wanting to allow only NZ traffic access to servers.
Drew keeps a list on nzip.meta.net.nz that he keeps up to date. It's available in a variety of formats including XML and as a SOAP webservice. He collates the information from multiple sources most of which have been mentioned here.

However you have to ask what you are trying to achieve. If you are doing this because your ISP provides cheaper national traffic then you might be in for a surprise come the end of month billing as most ISPs don't think "national" necessarily means "NZ".
participants (9)
- Alastair Johnson
- Barry Murphy
- James J. Guidera
- James Riden
- Jonathan Brewer
- Liz Q
- Perry Lorier
- Russell Fulton
- Steve Phillips