Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IP Calculators

Status
Not open for further replies.

SgtZim

MIS
Dec 2, 2002
18
US
Im running a postfix mail server on linux and have a need to take one IP address out of my trusted network to prevent relaying. So far as I can tell, postfix only knows what networds are trusted and doesnt have a way to explicitly not trust one. Here is the root of my problem. I need to trust 172.19.99.* all except 172.19.99.105

Is there any types of calculator out there that will tell me how to break this up easily? The way I did this before on a machine I needed to deny 172.19.64.1 and .2 on was to trust only:
172.19.64.3
172.19.64.4/30
172.19.64.8/29
172.19.64.16/28
172.19.64.32/27
172.19.64.64/26
172.19.64.128/25
This seems very cumbersome and Im hoping there is an easier way that Ive missed.
 
Go to solarwinds.net. They have a free subnet calculator.
 
I'm not quite sure I'm understanding all your notation here.

Do you have "x" machines on the 172.19.99.0 (mask 255.255.255.0)network and you want to deny a single machine, 172.19.99.105 from the mail server?

If this is the case, Then you can subnet the 172.19.99.0 network in to two. You will have subnet 172.19.99.0 mask 255.255.255.128 and subnet 172.19.99.128 mask 255.255.255.128. Your valid IP range for the first will be 172.19.99.1 - 172.19.99.125 and the range for the second will be 172.19.99.129 - 172.19.99.254. This was you can allow on subnet and deny the other.

HTH

 
Thanks for the replies, both give me more insight into how I need to do this. You are correct in that I need to allow everything on 172.19.99 and block 172.19.99.105. The 105 machine is the IP of the firewall and by taking 105 out of my trusted network it will prevent mail relay and allow the IP addresses of my internal clients to relay mail to outside email addresses. It doesnt appear that there is a simple way to really allow 172.19.99.0 - 104 and 106 - 255 just keeping 105 out without really chopping up the trusted network masks. Here is what ive come up with to be trusted:

172.19.99.32/27 allows .32 - .63 (subnet 255.255.255.224)
172.19.99.64/27 allows .64 - .95 (subnet 255.255.255.224)
172.19.99.96/29 allows .96 - .103 (subnet 255.255.255.248)
172.19.99.104 allows .104
172.19.99.106/31 allows .106 - .107(subnet 255.255.255.254)
172.19.99.108/30 allows .108 - .111(subnet 255.255.255.252)
172.19.99.112/28 allows .112 - .127(subnet 255.255.255.240)
172.19.99.128/24 allows .128 - .255(subnet 255.255.255.128)

I inherited this network and didnt have any say as to what whas assigned what IP when it was built or I would have just stuck the gateway into its own little world instead of having it smack in the middle of everything.
 
You may just want to add a reference in /etc/hosts.deny like this:

smtp : 172.19.99.105/255.255.255.255

It should block any connections to your machine from that host to your smtp port.
pansophic
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top