Limit Intranet Access by a Range of IP addresses 1

[wstran]

Greetings,

We would like to limit some IP addresses (from .130 to .245) to access our Intranet by editing our httpd.conf:

<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 192.168.10.130-245
</Directory>

However, we didn't see it worked because the PC with IP addresses out of the range (.130 to .145) still can access into our intranet. Is there anything else that we have to do? Please help, thanks!

 

[Noway2]

Stupid question, but did you either restart or do a force-reload on apache after making the changes?

 

[wstran]

Yes, we did restart apache and even reboot the server but the IP addresses outside the range still can access into our intranet. One thing we just wonder if the format "Allow from 192.168.10.130-.245" is correct. Thanks Noway2 for the suggestion.

 

[Noway2]

That is a good question. My feeling is that the answer is no. Take a look at this page:

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html.

What you could do, is specify the IP address with a CIDR mask. Pick the mask to allow only the range of IP addresses you want. Given that you want to start at 130 this may be a little difficult because you are specifying the number of bits to represent the network. Instead, pick 128 and above, then you can use /25 as a mask. This would then require an effective address of 192.168.10.128 and above.