"ip route": how to block a large range of IPs on Linux

It is easy to block everything in the first octet, e.g.
64.233.160.0 – 64.233.160.255
with one single ip route command.

However, how do you block over two octets without issuing a separate command for every change in the second octet?

E.g., is there a single “ip route” command that will block all the addresses in the following range?
64.233.160.0 – 64.233.191.255

I can do this with iptables, but iptables becomes impossible to manage after it grows, so I prefer an “ip route” option as an answer, as I have better ways to manage a large number of entries.

Look into ipset https://wiki.archlinux.org/index.php/Ipset which we used to block many IPs effectively.

Thanks. Unfortunately ipset doesn't seem to be able to block a range of IP addresses, meaning e.g. all addresses from 64.10.0.0 – 64.255.255.255.

Convert that IP range to CIDR and we get

64.10.0.0/15
64.12.0.0/14
64.16.0.0/12
64.32.0.0/11
64.64.0.0/10
64.128.0.0/9

Block those using either iptables or ipset. Run the ipcalc command to get those:

ipcalc 64.10.0.0 - 64.255.255.255
deaggregate 64.10.0.0 - 64.255.255.255
64.10.0.0/15
64.12.0.0/14
64.16.0.0/12
64.32.0.0/11
64.64.0.0/10
64.128.0.0/9

How to block those CIDRs?

Create a new list:

ipset -N myset nethash

Add any IP address that you’d like to block to the set.

ipset add myset 64.10.0.0/15
ipset add myset 64.12.0.0/14
ipset add myset 64.16.0.0/12
ipset add myset 64.32.0.0/11
ipset add myset 64.64.0.0/10
ipset add myset 64.128.0.0/9

Drop it:

iptables -I INPUT -m set --match-set myset src -j DROP

Thanks that works.
I was hoping for a command only with upper and lower block, but your solution is good enough.
I will write a script that accepts the two block bounds and it will then do all the ipset and iptables as you describe above.
Easy enough.
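
The script mentioned in the reply above, sketched as an added example (not code from the thread or from any of its participants): it splits an inclusive IPv4 range into the minimal CIDR list, the same deaggregation the ipcalc output shows, and prints the ipset and iptables commands from the answer instead of running them. The function names are made up for this example, and inputs are assumed to be well-formed dotted quads without leading zeros.

```shell
#!/bin/sh
# Added example: range -> minimal CIDR list -> ipset/iptables commands.
# Commands are only printed, so the output can be reviewed before use.

# Dotted quad -> integer (assumes four decimal octets, no leading zeros).
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print one CIDR per line, together covering exactly start..end.
range_to_cidrs() {
    start=$(ip2int "$1"); end=$(ip2int "$2")
    [ "$start" -le "$end" ] || { echo "start is above end" >&2; return 1; }
    while [ "$start" -le "$end" ]; do
        # Grow the block while it stays aligned on $start and inside the range.
        size=1; bits=32
        while [ "$bits" -gt 0 ] && [ $(( start % (size * 2) )) -eq 0 ] \
              && [ $(( start + size * 2 - 1 )) -le "$end" ]; do
            size=$(( size * 2 )); bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + size ))
    done
}

# Print the commands from the answer for one range ("myset" as in the thread).
emit_ipset_cmds() {
    cidrs=$(range_to_cidrs "$1" "$2") || return 1
    echo "ipset -N myset nethash"
    for c in $cidrs; do echo "ipset add myset $c"; done
    echo "iptables -I INPUT -m set --match-set myset src -j DROP"
}

# Stand-alone use: ./script.sh LOWER UPPER
if [ "$#" -eq 2 ]; then emit_ipset_cmds "$1" "$2"; fi
```

Called with 64.233.160.0 and 64.233.191.255, the range from the original question, it yields the single block 64.233.160.0/19.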

Excellent detailed answer Monk, thank you very much.

I marked @monk’s solution as the accepted answer.

That is correct. Thanks.
The solution button I never noticed.
Must be a new thing?

Yes, they added that recently.

