"ip route" how to block a large range of Ip's on Linux

It is easy to block everything in the first octet, e.g. –
with one single ip route command.

However, how do you block over two octets without issuing a separate command for every change in the second octet?

E.g., is there a single “ip route” command that will block all the addresses in the following range? –

I can do this with iptables, but iptables becomes impossible to manage after it grows, so I prefer an “ip route” option as an answer, as I have better ways to manage a large number of entries.

Look into ipset (https://wiki.archlinux.org/index.php/Ipset), which we used to block many IPs effectively.

Thanks. Unfortunately ipset doesn't seem to be able to block a range of IP addresses. Meaning, e.g., all addresses from –

Convert that IP range to CIDR and we get

Block those either using iptables or ipset. Run ipcalc command to get those:

ipcalc -
deaggregate -

How to block those CIDRs?

Create a new list:

ipset -N myset nethash

Add any IP address that you’d like to block to the set.

ipset add myset
ipset add myset
ipset add myset
ipset add myset
ipset add myset
ipset add myset

Drop it:

iptables -I INPUT -m set --match-set myset src -j DROP

Thanks that works.
I was hoping for a command only with upper and lower block, but your solution is good enough.
I will write a script that accepts the two block bounds and it will then do all the ipset and iptables as you describe above.
Easy enough.

Excellent detailed answer Monk, thank you very much.

I marked @monk’s solution as the accepted answer.

That is correct. Thanks.
The solution button I never noticed.
Must be a new thing?

Yes, they added that recently.
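
The script idea raised in the thread (take the lower and upper bound of a range, convert it to CIDR blocks, load them into an ipset) could look like the following; this is an added example, not code from any poster. It assumes Python's `ipaddress` module in place of ipcalc, the `hash:net` set type (the current name of `nethash`), and a conservative set-name check chosen for this example.

```python
#!/usr/bin/env python3
"""Turn a lower/upper IPv4 bound into input for `ipset restore` (added example)."""
import ipaddress
import re
import sys

# Assumption for this example: only allow simple names, at most 31 characters,
# so nothing unexpected can be written into the restore stream.
SET_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,31}")


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive."""
    lo = ipaddress.IPv4Address(first)   # raises ValueError on malformed input
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"lower bound {lo} is above upper bound {hi}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def restore_lines(set_name, first, last):
    """Build `ipset restore` lines that create the set and add every CIDR."""
    if not SET_NAME_RE.fullmatch(set_name):
        raise ValueError(f"unsafe set name: {set_name!r}")
    # -exist makes the script safe to re-run: existing set/entries are not errors.
    lines = [f"create {set_name} hash:net -exist"]
    lines += [f"add {set_name} {cidr} -exist"
              for cidr in range_to_cidrs(first, last)]
    return lines


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} SETNAME FIRST_IP LAST_IP")
    try:
        print("\n".join(restore_lines(*sys.argv[1:])))
    except ValueError as err:
        sys.exit(f"error: {err}")
```

Pipe the output into `ipset restore` as root, then add the `iptables -I INPUT -m set --match-set myset src -j DROP` rule from the answer once; later ranges only need to be added to the set.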
