Question about IP restriction in IIS6

[Desturel]

I'm use to administrating Apache servers not IIS so forgive me if I'm overlooking something obvious.

I have a site in IIS6 setup to deny all access except from two C class ranges. For example:

10.10.0.0 255.255.0.0
and
192.168.0.0 255.255.0.0

But I want to block a single IP address in the range again for example:

192.168.12.24

Is there anyway to do this in IIS? In apache I can do an allow for 192.168.12.0 - 192.168.12.23 and another allow for 192.168.12.25 - 192.168.12.255 or I could do an allow for all and then deny that single IP, but I don't see an option to do that through IIS.

I only see an option for allowing all from a range, entering in everything from a range one by one, or denying all from a range.

As you can imagine, doing one by one would be difficult. I'd have to enter in an allow for:
192.168.1.0
192.168.2.0
192.168.3.0

etc up to 12

Then I'd have to allow:
192.168.12.1
192.168.12.2
192.168.12.3
192.168.12.4

etc.

This isn't really an option with a range of IPs that could require up to 65535 variations. Especially if I want to add other IPs to the block in the future.

Again if I'm missing something obvious, please let me know. If all else fails, I can see if I can do something about the firewall, but since I don't directly control the firewall modifications, I don't want to have to request changes every time there is a problem.

 

[JDMnAR1]

Your best bet is to have the firewall rules written that block all traffic to your website not originating from your two defined networks, and then within IIS default to all traffic allowed except for specified IPs. You can then add your restricted IPs individually, and you won't have to modify the firewall rules as long as you don't change your allowed networks.

 

[Desturel]

Unfortunately requesting a block all causes just as many problems because the allowed IPs can rotate meaning we would need to make requests every time a new group comes in. I don't know all possible ranges that will be allowed access in the future, so I can't send a cover all list. Also I am very anti-hassle/red tape so I would like to avoid multiple requests if possible.

I actually wanted to setup a *nix gateway in front of the windows server, but was unable to get permission... I haven't tried asking about enabling windows firewall, but I guess I should do that. I'm not sure how well windows firewall works.

If this is not possible in IIS6, would you happen to know if they have an option for this in IIS7? I'm just trying to figure out what options I might have.

Thanks for your help.

 

[JDMnAR1]

I haven't done enough with IIS7 yet to know what, if anything, they changed in directory security based on IP address. Since you have a default all or none in IIS6, and you are limited on defnining exclusions, I havent' yet figured out an easy way for you to accomplish what it is you want.

If you have any control over IP address assignment (and I am guessing you don't based on your posts) you can make it so that all denied IPs would be in the same subnet on each network and deny access to each of those subnets.

 

[Desturel]

Nope, no access to IP assignment. I'm just the guy they say "get it done" to. Guess I'll just bite the bullet and start filling out firewall paperwork. As you can imagine, it's not my favorite thing to do.

Thanks again for your help.

 

[yoda291]

*COUGH*
you want to use the IP Security Policies off of MMC and create an IP policy that blocks packets with that destination IP.

more information :
http://technet2.microsoft.com/...90441033.mspx?mfr=true
should apply to all server 2k->2k8 OSes. PM me if you need help
*COUGH*

Man, I think I'm coming down with something. Just throat is so scratchy.

 

[Desturel]

Thanks for the link to IPsec on Windows firewall. As I mentioned I'm pretty new to the windows side of security so sometimes I overlook the obvious. I'll read through the site.