XT IP Range

Forums › Spark New Zealand › XT IP Range

tcpdump

311 posts

Ultimate Geek
+1 received by user: 3

Topic # 96648 1-Feb-2012 11:02

Hello,

Does anyone know the IP range that's allocated to XT Mobile connections?
I want to put an exception into the firewall to allow connections from my mobile without port knocking.
So far I've seen that they have (at least) 115.189.0.0/16 but this is likely to be used by xtra or other parts as well.

Thanks.

johnr

19282 posts

Uber Geek
+1 received by user: 2600
Inactive user

Reply # 575773 1-Feb-2012 11:03

Not a good idea as the IP range is not static

John

plambrechtsen

1948 posts

Uber Geek
+1 received by user: 469
Inactive user

Reply # 575777 1-Feb-2012 11:06

There is this old blog post from NealR.

But I am not sure if it has changed / been updated for a while. Will go and ask him.

tcpdump

311 posts

Ultimate Geek
+1 received by user: 3

Reply # 575786 1-Feb-2012 11:15

Great stuff, thank you.

It's not a big deal if some subnets change as I also have port knocknig enabled if I get an IP address from a new subnet.
I'm not too concerned about security implications as I'll only allow ssh and it's extremely unlikely to have brute force attacks from XT phones. Also, fail2ban will do its job if need be.

Thanks again, if you have an update on the subnet list posted above it would be appreciated.

plambrechtsen

1948 posts

Uber Geek
+1 received by user: 469
Inactive user

Reply # 575792 1-Feb-2012 11:38

Neal said he tries to keep it up to date however this is done on a best efforts basis so you should assume it could radically change without warning.

tcpdump

311 posts

Ultimate Geek
+1 received by user: 3

Reply # 575795 1-Feb-2012 11:39

Understood, thanks again.

Zeon

3430 posts

Uber Geek
+1 received by user: 419

Trusted

Reply # 575797 1-Feb-2012 11:47

TBH this is a dumb idea as the ranges could change without warning. If you want to do this then get a static IP.

Fail2ban should be good enough....

tcpdump

311 posts

Ultimate Geek
+1 received by user: 3

Reply # 575798 1-Feb-2012 11:51

As I said earlier, I have a port-knocking solution in place. The allowing of the range saves me a click to launch the 'knock app'. If the range changes, I just launch the knock app and that's that.

Not sure if (how) I can get a static IP on my XT-Mobile.

plambrechtsen

1948 posts

Uber Geek
+1 received by user: 469
Inactive user

Reply # 575801 1-Feb-2012 11:55

tcpdump: As I said earlier, I have a port-knocking solution in place. The allowing of the range saves me a click to launch the 'knock app'. If the range changes, I just launch the knock app and that's that.

Not sure if (how) I can get a static IP on my XT-Mobile.

You can get a Private APN. But that comes at a cost.

Ragnor

8029 posts

Uber Geek
+1 received by user: 387

Trusted

Subscriber

Reply # 575857 1-Feb-2012 13:20

Why not just setup a vpn, most smartphone support various vpn connection options.

tcpdump

311 posts

Ultimate Geek
+1 received by user: 3

Reply # 575859 1-Feb-2012 13:23

The firewall is denying everything, including VPN. After a successful knock (or if the IP address/range is in a whitelist) ssh/vpn is being allowed.

Yes, I can be even more paranoid if required ;)

Ragnor

8029 posts

Uber Geek
+1 received by user: 387

Trusted

Subscriber

Reply # 575863 1-Feb-2012 13:27

Hah fair enough!