Every ASN on the internet announces a set of CIDR prefixes — the IP ranges that belong to that network. asn.ipinfo.app exposes those prefix lists in formats ready to drop directly into your firewall, web server, or router config. Data is sourced from iptoasn.com via the Atlas service and is updated daily.
Common uses include blocking entire cloud provider ranges, restricting access to known ASNs, setting up BGP null-route communities (RTBH), and building automated threat intelligence feeds from AS reputation data.
All format endpoints follow the same pattern. Replace {format} with the format name and {asn} with the AS number (bare or AS-prefixed):
The /text/ tree returns plain text (one line per entry), useful for
piping directly into bash. The /download/ tree is identical
but adds Content-Disposition: attachment so browsers save it as a file.
The /json/ tree wraps the list in a
{ name, type, list } envelope for programmatic use.
Use the /text/ URL in shell scripts: it's a direct pipe with no JSON parsing required.
Use curl -s to suppress the progress bar.
ipset is the recommended approach for large prefix lists on Linux.
It's far more efficient than individual iptables rules — a 5,000-prefix
ASN is a single hash lookup rather than 5,000 rule evaluations. The downloaded
script creates two named sets (AS{n}-4 for IPv4, AS{n}-6
for IPv6) and populates them in one pass.
# Requires: ipset, iptables/ip6tables
curl -s https://asn.ipinfo.app/api/text/ipset/AS13335 | bash
# Drop all inbound traffic from Cloudflare (AS13335)
iptables -I INPUT -m set --match-set AS13335-4 src -j DROP
ip6tables -I INPUT -m set --match-set AS13335-6 src -j DROP
for ASN in 13335 15169 16509; do
    curl -s "https://asn.ipinfo.app/api/text/ipset/AS${ASN}" | bash
done
# Wire all sets
for ASN in 13335 15169 16509; do
    iptables -I INPUT -m set --match-set "AS${ASN}-4" src -j DROP
    ip6tables -I INPUT -m set --match-set "AS${ASN}-6" src -j DROP
done
To keep the sets across reboots, persist them with ipset save / ipset restore or an
equivalent service (e.g. netfilter-persistent on Debian).
The iptables format generates one rule per prefix. It works without
ipset but is much slower to evaluate at scale — use ipset for ASNs
with more than a few hundred prefixes. IPv6 prefixes automatically use
ip6tables.
# Each prefix becomes an iptables INPUT DROP rule
curl -s https://asn.ipinfo.app/api/text/iptables/AS13335 | bash
curl -s https://asn.ipinfo.app/api/download/iptables/AS13335 \
-o /etc/iptables/block-AS13335.rules
# Review, then apply
bash /etc/iptables/block-AS13335.rules
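Blackhole routes install static routes with a blackhole nexthop,
causing the kernel to silently discard all traffic to those prefixes. This operates
at the routing layer (before netfilter) and is useful for high-volume DoS mitigation.
Note that the match is on destination address: the routes discard what your host sends
or forwards to those prefixes (including replies), while packets arriving from them are
not dropped by the route itself unless reverse-path filtering (rp_filter) is enabled.
It's also the building block for BGP RTBH (Remotely Triggered Black Hole) — announce
the blackhole route to your upstream and they'll null-route the traffic before it
reaches you.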
# Installs: ip route add blackhole <prefix> for every prefix in AS13335
curl -s https://asn.ipinfo.app/api/text/ipblackhole/AS13335 | bash
# Removes all the routes added above
curl -s https://asn.ipinfo.app/api/text/ipblackholerem/AS13335 | bash
ipblackhole_remove_13335.txt for the remove variant.
The nginx format generates deny directives, one per prefix. Place them directly
in an http, server, or location context to block access. The deny lines cannot be
included inside a geo block; to set a variable with geo, build the include file
from the list format instead. Using geo is preferred for large lists because nginx
compiles geo blocks into an efficient radix tree.
curl -s https://asn.ipinfo.app/api/text/nginx/AS13335 \
  -o /etc/nginx/asn/block-AS13335.conf
# The downloaded file uses `deny x.x.x.x/n;` syntax, not geo pairs.
# For a geo block use the list format instead:
# Plain CIDR list — one prefix per line
curl -s https://asn.ipinfo.app/api/text/list/AS13335 \
  | awk '{print $1, "1;"}' \
  > /etc/nginx/asn/geo-AS13335.conf
# Then in nginx.conf:
geo $block_as13335 {
    default 0;
    include /etc/nginx/asn/geo-AS13335.conf;
}
server {
    if ($block_as13335) { return 403; }
}
# Alternatively, include the deny file directly in a location:
location / {
    include /etc/nginx/asn/block-AS13335.conf;
    allow all;
}
# Reload after updating
nginx -s reload
The htaccess format generates mod_access_compat deny
rules, compatible with Apache 2.4 when the mod_access_compat module
is enabled. The list always starts with Order Deny,Allow.
Requires mod_access_compat, enabled with
a2enmod access_compat on Debian/Ubuntu. For large ASNs, consider
using mod_authz_host or a network-level solution instead.
# Download and append to an existing .htaccess
curl -s https://asn.ipinfo.app/api/text/htaccess/AS13335 >> /var/www/html/.htaccess
Order Deny,Allow
Deny from 104.16.0.0/12
Deny from 172.64.0.0/13
Deny from 2606:4700::/32
...
The Cisco format generates object network statements for Cisco ASA.
IPv4 entries use dotted-decimal subnet masks; IPv6 entries use CIDR notation.
Objects are named sequentially: {asn}-4-SN0, {asn}-4-SN1, …
for IPv4 and {asn}-6-SN0, … for IPv6.
curl -s https://asn.ipinfo.app/api/download/cisco/AS13335 \
  -o cisco_AS13335.txt
object network 13335-4-SN0
subnet 104.16.0.0 255.240.0.0
object network 13335-4-SN1
subnet 172.64.0.0 255.248.0.0
object network 13335-6-SN0
subnet 2606:4700::/32
...
Paste the output into an ASDM text config import or an SSH session.
After defining the objects, group them into an object-group network
and reference it in your ACL.
The Juniper format generates set policy-options prefix-list statements.
IPv4 prefixes are added to the {asn}v4 list;
IPv6 prefixes go into {asn}v6.
# Download locally
curl -s https://asn.ipinfo.app/api/download/juniper/AS13335 \
  -o juniper_AS13335.txt
# Pipe into a JunOS commit session (adjust credentials/host)
{ echo "configure"; cat juniper_AS13335.txt; echo "commit"; } \
  | ssh user@router -T
set policy-options prefix-list 13335v4 104.16.0.0/12
set policy-options prefix-list 13335v4 172.64.0.0/13
set policy-options prefix-list 13335v6 2606:4700::/32
...
IP ranges for any given ASN change over time — cloud providers add and remove prefixes as they grow or reorganize. A daily cron job that re-fetches and re-applies the rules keeps your firewall current without manual intervention.
#!/bin/bash
# /etc/cron.daily/refresh-asn-blocks (chmod +x)
set -euo pipefail
ASNS="13335 15169 16509"  # Cloudflare, Google, Amazon
for ASN in $ASNS; do
    # Flush the existing sets so removed prefixes don't linger
    ipset flush "AS${ASN}-4" 2>/dev/null || true
    ipset flush "AS${ASN}-6" 2>/dev/null || true
    # Re-create and populate from the live list
    curl -sf "https://asn.ipinfo.app/api/text/ipset/AS${ASN}" | bash
done
# Persist so rules survive reboot
ipset save > /etc/ipset.conf
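#!/bin/bash
# /etc/cron.daily/refresh-nginx-geo
set -euo pipefail
# Fetch into a temp file so a failed download never truncates the live list
tmp=$(mktemp /etc/nginx/asn/geo-AS13335.conf.XXXXXX)
trap 'rm -f "$tmp"' EXIT
curl -sf https://asn.ipinfo.app/api/text/list/AS13335 \
  | awk '{print $1, "1;"}' \
  > "$tmp"
[ -s "$tmp" ] || exit 1
mv "$tmp" /etc/nginx/asn/geo-AS13335.conf
nginx -t && nginx -s reload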
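Use curl -sf (silent + fail-on-error). Without -f,
a 502 response from a temporarily unavailable upstream would overwrite your
rules with an error page. -f alone does not protect a file written through a
shell redirect, which is truncated before curl runs, so fetch into a temporary
file and move it into place only after a successful download.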
A single script that handles multiple ASNs, with proper error handling and idempotent ipset management.
#!/bin/bash
# block-asns.sh — fetch ASN prefix lists and apply via ipset/iptables
# Usage: ./block-asns.sh 13335 15169 16509
# Requires: curl, ipset, iptables, ip6tables
set -euo pipefail
BASE="https://asn.ipinfo.app/api/text/ipset"
for ASN in "$@"; do
    echo "==> Blocking AS${ASN}..."
    # Flush existing sets (no-op if they don't exist yet)
    ipset flush "AS${ASN}-4" 2>/dev/null || true
    ipset flush "AS${ASN}-6" 2>/dev/null || true
    ipset destroy "AS${ASN}-4" 2>/dev/null || true
    ipset destroy "AS${ASN}-6" 2>/dev/null || true
    # Create sets and populate from live data
    curl -sf "${BASE}/AS${ASN}" | bash
    # Wire into iptables (idempotent — check-or-insert)
    iptables -C INPUT -m set --match-set "AS${ASN}-4" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "AS${ASN}-4" src -j DROP
    ip6tables -C INPUT -m set --match-set "AS${ASN}-6" src -j DROP 2>/dev/null \
        || ip6tables -I INPUT -m set --match-set "AS${ASN}-6" src -j DROP
    echo " Done ($(ipset list AS${ASN}-4 | grep -c '^[0-9]') IPv4 + $(ipset list AS${ASN}-6 | grep -c '^[0-9:]') IPv6 prefixes)"
done
ipset save > /etc/ipset.conf
echo "==> ipset rules saved."
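An alternative refresh step, added here as an example and not taken from asn.ipinfo.app: rather than flushing the live set and piping a fetched script into bash, it validates the plain /list/ output and emits ipset restore commands that fill a side set and swap it in, so a failed or malformed fetch leaves the current set untouched. The hash:net set type, the "-new" suffix, the function names and the AS64500 sample data are assumptions.

```shell
#!/bin/sh
# Added example: build `ipset restore` input from a plain prefix list.
# Assumptions (not from the page): hash:net set type, "-new" temp-set suffix.

# Shape checks only; ipset itself does the final address parsing.
V4='((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])/(3[0-2]|[12]?[0-9])'
V6='[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/(12[0-8]|1[01][0-9]|[1-9]?[0-9])'

# build_restore <asn> <4|6>: read one prefix per line on stdin, print restore
# commands for set AS<asn>-<4|6>. Prints nothing and fails if any line is not
# a CIDR prefix or if the list holds no prefix of the requested family.
build_restore() (
  asn=$1 fam=$2
  case $asn in ''|*[!0-9]*) exit 2 ;; esac
  case $fam in
    4) inet=inet  pat=$V4 ;;
    6) inet=inet6 pat=$V6 ;;
    *) exit 2 ;;
  esac
  live="AS${asn}-${fam}" tmp="AS${asn}-${fam}-new"
  list=$(tr -d '\r' | grep -v '^$' || true)
  # Any line that is neither an IPv4 nor an IPv6 prefix rejects the whole list.
  bad=$(printf '%s\n' "$list" | grep -Evx "($V4)|($V6)" | head -n 1)
  [ -z "$bad" ] || { echo "rejected, not a prefix: $bad" >&2; exit 1; }
  adds=$(printf '%s\n' "$list" | grep -Ex "$pat" | sed "s|^|add $tmp |")
  [ -n "$adds" ] || { echo "rejected, no IPv$fam prefixes" >&2; exit 1; }
  # Fill the side set, then swap: rules matching $live never see it empty.
  printf 'create %s hash:net family %s\n' "$live" "$inet" "$tmp" "$inet"
  printf 'flush %s\n%s\nswap %s %s\ndestroy %s\n' "$tmp" "$adds" "$tmp" "$live" "$tmp"
)

# Constructed sample inputs (documentation prefixes and ASN, not live data).
sample_list() { printf '192.0.2.0/24\n198.51.100.0/24\n2001:db8::/32\n'; }
sample_error_page() { printf '<html><body>502 Bad Gateway</body></html>\n'; }

# Intended use as root, with the /list/ URL shown on this page:
#   curl -sf https://asn.ipinfo.app/api/text/list/AS13335 -o "$f" &&
#     build_restore 13335 4 < "$f" | ipset -exist restore
sample_list | build_restore 64500 4
```

Because iptables rules reference the set by name, they keep matching across the swap and need no re-insertion.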
ASN prefix lists are used across the security and networking community for everything from datacenter ingress filtering to home-lab threat intelligence feeds. Below are open source tools that embody the same use cases — blocking, monitoring, and automating around AS-level IP data.
Multi-layer home network security system. Generates UFW firewall blocklists from ASN-based IP ranges targeting datacenter and server-rental ASNs, with Pi-Hole domain blocking layered on top. Manages 50,000+ blocked subnet entries.
Source Engine game server plugin that blocks players connecting from datacenter or VPN IP ranges. Uses ASN prefix lists to populate a MySQL CIDR blocklist database, with per-ASN kick messages and a player whitelist.