How to Block Comcast Nodes

So we know comcast messes with internet traffic. We know they own and definitely slow down their fiber nodes when non comcast traffic passes through their network. How about we just end that fiasco. Here is a quick way to end that using IPtables as our firewall

This can be entered on any router and any linux system with IPtables which makes it so versatile

YMMV with this block but no services I use ever are hosted on the IP ranges. They do run through them which can noticeably throttle netflix and other streaming services. Thats annoying isnt it. Another service provider has the audacity to slow YOUR connection down.

Thankfully Comcast does regularly update their dynamic IP space found here

https://postmaster.comcast.net/dynamic-IP-ranges.html

What to do now? Make a script containing the following and reap the benefits if there are any. it could just be a placebo but tbch it makes me happy while I surf the internet knowing my traffic isnt touching their servers or being slowed down by them

THIS WILL NOT WORK IF YOU USE COMCAST please dont block your own provider.

  DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
                    Version 2, December 2004 

 Copyright (C) 2004 Sam Hocevar <[email protected]> 

 Everyone is permitted to copy and distribute verbatim or modified 
 copies of this license document, and changing it is allowed as long 
 as the name is changed. 

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 

  0. You just DO WHAT THE FUCK YOU WANT TO.
  1. Author -- HEIMDALLR
  
iptables -I FORWARD -s 24.0.0.0/12 -j REJECT
iptables -I FORWARD -s 24.16.0.0/13 -j REJECT
iptables -I FORWARD -s 24.30.0.0/17 -j REJECT
iptables -I FORWARD -s 24.34.0.0/16 -j REJECT
iptables -I FORWARD -s 24.60.0.0/14 -j REJECT
iptables -I FORWARD -s 24.91.0.0/16 -j REJECT
iptables -I FORWARD -s 24.98.0.0/15 -j REJECT
iptables -I FORWARD -s 24.118.0.0/16 -j REJECT
iptables -I FORWARD -s 24.125.0.0/16 -j REJECT
iptables -I FORWARD -s 24.126.0.0/15 -j REJECT
iptables -I FORWARD -s 24.128.0.0/16 -j REJECT
iptables -I FORWARD -s 24.129.0.0/17 -j REJECT
iptables -I FORWARD -s 24.130.0.0/15 -j REJECT
iptables -I FORWARD -s 24.147.0.0/16 -j REJECT
iptables -I FORWARD -s 24.218.0.0/16 -j REJECT
iptables -I FORWARD -s 24.245.0.0/18 -j REJECT
iptables -I FORWARD -s 50.128.0.0/10 -j REJECT
iptables -I FORWARD -s 65.34.128.0/17 -j REJECT
iptables -I FORWARD -s 65.96.0.0/16 -j REJECT
iptables -I FORWARD -s 66.30.0.0/15 -j REJECT
iptables -I FORWARD -s 66.41.0.0/16 -j REJECT
iptables -I FORWARD -s 66.56.0.0/18 -j REJECT
iptables -I FORWARD -s 66.176.0.0/15 -j REJECT
iptables -I FORWARD -s 66.229.0.0/16 -j REJECT
iptables -I FORWARD -s 67.160.0.0/12 -j REJECT
iptables -I FORWARD -s 67.176.0.0/15 -j REJECT
iptables -I FORWARD -s 67.180.0.0/14 -j REJECT
iptables -I FORWARD -s 67.184.0.0/13 -j REJECT
iptables -I FORWARD -s 68.32.0.0/11 -j REJECT
iptables -I FORWARD -s 68.80.0.0/14 -j REJECT
iptables -I FORWARD -s 68.84.0.0/16 -j REJECT
iptables -I FORWARD -s 69.136.0.0/15 -j REJECT
iptables -I FORWARD -s 69.138.0.0/16 -j REJECT
iptables -I FORWARD -s 69.139.0.0/17 -j REJECT
iptables -I FORWARD -s 69.140.0.0/14 -j REJECT
iptables -I FORWARD -s 69.180.0.0/15 -j REJECT
iptables -I FORWARD -s 69.242.0.0/15 -j REJECT
iptables -I FORWARD -s 69.244.0.0/14 -j REJECT
iptables -I FORWARD -s 69.248.0.0/14 -j REJECT
iptables -I FORWARD -s 69.253.0.0/16 -j REJECT
iptables -I FORWARD -s 69.254.0.0/15 -j REJECT
iptables -I FORWARD -s 71.56.0.0/13 -j REJECT
iptables -I FORWARD -s 71.192.0.0/12 -j REJECT
iptables -I FORWARD -s 71.224.0.0/12 -j REJECT
iptables -I FORWARD -s 73.0.0.0/8 -j REJECT
iptables -I FORWARD -s 75.64.0.0/13 -j REJECT
iptables -I FORWARD -s 75.72.0.0/15 -j REJECT
iptables -I FORWARD -s 75.74.0.0/16 -j REJECT
iptables -I FORWARD -s 75.75.0.0/17 -j REJECT
iptables -I FORWARD -s 75.75.128.0/18 -j REJECT
iptables -I FORWARD -s 76.16.0.0/12 -j REJECT
iptables -I FORWARD -s 76.97.0.0/16 -j REJECT
iptables -I FORWARD -s 76.98.0.0/15 -j REJECT
iptables -I FORWARD -s 76.100.0.0/14 -j REJECT
iptables -I FORWARD -s 76.104.0.0/13 -j REJECT
iptables -I FORWARD -s 76.112.0.0/12 -j REJECT
iptables -I FORWARD -s 98.192.0.0/13 -j REJECT
iptables -I FORWARD -s 98.200.0.0/14 -j REJECT
iptables -I FORWARD -s 98.204.0.0/16 -j REJECT
iptables -I FORWARD -s 98.206.0.0/15 -j REJECT
iptables -I FORWARD -s 98.208.0.0/12 -j REJECT
iptables -I FORWARD -s 98.224.0.0/12 -j REJECT
iptables -I FORWARD -s 98.240.0.0/16 -j REJECT
iptables -I FORWARD -s 98.242.0.0/15 -j REJECT
iptables -I FORWARD -s 98.244.0.0/14 -j REJECT
iptables -I FORWARD -s 98.248.0.0/13 -j REJECT
iptables -I FORWARD -s 107.2.0.0/15 -j REJECT
iptables -I FORWARD -s 107.4.0.0/15 -j REJECT
iptables -I FORWARD -s 174.48.0.0/12 -j REJECT
iptables -I OUTPUT -s 24.0.0.0/12 -j REJECT
iptables -I OUTPUT -s 24.16.0.0/13 -j REJECT
iptables -I OUTPUT -s 24.30.0.0/17 -j REJECT
iptables -I OUTPUT -s 24.34.0.0/16 -j REJECT
iptables -I OUTPUT -s 24.60.0.0/14 -j REJECT
iptables -I OUTPUT -s 24.91.0.0/16 -j REJECT
iptables -I OUTPUT -s 24.98.0.0/15 -j REJECT
iptables -I OUTPUT -s 24.118.0.0/16 -j REJECT
iptables -I OUTPUT -s 24.125.0.0/16 -j REJECT
iptables -I OUTPUT -s 24.126.0.0/15 -j REJECT
iptables -I OUTPUT -s 24.128.0.0/16 -j REJECT
iptables -I OUTPUT -s 24.129.0.0/17 -j REJECT
iptables -I OUTPUT -s 24.130.0.0/15 -j REJECT
iptables -I OUTPUT -s 24.147.0.0/16 -j REJECT
iptables -I OUTPUT -s 24.218.0.0/16 -j REJECT
iptables -I OUTPUT -s 24.245.0.0/18 -j REJECT
iptables -I OUTPUT -s 50.128.0.0/10 -j REJECT
iptables -I OUTPUT -s 65.34.128.0/17 -j REJECT
iptables -I OUTPUT -s 65.96.0.0/16 -j REJECT
iptables -I OUTPUT -s 66.30.0.0/15 -j REJECT
iptables -I OUTPUT -s 66.41.0.0/16 -j REJECT
iptables -I OUTPUT -s 66.56.0.0/18 -j REJECT
iptables -I OUTPUT -s 66.176.0.0/15 -j REJECT
iptables -I OUTPUT -s 66.229.0.0/16 -j REJECT
iptables -I OUTPUT -s 67.160.0.0/12 -j REJECT
iptables -I OUTPUT -s 67.176.0.0/15 -j REJECT
iptables -I OUTPUT -s 67.180.0.0/14 -j REJECT
iptables -I OUTPUT -s 67.184.0.0/13 -j REJECT
iptables -I OUTPUT -s 68.32.0.0/11 -j REJECT
iptables -I OUTPUT -s 68.80.0.0/14 -j REJECT
iptables -I OUTPUT -s 68.84.0.0/16 -j REJECT
iptables -I OUTPUT -s 69.136.0.0/15 -j REJECT
iptables -I OUTPUT -s 69.138.0.0/16 -j REJECT
iptables -I OUTPUT -s 69.139.0.0/17 -j REJECT
iptables -I OUTPUT -s 69.140.0.0/14 -j REJECT
iptables -I OUTPUT -s 69.180.0.0/15 -j REJECT
iptables -I OUTPUT -s 69.242.0.0/15 -j REJECT
iptables -I OUTPUT -s 69.244.0.0/14 -j REJECT
iptables -I OUTPUT -s 69.248.0.0/14 -j REJECT
iptables -I OUTPUT -s 69.253.0.0/16 -j REJECT
iptables -I OUTPUT -s 69.254.0.0/15 -j REJECT
iptables -I OUTPUT -s 71.56.0.0/13 -j REJECT
iptables -I OUTPUT -s 71.192.0.0/12 -j REJECT
iptables -I OUTPUT -s 71.224.0.0/12 -j REJECT
iptables -I OUTPUT -s 73.0.0.0/8 -j REJECT
iptables -I OUTPUT -s 75.64.0.0/13 -j REJECT
iptables -I OUTPUT -s 75.72.0.0/15 -j REJECT
iptables -I OUTPUT -s 75.74.0.0/16 -j REJECT
iptables -I OUTPUT -s 75.75.0.0/17 -j REJECT
iptables -I OUTPUT -s 75.75.128.0/18 -j REJECT
iptables -I OUTPUT -s 76.16.0.0/12 -j REJECT
iptables -I OUTPUT -s 76.97.0.0/16 -j REJECT
iptables -I OUTPUT -s 76.98.0.0/15 -j REJECT
iptables -I OUTPUT -s 76.100.0.0/14 -j REJECT
iptables -I OUTPUT -s 76.104.0.0/13 -j REJECT
iptables -I OUTPUT -s 76.112.0.0/12 -j REJECT
iptables -I OUTPUT -s 98.192.0.0/13 -j REJECT
iptables -I OUTPUT -s 98.200.0.0/14 -j REJECT
iptables -I OUTPUT -s 98.204.0.0/16 -j REJECT
iptables -I OUTPUT -s 98.206.0.0/15 -j REJECT
iptables -I OUTPUT -s 98.208.0.0/12 -j REJECT
iptables -I OUTPUT -s 98.224.0.0/12 -j REJECT
iptables -I OUTPUT -s 98.240.0.0/16 -j REJECT
iptables -I OUTPUT -s 98.242.0.0/15 -j REJECT
iptables -I OUTPUT -s 98.244.0.0/14 -j REJECT
iptables -I OUTPUT -s 98.248.0.0/13 -j REJECT
iptables -I OUTPUT -s 107.2.0.0/15 -j REJECT
iptables -I OUTPUT -s 107.4.0.0/15 -j REJECT
iptables -I OUTPUT -s 174.48.0.0/12 -j REJECT

Dont want to scroll through that. here is a text file with the same list of blocked ranges.

firewallAntiComCast.txt (6.9 KB)

Done. This is also probably your first look at a blocking ranges with IPtables. Doesnt hurt to get your feet wet

By the way anytime you need a paste bin. this is the best one I have used

https://0bin.net/

Wouldn’t this only block it when you are directly connecting to those IP? I am thinking the traffic will still go though those nodes if any other node you are connecting to is peering with Comcast.

is this for blocking tor nodes? i ask because once traffic leaves your computer you have no control over routing, other than specifying its final destination.
i like the license .

Basically it has to do with hops. Its more than direct connect… If you monitor your Hops with a traceroute youll notice you can no longer perform the hop to a comcast server node

No this is literally for blocking all comcast related services out of your netflix stream etc

Nice touch @HEXcellerate

My grammar-Nazism got the best of me.

It happens to all us level 3s we can’t help it haha

No… all this does is blocking the ping packets from your IP to that IP when traceroute pings that node, but you have no control over that as you are sending a request to the node you are directly connected to(which is usually your home router) then your router decides what to do with that based on its own set of rules. Usually it sends it to your ISPs node after receiving your packet.

Then your ISPs node decides what to do with the packet and so on and so forth. In short, if you want to block some node and you are not directly connected to it, it has to be done by the node that forwards your packet to that node.

You can try to use some VPN service that might be using its own nodes to route traffic and then you can bypath Comcast this way. But otherwise you have no control.

Could block CDNs that use the nodes too… Would that be more effective?

Then it would just break the content itself probably. I know you can trick your browser into loading CDN content like javascript libraries into loading from your hard drive instead of downloading it from Google every time.(or some other CDN) But really there is no way around it except using VPN.

Thats a pretty abysmal way of looking at it… Ive blocked a lot of CDNs before without breakage

Then you probably didn’t really block them fully or you blocked just one IP range for example out of the possible three(as an example) for that CDN, so it just offloaded to a different IP.

Ive blocked them via other means past IPs man this guide wasnt for that

this is correct.
the FORWARD chain only effects traffic forwarded from an edge router to the internal LAN (lan ip to lan ip, unless masquerading is enabled).
those rules only block the traceroute (as @oxbird said) pings from forwarding to your internal resources (and from internal resources to the internet if masquerading is enabled) . the ping can be seen on the edge router though. without the traceroute, you cannot know the path a packet takes (which may change at any given time so its essentially random) , and therefore cannot stop it from traversing any particular server on the internet.
see Redhat docs for more info.

Well I’d love to know a way to stop my traffic from routing through their nodes… If this is ineffective…

You basically can’t, BGP will route whichever way it thinks is best. This is what keeps the internet resilient, it routes around any issues. And occasionally takes it down, as happened earlier this week with Verizon’s BGP screwup.

That said, if you VPN to somewhere in Europe or Asia and don’t connect to American resources it would be very unlikely to be routed through Comcast infra.

Alright so let’s think about this how to identify the closest VPN server to avoid bgp routing through Comcast nodes

It doesn’t explain why ping was better after the iptables rules though? To the exact same IP

The overhead of the VPN will almost certainly hurt performance more than any 2nd hand Comcast throttling. Additionally, I’ve never heard of this phenomenon before, do you have a source?

Idk, latency fluctuates. You’d want to compare averages over long period of time.

I basically did over many days at the same time of day with nothing else running in the house and it was consistently better … Idk how to explain that other than the one scientific change I made to the conn

What were you pinging again? Also, throttling and latency are not really related. Were you able to test your throughput?