what's the iptables rule to block a LAN device like 192.168.0.40

You are currently reading a thread in /g/ - Technology

Thread replies: 55
Thread images: 4
what's the iptables rule to block a LAN device like 192.168.0.40 from accessing any IP other than 8.8.8.8 (or from 0.0.0.0 to 8.8.8.7, then 8.8.8.9 through 255.255.255.255)
>>
Fuck off.
>>
>>52149334

PLS HALP /g/enious
>>
>>52149258
fuck off
>>
>>52149429

all i want to know is a fucking general idea of the rule so i can adjust it when necessary, pls
>>
>>52149429

that girl looks like fucking jeb bush's granddaughter
>>
>>52149439
the command starts as follows:
iptables

you're going to have to fill in the rest
>>
>>52149536

i fucking know this faggot

i gave you an example, i've already tried some and it's not working

just as a test, for a LAN provided IP of say 192.168.0.124

what rule would block all out-going traffic to the WAN

i tried

iptables -I FORWARD -s 192.168.1.120 -i br0 -o 'get_wanface' -j DROP

but it's not working
>>
>>52149584
Well the command starts with iptables, you'll have to work out the rest
(read: fuck off faggot, manpages)
>>
>>52149584
maybe you should try to google some iptables help instead of arguing with anons who already know
>>
>>52149703

i already did, they mostly just show how to do a SINGLE ip range, or a port range
>>
>>52149763
you're going to have to do a combo of allowing the IP to access the single address, and then a rule for dropping all traffic that's not going to that particular address. That's all the help i'm giving, i'm not going to write the rules out for you
>>
>>52149880

i dont need you to write it out, i just need at least the template

just to fucking get me started, what would a DROP string look like for a LAN device in your network with the IP of 192.168.1.119

just to start seeing it actually working and get some hope
>>
>>52149962
iptables -i eth1 -A INPUT -s 192.168.1.119 -j DROP
be glad i am a bored network security major bruv, i should have kept telling you to fuckoff
>>
>>52150091

thx kind desu

NOW, just give me a (type something like this where i can enter an IP range) for either destination or source, meaning either from that device out to the net or from the net to that device, that i can then use, again just for that 1 LAN device

would you merely add a:

-d (ip range here)

to that string?

does iptables recognize something like 148.0.0.1 - 157.0.0.1

or how would you easily specify an IP range, without doing the individual ranges with a /8 or whatever at the end
>>
>>52150187
If you are asking if iptables can block a range of IPs, then yes it can
http://www.linuxquestions.org/questions/linux-security-4/block-whole-ip-range-with-iptables-469432/
What is your skill level here OP, because you are asking extremely basic iptables questions
>>
>>52150310

im used to router firmware having this built in to block IP ranges, but mine only has PORTS or domain names so im having to resort to learning iptables

are they still fucking making them specify the subnet?

that again is what's pissing me off, i dont care about the subnet, i want to block the specific IP's, i dont know nor need to know the source IP's additional info

i just want x.x.x.x to x.x.x.x IP ranges to either drop or reject

the whole /subnet number just makes it confusing since each IP can then have /8, /24 etc., etc.
>>
>>52150310
>>52150369

also this thread is only discussing someone using just their WAN ip

i need this rule to only affect 1 device within my LAN, so where do i put that in relation to the rest of the string?


sbin/iptables -I INPUT -s 221.0.0.0/255.0.0.0 -j DROP
>>
okay i finally found a wiki

iptables -I FORWARD -m iprange --src-range 192.168.1.10-192.168.1.13 -j logdrop

i dont want to log so ill take logdrop and make that just drop, but now instead of it being a src-range i need it to be destination, what is the 3 letter acronym that iptables uses?
>>
okay FUCKING HELL

i finally found something that works

iptables -I FORWARD -s 192.168.1.119 -j DROP

that successfully dropped all connections

NOW, if my understanding is correct, if i make some ALLOW rules and put that drop at the bottom/end of the list, then it should do what i need

ill try the DNS first
>>
>>52150627
Iptables reads rules line by line and then applies them, you need to append the ALLOW rules so they are higher than the DROP rules so you dont block legitimate traffic by accident
>>
>>52150667

right, that's what im testing now
>>
>>52150733
i misread your post, I thought you were going to put the ALLOW at the bottom, carry on then, let me know if it works
>>
>>52150795

i still would prefer to have it the other way around, where the IP's can see and send data to my device in my LAN but then the LAN device simply cant forward anything

but iptables doesnt seem to work that way with -d and i still cant find a "src" range alternative for destination
>>
>>52150834
you can try to make a DROP any any rule from the source lan device using the -s command line switch, remember to put it after your ALLOW statement doe
>>
>>52150940

trying that now it doesnt seem to be working
>>
>>52151115
As much as i love to help get your networking up and running, there is only so much I can do over the net without sitting in front of your computer and troubleshooting.
All I can say is iptables rules in general feel like they are a bunch of trial and error half of the time, i suggest you continue dicking around until you find something that works, and then dont change it unless absolutely necessary, good luck senpai
>>
>>52151163

well the drop rule worked, but not the allows
>>
>>52149258
Who is this whore?
>>
>>52151351

pls no bully
>>
>>52149258

First we create a rule that will allow the traffic you want to allow. Then we create a rule after that one which will block. I prefer to use REJECT so you know the connection was blocked instead of DROP.

So it's kinda like this:

iptables -I FORWARD -s 192.168.0.40/32 -d 8.8.8.8 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -j REJECT
>>
>>52149258
isn't 8.8.8.8 one of google's dns servers? what are you doing op
>>
>>52149258
>or from 0.0.0.0 to 8.8.8.7

>>52151903 here. This is retarded because "0.0.0.0" basically means all IPv4 addresses.
>>
>>52151972

so then 0.0.0.1
>>
Since we be chatting iptables. Anyone making custom chains because their lists are too long?

My fail2ban list is getting stupid and I am thinking this might be necessary. Thinking of creating a separate chain for port 22, although don't know if it is possible, but it seems to be.
>>
>>52151993
Hell no. 0/8 and 255/8 are not really IP addresses. You need to research a bit more about ipv4 addresses and CIDR masks.

Also stuff from 1.0.0.1 to 8.8.8.7 will include a LOT of ip addresses.

# it looks pants on head retarded and there should be a better
# way to do this but the rules above do exactly what you asked for
# that is allowing traffic from said host from the 1.0.0.1-8.8.8.8 range.
iptables -I FORWARD -s 192.168.0.40/32 -d 1.0.0.0/8 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 2.0.0.0/8 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 3.0.0.0/8 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 4.0.0.0/8 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 5.0.0.0/8 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 6.0.0.0/8 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 7.0.0.0/8 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.0.0.0/16 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.1.0.0/16 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.2.0.0/16 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.3.0.0/16 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.4.0.0/16 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.5.0.0/16 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.6.0.0/16 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.7.0.0/16 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.8.0.0/21 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.8.8.0/29 -j ACCEPT
iptables -I FORWARD -s 192.168.0.40/32 -d 8.8.8.8/32 -j ACCEPT
# Finally we reject everything that isn't specified above:
iptables -I FORWARD -s 192.168.0.40/32 -j REJECT
>>
>>52151903

the blocking rule works but not the allows
>>
>>52152106

Try the ipset module.
>>
>>52152168
>>52152182
>>
>>52152182

Please supply the output of "iptables-save".
>>
>>52152219

know that i cleared the console when entering this

sh: eval: line 1: iptables-save: not found

when i put it at the bottom of the other it saved properly
>>
this right here is most of what i need

iptables -I FORWARD -s 192.168.1.119 -j REJECT
iptables -I FORWARD -s 192.168.1.119/32 -d 40.125.0.0/17 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 40.120.0.0/14 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 40.80.0.0/12 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 40.74.0.0/15 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 40.76.0.0/14 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 40.112.0.0/13 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 40.96.0.0/12 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 40.124.0.0/16 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 65.52.0.0/14 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 208.67.216.0/21 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 157.54.0.0/15 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 157.60.0.0/16 -j ALLOW
iptables -I FORWARD -s 192.168.1.119/32 -d 157.56.0.0/14 -j ALLOW
>>
>>52152243

Then:

iptables -L -nv 
iptables -L -nv -t nat
iptables -L -nv -t mangle


I fucking hate iptables.
>>
>>52152258

the problem is, its still letting additional IP's outside of those ranges enter, it seems anything other than just 1 line of the "drop/reject" disables everything
>>
>>52152258

Oh wait... you are right. When you add -I the rule goes to the top!

I feel dumb OP.

Replace the -I on >>52152168 and >>52151903
with -A or revert the order as you did.
>>
>>52152258
it might be late at night, but isn't that going to totally assfuck you. Order is important or did this change and it is automagic
>>
>>52152263

nothing changed after that, it just saved normally

should i put it at the end of the full script?

and its iptables v1.3.7 IIRC, if that makes a difference
>>
>>52152282

so just make all the I's into A's for both reject and allow?
>>
>>52152301
Netfilter (the core of iptables) will use the first rule that will match that connection.

When you add the rule with -I that rule goes to the top.

When you add the rule with -A that rule goes to the bottom.

The best way is to create a script with -A and then use your operating system rc scripts to include them on boot. Normally it's something like "service iptables save".
>>
>>52152293

Those commands will output the current rules. It was meant to help us diagnose the problem but you kinda solved it alone.
>>
>>52152327

tell me if this is right, or adjust it if necessary

iptables -L FORWARD -s 192.168.1.119 -j REJECT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.74.0.0/15 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 40.76.0.0/14 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 40.80.0.0/12 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 40.96.0.0/12 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 40.112.0.0/13 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 40.120.0.0/14 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 40.124.0.0/16 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 40.125.0.0/17 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 65.52.0.0/14 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 157.54.0.0/15 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 157.56.0.0/14 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 157.60.0.0/16 -j ALLOW
iptables -A FORWARD -s 192.168.1.119/32 -d 208.67.216.0/21 -j ALLOW
iptables -L -nv
iptables -L -nv -t nat
iptables -L -nv -t mangle
>>
>>52152353

i took the bottom 3 out as per >>52152339
>>
>>52152353

oh forgot to mention, the -d's are for a specific range based on their CIDR

for instance the 208.67.216.0/21 is the OpenDNS server which includes a full range, not sure if the single -d is only trying to find the specific IP

i was asking other anon's if there's a IP range code for destinations, the only one i've found is the source "src-"
>>
>>52152353

You are misunderstanding things. The -L simply output the rules. I asked that because you couldn't supply the output of iptables-save.

The reject rule should always be the last. There is no ALLOW target. It should be ACCEPT.

iptables -A FORWARD -s 192.168.1.119/32 -d 40.74.0.0/15 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.76.0.0/14 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.80.0.0/12 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.96.0.0/12 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.112.0.0/13 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.120.0.0/14 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.124.0.0/16 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.125.0.0/17 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 65.52.0.0/14 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 157.54.0.0/15 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 157.56.0.0/14 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 157.60.0.0/16 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 208.67.216.0/21 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119 -j REJECT


REJECT can be replaced by DROP if you want the system to just discard the packet instead of sending an error notification. The user will think the site may be offline. REJECT is better for testing.
>>
Better:
iptables -F
iptables -X
iptables -A FORWARD -s 192.168.1.119/32 -d 40.74.0.0/15 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.76.0.0/14 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.80.0.0/12 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.96.0.0/12 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.112.0.0/13 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.120.0.0/14 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.124.0.0/16 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 40.125.0.0/17 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 65.52.0.0/14 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 157.54.0.0/15 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 157.56.0.0/14 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 157.60.0.0/16 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119/32 -d 208.67.216.0/21 -j ACCEPT
iptables -A FORWARD -s 192.168.1.119 -j REJECT


The -F will clear the currently loaded rules while the X will reset the counters.
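The -I versus -A ordering trap the thread ran into, and the hand-written /8 and /16 list it used for an address range, modelled in Python as an added example (not code from the thread). It simulates netfilter's first-match walk over a FORWARD chain instead of calling iptables; the host 192.168.1.119 and the networks are taken from the thread, and the three-network subset is a constructed sample.

```python
"""Model netfilter's first-match walk over a FORWARD chain (added example)."""
import ipaddress

LAN_HOST = "192.168.1.119"
# Constructed subset of the thread's allow list.
ALLOWED = ["40.74.0.0/15", "65.52.0.0/14", "208.67.216.0/21"]


def build_chain(allowed, insert=False):
    """Return the chain as netfilter would hold it after the commands are run
    in the thread's order: ACCEPTs first, then the catch-all REJECT.
    -A appends, so the REJECT lands last.  -I inserts at the top, so the
    REJECT entered last ends up first and shadows every ACCEPT."""
    chain = []
    cmds = [(LAN_HOST, net, "ACCEPT") for net in allowed]
    cmds.append((LAN_HOST, None, "REJECT"))
    for src, dst, target in cmds:
        rule = {
            "src": ipaddress.ip_network(src),              # bare host == /32
            "dst": ipaddress.ip_network(dst) if dst else None,
            "target": target,
        }
        if insert:
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def verdict(chain, src, dst, policy="ACCEPT"):
    """First matching rule decides; no match falls through to the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in chain:
        if s in rule["src"] and (rule["dst"] is None or d in rule["dst"]):
            return rule["target"]
    return policy


def cidrs_for_range(first, last):
    """Split an inclusive address range into the CIDR blocks that -d accepts,
    e.g. the 8.8.0.0-8.8.8.7 piece the thread wrote out by hand."""
    rng = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(net) for net in rng]


if __name__ == "__main__":
    for mode in (False, True):
        chain = build_chain(ALLOWED, insert=mode)
        print("-I" if mode else "-A", verdict(chain, LAN_HOST, "208.67.222.222"))
    print(cidrs_for_range("8.8.0.0", "8.8.8.7"))
```

With -A the host reaches 208.67.222.222 and is rejected elsewhere; with -I the same allow list is dead because the REJECT sits at the top, which is the "blocking rule works but not the allows" symptom from the thread.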