Home / server / Questions / 479618
Accepted
lacrosse1991
Asked: 2013-02-17 18:35:25 +0800 CST

how can I block all traffic that is coming to and from an IP address using iptables

  • 772

I am trying to block all traffic that is both coming and going to an internal IP address (this server acts as a router for the network). so far I have tried the following: iptables -A INPUT -s 192.168.1.111 -j DROP & iptables -A OUTPUT -d 192.168.1.111 -j DROP, with 192.168.1.111 being the IP address I am trying to block traffic from. The local area network connects to br0. Here is my current iptables setup (I've removed port forwards, etc to make it easier to go through): 

# Generated by iptables-save v1.4.8 on Sat Feb 16 21:21:16 2013
*nat
:PREROUTING ACCEPT [184556:41149689]
:POSTROUTING ACCEPT [13698:835740]
:OUTPUT ACCEPT [77252:6378101]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 16 21:21:16 2013
# Generated by iptables-save v1.4.8 on Sat Feb 16 21:21:16 2013
*filter
:INPUT DROP [10054:2687428]
:FORWARD ACCEPT [1377:76856]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -i br0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A FORWARD -i eth0 -o Br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
COMMIT
# Completed on Sat Feb 16 21:21:16 2013

How could I go about blocking all traffic to and from an IP with this current setup? Im not the best in the world with iptables, so any help would be much appreciated, thanks!

networking

2 Answers

  1. Best Answer

    The INPUT and OUTPUT iptables chains apply to traffic destined to the local server. Any packet routed through the firewall is processed by the FORWARD chain. So in this case, you need to prevent packets from being forwarded by the linux router to the internal client using the FORWARD chain.

    I would advise you to start with a default DROP policy for the FORWARD chain. Because your current setup shows that by default your FORWARD policy is ACCEPT, which is not the most secure setup. So start with a drop policy for forward with - 

      iptables -P FORWARD DROP

    Then allow packets to be forwarded to the Internal clients with - 

      iptables -A FORWARD -s source-net/subnet -d destination-net/subnet -j ACCEPT
  iptables -A FORWARD -m state –state NEW,ESTABLISHED -s source-net/subnet -j ACCPET
  iptables -A FORWARD -m state –state ESTABLISHED -j ACCEPT

    If the internal client is within the allowed subnet, set a rule to explicitly drop the packets destined to that client -

       iptables -I FORWARD -s 0/0 -d 192.168.1.111 -j DROP
   iptables -I FORWARD -s 192.168.1.111 -d 0/0 -j DROP
    • 3

  2. The mistake you did was that you did append (-A) the blocking rules for 192.168.1.111 instead of inserting it (-I), because if you pay attention some rules in INPUT/OUTPUT did allow traffic from 192.168.1.X segment. So do this:

    iptables -I INPUT -s 192.168.1.111 -j DROP
iptables -I OUTPUT -d 192.168.1.111 -j DROP

    If the 192.168.1.111 is using the same server as an router than add a similra rule to the FORWARD chain

    iptables -I FORWARD -d 192.168.1.111 -j DROP

    • 2