Home / server / Questions / 505597
Accepted
Jarmund
Asked: 2013-05-08 02:51:00 +0800 CST

iptables for a /16 subnet with a /24 exception

  • 772

simply put, i want to use these rules:

iptables -I FORWARD -i br0.105 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD -s 192.168.0.0/16 -i br0.105 -j DROP

but with the exception of the 192.168.99.0/24 subnet.

Is there a way of specifying this in the lines above? I prefer ta not add an exception-rule with -j accept for the .99-subnet, as there are other rules that refer to that particular subnet.

iptables

3 Answers

  1. Best Answer

    Use a new chain. There are multiple ways to do this, my preference would be this:

    iptables -N DROP_BAD_HOSTS
iptables -A DROP_BAD_HOSTS -s 192.168.99.0/24 -j RETURN
iptables -A DROP_BAD_HOSTS -i br0.105 -d 192.168.0.0/16 -j DROP
iptables -A DROP_BAD_HOSTS -i br0.105 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -j DROP_BAD_HOSTS

    Notice the first rule does a RETURN if the source is the /24 you want to exclude.

    Another method is this, but is less flexible in that you can't add another range to exclude in the future:

    iptables -N DROP_BAD_HOSTS
iptables -A DROP_BAD_HOSTS -i br0.105 -d 192.168.0.0/16 -j DROP
iptables -A DROP_BAD_HOSTS -s 192.168.0.0/16 -i br0.105 -j DROP
iptables -A FORWARD ! -s 192.168.99.0/24 -j DROP_BAD_HOSTS
    • 3

  2. as there are other rules that apply as well

    What are other rules? It apply for .99 subnet or It apply for 192.168.0.0/16?

    If It just apply for .99 subnet, you only have to move It up, above these two rules.

    • 1

  3. Create a new chain:

    iptables -N subnet1

    Direct the exception network to the new chain:

    iptables -I FORWARD -i br0.105 -d 192.168.99.0/24 -j subnet1

    Apply other rules to traffic in that chain:

    iptables -I subnet1 ... -j DROP/ACCEPT
    • 1