Blocking selected clients with iptables

Corey Edwards tensai at zmonkey.org
Fri Dec 30 09:03:43 MST 2005


On Thu, 2005-12-29 at 19:58 -0700, Stephen Smith wrote:
> iptables -A INPUT -s 192.168.1.x -d 10.0.0.1 -j DROP
> iptables -A INPUT -s 192.168.1.x -p ALL -d 10.0.0.1 -j DROP
> iptables -A INPUT -s 192.168.1.x -p tcp --dport 80 -j DROP
> iptables -A INPUT -s 192.168.1.x -p tcp -m multiport --dports
> 80,8080,8008,443 -j DROP

The filter table has 3 built-in chains, INPUT, OUTPUT and FORWARD. A
packet will transit only one of these chains. INPUT is for packets which
match an IP address of the box. OUTPUT is for packets generated locally
and destined externally. FORWARD is for packets which are generated
externally and are destined externally as well.

So, you've asked iptables to filter traffic in INPUT when the packets
will only be in FORWARD. You simply need a rule like this:

        # iptables -A FORWARD -s 192.168.1.x -j REJECT

I prefer a REJECT in this case so that you get an immediate error on the
win98 box rather than waiting for a timeout.

Since this rule is in the FORWARD chain, it will have no effect on local
traffic destined for this box. Those packets will be hitting the INPUT
chain instead. It also won't affect any traffic which goes directly
between the Win98 box and any other machine on the network since that
will occur strictly between those two boxes and never involve the
firewall.

Corey
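As an added illustration (this is not part of Corey's message or the thread), the chain-selection logic explained above can be written down as a small POSIX shell script: given a packet's source and destination, it names the one filter-table chain the packet will traverse, and then emits the block rule that would actually match the client's traffic. The firewall addresses, the client address 192.168.1.5 and the external address 198.51.100.7 are constructed sample values; the commands are only printed, not executed, so the script runs without root or iptables installed.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumption: FIREWALL_IPS lists every address configured on the firewall
# itself (constructed sample values, one per interface).
FIREWALL_IPS="10.0.0.1 192.168.1.1"

is_local_ip() {
    # Returns 0 when $1 is one of the firewall's own addresses.
    for ip in $FIREWALL_IPS; do
        [ "$ip" = "$1" ] && return 0
    done
    return 1
}

chain_for_packet() {
    # $1 = source address, $2 = destination address.
    # A packet transits exactly one of the three built-in chains:
    #   INPUT   - addressed to the firewall itself
    #   OUTPUT  - generated by the firewall, leaving it
    #   FORWARD - routed through the firewall between two other hosts
    if is_local_ip "$2"; then
        echo INPUT
    elif is_local_ip "$1"; then
        echo OUTPUT
    else
        echo FORWARD
    fi
}

block_rule() {
    # $1 = client to block, $2 = a destination that client is reaching.
    # Prints the rule that lands in the chain the traffic really traverses.
    # REJECT is used so the client sees an immediate error, not a timeout.
    chain=$(chain_for_packet "$1" "$2")
    case "$chain" in
        INPUT|FORWARD)
            echo "iptables -A $chain -s $1 -j REJECT"
            ;;
        *)
            # A packet *from* the client can never be in OUTPUT.
            echo "error: $1 is a firewall address, not a client" >&2
            return 1
            ;;
    esac
}

# Demo: the two kinds of traffic from the client discussed in the thread.
block_rule 192.168.1.5 10.0.0.1      # traffic to the firewall: INPUT
block_rule 192.168.1.5 198.51.100.7  # traffic through the firewall: FORWARD
```

Traffic between the client and another host on the same LAN segment never reaches any of these chains, because it never passes through the firewall at all; no rule on the firewall can affect it.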
