Blocking selected clients with iptables

Stephen Smith scsmith1451 at totacc.com
Fri Dec 30 20:25:02 MST 2005


Corey Edwards wrote:

>On Thu, 2005-12-29 at 19:58 -0700, Stephen Smith wrote:
>  
>
>>iptables -A INPUT -s 192.168.1.x -d 10.0.0.1 -j DROP
>>iptables -A INPUT -s 192.168.1.x -p ALL -d 10.0.0.1 -j DROP
>>iptables -A INPUT -s 192.168.1.x -p tcp --dport 80 -j DROP
>>iptables -A INPUT -s 192.168.1.x -p tcp -m multiport --dports 80,8080,8008,443 -j DROP
>>    
>>
>
>The filter table has 3 built-in chains, INPUT, OUTPUT and FORWARD. A
>packet will transit only one of these chains. INPUT is for packets which
>match an IP address of the box. OUTPUT is for packets generated locally
>and destined externally. FORWARD is for packets which are generated
>externally and are destined externally as well.
>
>So, you've asked iptables to filter traffic in INPUT when the packets
>will only be in FORWARD. You simply need a rule like this:
>
>        # iptables -A FORWARD -s 192.168.1.x -j REJECT
>
>I prefer a REJECT in this case so that you get an immediate error on the
>win98 box rather than waiting for a timeout.
>
>Since this rule is in the FORWARD chain, it will have no effect on local
>traffic destined for this box. Those packets will be hitting the INPUT
>chain instead. It also won't affect any traffic which goes directly
>between the Win98 box and any other machine on the network since that
>will occur strictly between those two boxes and never involve the
>firewall.
>
>Corey
You all are great, every suggestion worked.  Thanks.
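The chain-selection rule Corey describes (INPUT for packets addressed to the firewall itself, OUTPUT for packets it generates, FORWARD for everything routed through it) is easy to get wrong, as the original rules show. The following is an added example, not code from the thread: a small POSIX sh helper that decides which chain a given source/destination pair would transit and prints the matching REJECT rule for review instead of applying it. The firewall addresses and the client address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Models which built-in
# chain of the iptables filter table a packet transits, following the rule
# given in the reply: INPUT when the destination is one of the firewall's
# own addresses, OUTPUT when the source is, FORWARD otherwise.

# Assumed addresses of the firewall box (constructed placeholders).
FIREWALL_ADDRS="10.0.0.1 192.168.1.1"

# is_local_addr ADDR -> 0 if ADDR belongs to the firewall, 1 otherwise
is_local_addr() {
    for a in $FIREWALL_ADDRS; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# chain_for SRC DST -> prints INPUT, OUTPUT or FORWARD
chain_for() {
    if is_local_addr "$2"; then
        echo INPUT
    elif is_local_addr "$1"; then
        echo OUTPUT
    else
        echo FORWARD
    fi
}

# block_client_rule CLIENT DST -> prints the iptables rule that would block
# CLIENT on the chain its traffic to DST actually transits. REJECT is used,
# as the reply suggests, so the client gets an immediate error rather than
# a timeout. Printed, not executed, so it can be reviewed before being
# applied as root.
block_client_rule() {
    printf 'iptables -A %s -s %s -j REJECT\n' "$(chain_for "$1" "$2")" "$1"
}

# Example: a LAN client (constructed address) reaching an Internet host
# is forwarded, so the rule lands in FORWARD; the same client talking to
# the firewall itself would need an INPUT rule instead.
block_client_rule 192.168.1.50 203.0.113.10
block_client_rule 192.168.1.50 10.0.0.1
```

Traffic between two machines on the same LAN segment never crosses the firewall at all, so no chain on this box can see it; that is the case the reply calls out at the end.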


