iptables questions

FNC · 07-12-2007, 10:50 AM

Hi,

I want to prevent a range of ipaddresses on my network to access another range on the same subnet.
So basiclly I want to prevent 192.160.0.10-192.168.0.30 from seeing 192.168.0.31-192.168.0.40.
Do I have to add a rule under iptables FORWARD or iptables INPUT?

Regards

acid_kewpie · 07-12-2007, 12:57 PM

this is impossible in a single place unless you're doing something like bridging between two switches. not sure what table that is then actually. iptables manpage suggests using the physdev module to get inside the bridged interfaces, and says that will work under FORWARD amongst others actually.

also check ebtables as a layer 2 replacement for iptables.

FNC · 07-12-2007, 02:13 PM

Ok , so how can I prevent a range of PC's from connecting to another range, but still access the same servers?
Do I have to use different subnets? And if so, can this be done on a single NIC with multiple IP's?

win32sux · 07-12-2007, 06:42 PM

The simplest way would be to have your ranges on their own interfaces.

You could then do it like:

Code:

iptables -I FORWARD -i eth0 -o eth1 \
-m iprange --src-range 192.168.0.100-192.168.0.200 \
-m iprange --dst-range 192.168.1.50-192.168.1.80 -j DROP

(Example assumes interface eth0 is on 192.168.0.0 while eth1 is on 192.168.1.0)

But if you're saying that all the clients are connected to the same interface then you'd need to do something like acid_kewpie suggested. A quick work-around could be to use INPUT rules on the destination hosts themselves (if they are GNU/Linux), like:

Code:

iptables -I INPUT -m iprange \
--src-range 192.168.0.10-192.168.0.30 -j DROP