LinuxQuestions.org
Old 03-22-2017, 06:32 PM   #1
networkprosource
LQ Newbie
 
Registered: Mar 2017
Posts: 2

Rep: Reputation: Disabled
Exclude Single IP from iptables rule


I am new to the forum, and this is my first post. I tried to find a similar question asked and answered first, and I apologize if this has been resolved elsewhere.

I have been using a set of rules I found on another site to block ALL Facebook traffic at the firewall.

My (modified) rules look like so:

iptables -A CUSTOMFORWARD -p tcp -m tcp --dport 80 -m string --string "facebook" --algo bm -j DROP
iptables -A CUSTOMFORWARD -p tcp -m tcp --dport 443 -m string --string "facebook" --algo bm -j DROP
iptables -A CUSTOMFORWARD -p tcp -m tcp --sport 80 -m string --string "facebook" --algo bm -j DROP
iptables -A CUSTOMFORWARD -p tcp -m tcp --sport 443 -m string --string "facebook" --algo bm -j DROP

I know this string matching is CPU intensive, but since we are a relatively small company, the CPU overhead is not unreasonable and it doesn't slow network traffic noticeably. However, I can't seem to figure out how to exclude a single IP on the local network from this rule (my boss wants access to Facebook for marketing). I prefer to do everything at the iptables level rather than the workstation level, but for the life of me I can't figure out how to create this exclusion. Any help would be appreciated.

Thank you!

Tom
 
Old 03-23-2017, 05:12 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
You can use "-s" to specify a source in addition to the other specifications. This restricts the rule to the source specified. Per the man page, putting ! before the "-s" negates it, so if you do something like:

iptables -A CUSTOMFORWARD ! -s <IP address> -p tcp -m tcp --dport 80 -m string --string "facebook" --algo bm -j DROP

My read is it would do the drop for everything but the IP you specify. I've used the -s many times but not the ! for negation in iptables, but this seems correct based on what I read.
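A worked version of the suggestion above, added here and not part of the thread: it appends all four rules from the first post with the negation pointed the right way for each direction, since the --dport rules see the exempt workstation as the packet source but the --sport (reply) rules see it as the destination, so those need "! -d" rather than "! -s". The chain name CUSTOMFORWARD and the string-match rules come from the thread; the IPv4 sanity check, the IPT dry-run variable and the sample address 192.0.2.10 are assumptions I added.

```shell
#!/bin/sh
# Added example: append the four Facebook DROP rules, each negated for one
# exempt LAN host. Set IPT="echo iptables" to print the commands instead of
# applying them (needs root otherwise).
IPT="${IPT:-iptables}"
CHAIN="CUSTOMFORWARD"

# Reject anything that is not a dotted-quad IPv4 address (an optional
# /prefix is allowed) so a typo cannot turn into a stray iptables argument.
is_ipv4() {
    addr="${1%%/*}"
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    for o in $(echo "$addr" | tr '.' ' '); do
        n=$((n + 1))
        [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Usage: facebook_block_rules <exempt-ip>
facebook_block_rules() {
    exempt="$1"
    is_ipv4 "$exempt" || { echo "invalid IPv4 address: $exempt" >&2; return 1; }
    for port in 80 443; do
        # client -> web server: the exempt host is the packet source
        $IPT -A "$CHAIN" ! -s "$exempt" -p tcp -m tcp --dport "$port" \
            -m string --string "facebook" --algo bm -j DROP
        # web server -> client: the exempt host is the packet destination
        $IPT -A "$CHAIN" ! -d "$exempt" -p tcp -m tcp --sport "$port" \
            -m string --string "facebook" --algo bm -j DROP
    done
}
```

Run it as `IPT="echo iptables" facebook_block_rules 192.0.2.10` first to review the four generated rules before applying them for real.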
 
Old 03-23-2017, 05:18 PM   #3
networkprosource
LQ Newbie
 
Registered: Mar 2017
Posts: 2

Original Poster
Rep: Reputation: Disabled
MensaWater - I am off for the next couple of days, but Monday I will log into the firewall and give that a try, thanks!
 