I am learning to use iptables to set up firewall rules.
I read a book which has this specific IP rule:
# iptables -I OUTPUT ! -d 192.168.0.100/24 -p icmp -j DROP
The book says this rule will "reject all outbound ICMP traffic to all systems on 192.168.0.0/24, except for the system with IP address 192.168.0.100/24."
But when I test it, I find that this rule does not block any IP in the 192.168.0.x segment; instead it blocks all other IPs that are not on 192.168.0.x.
Have I done anything wrong?
To show what I have done, I did two tests: one with the iptables rule on "192.168.0.100", and another on "192.168.0.100/24".
1. Flush iptables rules.
2. Ping 192.168.0.100, 192.168.0.110 and 192.168.1.1: all successful.
3. Add iptables rule.
4. # iptables -I OUTPUT ! -d 192.168.0.100 -p icmp -j DROP
5. Now I can ping 192.168.0.100, but cannot ping 192.168.0.110 or 192.168.1.1.
http://i.imgur.com/T2PH32N.png
Then I did another test, with the IP destination as "192.168.0.100/24":
1. Flush iptables rules.
2. Ping 192.168.0.100, 192.168.0.110 and 192.168.1.1: all successful.
3. Add iptables rule.
4. # iptables -I OUTPUT ! -d 192.168.0.100/24 -p icmp -j DROP
5. Now I can ping both 192.168.0.100 and 192.168.0.110, but not 192.168.1.1.
http://i.imgur.com/fJ4PUvw.png
So my conclusion is that, in an iptables rule, an IP address with a prefix is translated to the whole subnet of IPs: "192.168.0.100/24" and "192.168.0.0/24" are exactly the same.
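The following is an added example, not part of the original post, that models how iptables evaluates a `-d` / `! -d` match: the address is ANDed with the prefix mask, so the host bits in 192.168.0.100/24 are discarded. It replays the three ping destinations from the tests above against the book's single rule and against a two-rule chain that does what the book's sentence describes (the chain walk, the ACCEPT default policy and the rule tuples are assumptions of this model, not iptables code).

```python
import ipaddress

def iptables_match_set(spec):
    """Network that iptables actually matches for a -s/-d argument.
    strict=False mimics the kernel masking the host bits away, so
    192.168.0.100/24 becomes 192.168.0.0/24 (as iptables-save shows it)."""
    return ipaddress.ip_network(spec, strict=False)

def rule_matches(dst, spec, negate=False):
    """Evaluate '-d spec' (or '! -d spec' when negate=True) for one packet."""
    hit = ipaddress.ip_address(dst) in iptables_match_set(spec)
    return hit != negate

def evaluate_chain(dst, rules):
    """Walk an OUTPUT-style chain in order; rules are (spec, negate, target).
    First match wins; with no match the assumed chain policy ACCEPT applies."""
    for spec, negate, target in rules:
        if rule_matches(dst, spec, negate):
            return target
    return "ACCEPT"

# The book's rule as typed:  iptables -I OUTPUT ! -d 192.168.0.100/24 -p icmp -j DROP
BOOK_RULE = [("192.168.0.100/24", True, "DROP")]

# What the book's sentence actually describes: allow the one host, then drop
# the rest of the /24. With -I (insert at top) the DROP is added first, e.g.
#   iptables -I OUTPUT -d 192.168.0.0/24 -p icmp -j DROP
#   iptables -I OUTPUT -d 192.168.0.100 -p icmp -j ACCEPT
INTENDED_RULES = [("192.168.0.100", False, "ACCEPT"),
                  ("192.168.0.0/24", False, "DROP")]

# Constructed destinations, the same three used in the tests above.
TARGETS = ["192.168.0.100", "192.168.0.110", "192.168.1.1"]

def ping_results(rules):
    """Map each test destination to the verdict the chain gives its ICMP echo."""
    return {dst: evaluate_chain(dst, rules) for dst in TARGETS}

if __name__ == "__main__":
    print("100/24 is stored as:", iptables_match_set("192.168.0.100/24"))
    print("book's rule:      ", ping_results(BOOK_RULE))
    print("intended two rules:", ping_results(INTENDED_RULES))
```

Checking the live ruleset with `iptables -S OUTPUT` (or `iptables-save`) shows the masked form the kernel stored, which is the quickest way to confirm what a /24 argument was turned into.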