I am learning using iptables to set up firewall rules.

I read a book, which has this specific IP rule.

# iptables -I OUTPUT ! -d 192.168.0.100/24 -p icmp -j DROP

The book says this rule, "reject all outbound ICMP traffic to all systems on 192.168.0.0/24, except for system with IP address 192.168.0.100/24."

But when I test it, I found this rule does not block any IP in this segment 192.168.0.x, But instead it block all other IP not on 192.168.0.x.

Have I done anything wrong?


To show what I have done, I did two tests. One with iptables rule on "192.168.0.100", and another on "192.168.0.100/24".

1. Flush iptables rules.
2. ping 192.168.0.100 and 192.168.0.110, and 192.168.1.1 all successful.
3. Add iptables rule.
4. # iptables -I OUTPUT ! -d 192.168.0.100 -p icmp -j DROP
5. Now I can ping 192.168.0.100, but cannot ping 192.168.0.110, or 192.168.1.1.
http://i.imgur.com/T2PH32N.png

Then I did another test, with IP destination as "192.168.0.100/24"
1. Flush iptables rules.
2. ping 192.168.0.100 and 192.168.0.110, and 192.168.1.1 all successful.
3. Add iptables rule.
4. # iptables -I OUTPUT ! -d 192.168.0.100/24 -p icmp -j DROP
5. Now I can ping both 192.168.0.100, 192.168.0.110, but not 192.168.1.1.

http://i.imgur.com/fJ4PUvw.png

So my conclusion is that, in iptables rule, IP address with prefix is translated to whole IP subset IPs. "192.168.0.100/24" and "192.168.0.0/24" are exactly the same.

What book? ISBN #?
Is this a school question?

Thanks for your reply. It's not a school question.

The book's ISBN is 1495148203. It's a RHCSA and RHCE training guide. I am using it to prepare for my RHCSA exam.

I have made contact with the author, and author said no problem with the rule. But I tested the rule multiple times and found it did not really work in the way as the book described.

They are exactly the same. The "/24" says to ignore everything except the high-order 24 bits. For an exact address, either leave off the "/xx" or use "/32".

1 members found this post helpful.