iptables rules for blocking everyone but certain ranges?
My intention is to redirect everyone by default, allow certain IP ranges and deny certain ranges:
Redirect everyone:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
Allow a range:
Code:
iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.100-111.222.333.200 -j ACCEPT
Deny a range:
Code:
iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.0-111.222.333.255 --dport 80 -j REDIRECT --to 8080
I get the first rule (transparent proxy), but I don't get the other two. Seems to me like you should be using the FORWARD chain to handle things like this. That third rule of yours won't ever be used, since the first one matches the same thing. As for the second rule, it's not needed since the policy for the PREROUTING chain is ACCEPT anyways.
What about doing this instead?
First rule stays the same:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
Code:
iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.100-111.222.333.200 --dport 8080 -j REDIRECT --to 80
Code:
iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 111.222.333.0-111.222.333.255 --dport 80 -j REDIRECT --to 8080
I'm basically looking for a way to say: disallow all numbers, but allow 0 through 100 unless it falls between 40 and 60.
What exactly are you trying to accomplish?
EDIT: Never mind, just saw your edit.
You mean filter the packets entirely? Or abstain from sending them to REDIRECT?
Would those rules I posted in my previous reply work? Linux networking/firewalling has always been my Achilles' heel :( I can't seem to wrap my head around iptables and how it prioritizes things.
Code:
iptables -t nat -A PREROUTING -p TCP -i eth1 -m iprange --src-range 192.168.1.75-192.168.1.230 -j ACCEPT
BTW, notice that I specified the inbound interface, which is a good idea whenever possible.
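An added worked example, not code posted by anyone in this thread, that puts the replies together: the original intent ("redirect everyone, let one range through, except a sub-range that must still be redirected") becomes three nat PREROUTING rules whose order is what makes them work, since iptables walks a chain top to bottom and the first terminating match wins. The private ranges, the proxy port and the eth1 interface are assumptions chosen for the example; set IPT=echo (or run it with the demo argument) to print the rules instead of loading them, and the small simulator at the bottom checks the first-match ordering without root.

```sh
#!/bin/sh
# Added example, not code posted in this thread. It implements the intent
# described above ("redirect everyone, let one range through, except a
# sub-range that must still be redirected") as an ordered nat PREROUTING
# chain, and includes a tiny first-match simulator so the ordering can be
# checked without root. Addresses, interface and ports are assumptions.

IPT="${IPT:-iptables}"           # set IPT=echo to print the rules instead of loading them
IFACE="${IFACE:-eth1}"           # inbound interface, as the last reply recommends
PROXY_PORT="${PROXY_PORT:-8080}"

ALLOW_RANGE="192.168.1.75-192.168.1.230"   # assumed: clients that bypass the proxy
DENY_RANGE="192.168.1.100-192.168.1.120"   # assumed: inside ALLOW_RANGE, still proxied

# A chain is walked top to bottom and the first terminating match wins, so the
# narrow exception comes first, the broader bypass second, the catch-all last.
# ACCEPT in the nat table only means "no NAT for this connection"; it is not a
# filtering decision, and the filter table still sees the packet afterwards.
load_rules() {
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -m iprange --src-range "$DENY_RANGE" -j REDIRECT --to-ports "$PROXY_PORT"
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -m iprange --src-range "$ALLOW_RANGE" -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# dotted quad -> integer, so ranges can be compared numerically
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
    }
}

# in_range IP "lo-hi": succeeds when lo <= IP <= hi (inclusive, like iprange)
in_range() {
    ip=$(ip2int "$1")
    lo=$(ip2int "${2%-*}")
    hi=$(ip2int "${2#*-}")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# verdict IP: what the chain in load_rules does with a new port-80 connection
# from IP, evaluated in the same order the rules were appended
verdict() {
    if in_range "$1" "$DENY_RANGE"; then
        echo "REDIRECT:$PROXY_PORT"
    elif in_range "$1" "$ALLOW_RANGE"; then
        echo "ACCEPT"
    else
        echo "REDIRECT:$PROXY_PORT"
    fi
}

case "${1:-}" in
    load) load_rules ;;                       # needs root and a real iptables
    demo)
        ( IPT=echo; load_rules )              # dry run: print the three rules in order
        for ip in 192.168.1.10 192.168.1.80 192.168.1.110 10.0.0.1; do
            echo "$ip -> $(verdict "$ip")"
        done
        ;;
esac
```

Two caveats worth keeping in mind: the nat table only sees the first packet of each connection (conntrack applies the decision to the rest), so the rules above decide per connection, not per packet; and if the sub-range is supposed to be blocked rather than proxied, that DROP belongs in the filter table (INPUT or FORWARD, depending on whether the box is the proxy host or a router), not in nat.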