2

I am trying to block all traffic that is both coming and going to an internal IP address (this server acts as a router for the network). so far I have tried the following: iptables -A INPUT -s 192.168.1.111 -j DROP & iptables -A OUTPUT -d 192.168.1.111 -j DROP, with 192.168.1.111 being the IP address I am trying to block traffic from. The local area network connects to br0. Here is my current iptables setup (I've removed port forwards, etc to make it easier to go through): 

# Generated by iptables-save v1.4.8 on Sat Feb 16 21:21:16 2013
*nat
:PREROUTING ACCEPT [184556:41149689]
:POSTROUTING ACCEPT [13698:835740]
:OUTPUT ACCEPT [77252:6378101]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 16 21:21:16 2013
# Generated by iptables-save v1.4.8 on Sat Feb 16 21:21:16 2013
*filter
:INPUT DROP [10054:2687428]
:FORWARD ACCEPT [1377:76856]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -i br0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A FORWARD -i eth0 -o Br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
COMMIT
# Completed on Sat Feb 16 21:21:16 2013

How could I go about blocking all traffic to and from an IP with this current setup? Im not the best in the world with iptables, so any help would be much appreciated, thanks!

lacrosse1991
  • 1,437
  • 5
  • 20
  • 26
  • Is the iptables rules you posted for the linux router and you are trying to block traffic to/from another machine inside the network? Please clarify. – Daniel t. Feb 17 '13 at 03:03
  • @Danielt. yep the iptables is located on the debian router, and I am trying to block internet traffic to/from a machine on the internal network – lacrosse1991 Feb 17 '13 at 03:15

2 Answers2

3

The mistake you did was that you did append (-A) the blocking rules for 192.168.1.111 instead of inserting it (-I), because if you pay attention some rules in INPUT/OUTPUT did allow traffic from 192.168.1.X segment. So do this:

iptables -I INPUT -s 192.168.1.111 -j DROP
iptables -I OUTPUT -d 192.168.1.111 -j DROP

If the 192.168.1.111 is using the same server as an router than add a similra rule to the FORWARD chain

iptables -I FORWARD -d 192.168.1.111 -j DROP

golja
  • 1,621
  • 10
  • 14
3

The INPUT and OUTPUT iptables chains apply to traffic destined to the local server. Any packet routed through the firewall is processed by the FORWARD chain. So in this case, you need to prevent packets from being forwarded by the linux router to the internal client using the FORWARD chain.

I would advise you to start with a default DROP policy for the FORWARD chain. Because your current setup shows that by default your FORWARD policy is ACCEPT, which is not the most secure setup. So start with a drop policy for forward with - 

  iptables -P FORWARD DROP

Then allow packets to be forwarded to the Internal clients with - 

  iptables -A FORWARD -s source-net/subnet -d destination-net/subnet -j ACCEPT
  iptables -A FORWARD -m state –state NEW,ESTABLISHED -s source-net/subnet -j ACCPET
  iptables -A FORWARD -m state –state ESTABLISHED -j ACCEPT

If the internal client is within the allowed subnet, set a rule to explicitly drop the packets destined to that client -

   iptables -I FORWARD -s 0/0 -d 192.168.1.111 -j DROP
   iptables -I FORWARD -s 192.168.1.111 -d 0/0 -j DROP
Daniel t.
  • 9,291
  • 1
  • 33
  • 36