[ale] Blocking access to a subnet

Christopher Fowler cfowler at outpostsentinel.com
Mon Apr 9 19:10:45 EDT 2007


I get an invalid argument from iptables when I try that.  Here is how I
did it:

[tomcat at sam-service tomcat]$ for i in 5 6 7 8 9 10 11 12 13 15 16 17 18 19 20
> do
> sudo /sbin/iptables -A OUTPUT -p tcp -s 209.168.246.232 -d 10.0.${i}.0/24 -j REJECT --reject-with tcp-reset
> done
[tomcat at sam-service tomcat]$ telnet 10.0.20.2 80
Trying 10.0.20.2...
telnet: connect to address 10.0.20.2: Connection refused
[tomcat at sam-service tomcat]$ telnet 10.0.14.2 80
Trying 10.0.14.2...
Connected to 10.0.14.2.
Escape character is '^]'.
^]
telnet> quit

The logic behind that rule is that if the ppp interface is down, then
the kernel will try to route packets out of eth0 to the default
gateway.  Eth0's address is 209.168.246.233, so if the source is
209.168.246.233 then the ppp interface obviously is not up.  The test
after I applied the rules showed that it worked great.  The only
downside is that I had to know what the eth0 address is.  This means
that on a server with DHCP, if I use this rule I need to get that address
before applying it.



On Mon, 2007-04-09 at 17:02 -0600, JK wrote:
> Christopher Fowler wrote:
> 
> [snip]
> 
> > Is there a way I can say
> > on the server that any packet destined for 10.0.5.0/24 going out of eth0
> > to be rejected automatically?  These packets would be generated
> > internally.
> 
>    iptables -I OUTPUT -o eth0 -d 10.0.5.0/24 -j REJECT
> 
> perhaps?
> 
> -- JK
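The approach described in the message above (reject locally generated TCP traffic to the 10.0.N.0/24 subnets whenever it would leave via eth0, i.e. when the ppp link is down and the default route is used), as an added example that is not part of the original post. Instead of hard-coding the eth0 source address it uses JK's `-o eth0` match, which holds on a DHCP-assigned interface because the kernel picks the outbound interface's address as the source of locally generated packets, and it emits an iptables-restore block so the whole rule set lands atomically rather than one `-A` at a time. The interface name, the `--apply` flag and the `iface_addr` helper are assumptions for the example; the subnet list is the one from the post.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) OUTPUT rules that reject
# locally generated TCP traffic to 10.0.N.0/24 whenever it would leave via
# the egress interface (eth0 here), i.e. when the ppp link is down and the
# kernel falls back to the default route. Matching on "-o eth0" instead of
# "-s <eth0 address>" means the address need not be known up front.

# gen_rules IFACE N [N...]: one REJECT rule per 10.0.N.0/24 subnet,
# in the syntax iptables-restore(8) reads.
gen_rules() {
    iface=$1
    shift
    for n in "$@"; do
        printf -- '-A OUTPUT -o %s -p tcp -d 10.0.%s.0/24 -j REJECT --reject-with tcp-reset\n' \
            "$iface" "$n"
    done
}

# gen_restore IFACE N [N...]: wrap the rules in a filter-table block so
# they can be loaded in one atomic operation (all or nothing).
gen_restore() {
    printf '*filter\n'
    gen_rules "$@"
    printf 'COMMIT\n'
}

# iface_addr IFACE: current IPv4 address of IFACE (empty if it has none),
# for anyone who still wants the "-s" variant from the post on a DHCP box.
# Assumed helper; relies on iproute2's one-line (-o) output format.
iface_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
}

# Subnet list from the post (10.0.14.0/24 deliberately left reachable).
# EGRESS and the --apply flag are assumptions; run as root with --apply
# to load the rules without flushing what is already in the table.
SUBNETS="5 6 7 8 9 10 11 12 13 15 16 17 18 19 20"
EGRESS=eth0
if [ "${1:-}" = "--apply" ]; then
    gen_restore "$EGRESS" $SUBNETS | iptables-restore --noflush
else
    gen_restore "$EGRESS" $SUBNETS
fi
```

Run it without arguments first and review the generated block; `--reject-with tcp-reset` is only valid together with `-p tcp`, so the generated rules keep that match. If the ppp link is up and the 10.0.x routes point at it, the packets never leave via eth0 and these rules do not fire, which is the same behaviour the source-address check gives.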



