Hi,
I have a device behind my RouterTech router with IP address IP_1.
I would like to block traffic from IP_1 to all IPs except for IP_2.
Is this possible?
ACCEPT/DENY
- thechief
- RouterTech Team
Re: ACCEPT/DENY
Looks like an interesting problem. I am no networking expert, but it may be possible (if you are referring to LAN ip addresses) by having separate VLANs (if your router's switch is supported to that level - which would only point to a Marvell 88E6060 switch on "standard" firmwares). Otherwise, you may be able to achieve this with appropriate iptables commands (which I couldn't begin to speculate on).
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
- thechief
- RouterTech Team
Re: ACCEPT/DENY
thelawnet wrote: I would like to block traffic from IP_1 to all IPs except for IP_2.
Try this (from a telnet session):
# Replace the placeholder values with the real LAN addresses before running.
IP_1=192.168.1.10   # placeholder: the device to restrict
IP_2=192.168.1.20   # placeholder: the only destination it may still reach
iptables -A INPUT   -p tcp -s $IP_1 ! -d $IP_2 -j REJECT
iptables -A FORWARD -p tcp -s $IP_1 ! -d $IP_2 -j REJECT
iptables -A OUTPUT  -p tcp -s $IP_1 ! -d $IP_2 -j REJECT
PS: I am not sure that the 3rd iptables command (OUTPUT) is necessary (or desirable).
Re: ACCEPT/DENY
To back up thechief, if both devices are on your LAN the router switch may connect them effectively in hardware, so traffic won't touch the Linux kernel or iptables configured filtering rules. When devices are in the same LAN group (Wireless LAN to Ethernet LAN, for example) there's also a software bridge which joins them, requiring specific bridge filter rules, so iptables also won't work. When separated into VLANs (LAN groups) on supported switches the connections are made by the Linux kernel, so iptables filtering should apply.
Just the second FORWARD command should be enough, unless it's the router itself you want to block - INPUT refers to connections to the router itself, such as the web interface or other daemon services on the router. "-A" adds the rule after whatever is already there; to be sure your new block rule prevents something else ACCEPTing the connection first, I suggest you try "-I" to insert the rule at the top.