Hi guys,

Can someone help a brother out? I need an iptables rule for our gateway machine.

Essentially, the internal nic is eth0 and the external nic is eth1. I need to block all internal systems with an ip in the range of 10.0.1.0-10.0.1.253 from getting out through the gateway. (netmask 255.255.0.0)

Currently, I only have the following iptable rules running:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward


Thanks guys.

Now that I think about it, would it be easier to hosts.deny the ip range?

hosts.deny might work.

If you want to go with iptables, then a rule like this should work. You'll need a somewhat recent iptables/kernel setup though. I'm not sure which versions started supporting the iprange match.


iptables -t filter -A FORWARD -i eth0 -o eth1 -m iprange --src-range 10.0.1.1-10.0.1.253 -j DROP

Hmm, iptables kicks out the following error with that command (currently using Debian testing with iptables 1.3.6.0debian1-3):

iptables: No chain/target/match by that name


For hosts.deny, does this look right?

ALL:10.0.1.0/32