Block ip forwarding for specific remote ip address


I think you are overthinking the problem. It is trivial to block forwarding requests using iptables on whatever basis you like.

There is, of course, a default setting - forwarding can be allowed or denied by default - your current setting is allowed. Thus to drop a specific host, simply add an iptables rule

iptables -I FORWARD -d sou.rce.ip.add -j DROP   # -I inserts at the top of the chain; -d matches the destination address, use -s to match the source

Make sure that you remember to remove your rule to REJECT everything in the forward chain.
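As an added example (not code from the answer or from the question's author), here is a small Python audit that parses `iptables -L -n -v` output in the form shown in the question and checks the two things the answer depends on: the host-specific DROP must sit before any catch-all rule in FORWARD, and the catch-all REJECT must be gone. The listings are constructed, and the check also accepts a CIDR range in the rule, going slightly beyond the single-host case the answer shows.

```python
"""Audit the FORWARD chain of `iptables -L -n -v` output (added example, not the
answer's code): a DROP for the target host, or a range covering it, must precede
any catch-all rule, and the catch-all REJECT from the question must be gone."""
import ipaddress
import re
ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed listing modelled on the question's FORWARD chain (before the fix).
BEFORE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  895  136K            all  --  *      *       0.0.0.0/0            0.0.0.0/0
  518 30999 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""
# Constructed listing after `iptables -I FORWARD -d 172.16.1.77 -j DROP` and
# `iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited`.
AFTER = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            172.16.1.77
  895  136K            all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# The target column is empty for a rule with no -j, so the opt column anchors the parse.
RULE_RE = re.compile(
    r"^\s*\S+\s+\S+\s+(?:(?P<target>\S+)\s+)?(?P<prot>\S+)\s+(?:--|-f|!f)\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)")

def parse_chains(text):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}} in listing order."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}
        elif cur and (r := RULE_RE.match(line)):
            chains[cur]["rules"].append(r.groupdict())  # target is None if absent
    return chains

def covers(cidr, host):
    """True if `cidr` contains `host` and is not the 0.0.0.0/0 wildcard."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net != ANY and ipaddress.ip_address(host) in net

def audit_forward(chains, host):
    """Return (host blocked before any catch-all?, indices of catch-all DROP/REJECT rules)."""
    rules = chains.get("FORWARD", {}).get("rules", [])
    blocking = [i for i, r in enumerate(rules) if r["target"] in ("DROP", "REJECT")]
    host_rules = [i for i in blocking if covers(rules[i]["src"], host) or covers(rules[i]["dst"], host)]
    catch_all = [i for i in blocking if rules[i]["src"] == rules[i]["dst"] == "0.0.0.0/0"]
    return bool(host_rules) and all(host_rules[0] < c for c in catch_all), catch_all
```

Run it against the real listing with `audit_forward(parse_chains(open("rules.txt").read()), "172.16.1.77")`: a non-empty second value lists the catch-all rules that still need `iptables -D`.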

Author: user277820

Updated on September 18, 2022

Comments

  • user277820
    user277820 over 1 year

    I use Ubuntu as a gateway for several hosts. I need advice on how to block IP forwarding for a specific IP address or a specific IP range.

    I tried to block the IP via ufw deny rules, but it looks like IP forwarding settings cannot be modified via rules and can only be applied globally (DEFAULT_FORWARD_POLICY in /etc/default/ufw).

    Also I tried to change the iptables rules directly:

    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    After this command, the IP forwarding reject rule blocks forwarding requests from all remote hosts.

    Update: current iptables output:

    root@mtu90:/home/pi# iptables -L -n -v
    Chain INPUT (policy ACCEPT 5671 packets, 927K bytes)
     pkts bytes target     prot opt in     out     source               destination 
        0     0 DROP       all  --  *      *       0.0.0.0/0            172.16.1.77 
      192 15408 DROP       all  --  *      *       172.16.1.77          0.0.0.0/0   
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination 
      895  136K            all  --  *      *       0.0.0.0/0            0.0.0.0/0   
      518 30999 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT 119 packets, 14872 bytes)
     pkts bytes target     prot opt in     out     source               destination 
    
    • MadHatter
      MadHatter about 10 years
      It can certainly be modified by iptables rules. If you're open to changing them, could you cut-and-paste the output of iptables -L -n -v into your question? (It may be possible to do it via ufw also, I just don't know ufw.)
    • user277820
      user277820 about 10 years
      Please take a look. I've just updated my question with the iptables output.