Block ip forwarding for specific remote ip address
I think you are overthinking the problem. It is trivial to block forwarding requests using iptables on whatever basis you like.
There is, of course, a default setting (forwarding can be allowed or denied by default), and your current setting is allowed. Thus, to drop a specific host, simply add an iptables rule:
iptables -I FORWARD -d sou.rce.ip.add -j DROP
Make sure that you remember to remove your rule to REJECT everything in the forward chain.
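As an added example, not part of the answer above, the POSIX shell script below turns the two steps of that answer into something you can dry-run: it prints the `iptables -D` commands that take a blanket "REJECT everything" rule out of FORWARD, and the `iptables -I` commands that drop forwarded traffic for specific hosts or CIDR ranges while the chain's ACCEPT policy keeps working for everyone else. The answer drops by destination (`-d`); this script drops both directions (`-s` and `-d`), an assumption suited to cutting a LAN host off entirely. The `iptables -S FORWARD` sample and the addresses are constructed for illustration; nothing here is the original author's code.

```shell
#!/bin/sh
# Added example, not from the original answer: generate the iptables commands
# that (1) remove a blanket "REJECT everything" rule from FORWARD and (2) drop
# forwarded traffic to and from specific hosts or CIDR ranges, leaving the
# chain's ACCEPT policy in place for everyone else. It only prints commands,
# so it runs without root; pipe the output to sh to apply it.

# Constructed sample of `iptables -S FORWARD` output (assumption: mirrors the
# FORWARD chain shown in the question, blanket REJECT as the last rule).
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Accept a dotted-quad IPv4 address with an optional /0-/32 prefix; reject
# anything else so a typo cannot turn into a rule that matches nothing or
# everything.
validate_addr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: single host
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print `iptables -D` commands for every rule in FORWARD that has no match
# criteria and jumps straight to REJECT or DROP (the rule from the question).
# $1: the text of `iptables -S FORWARD`. `-S` prints rules in the exact
# syntax that `-D` accepts, so swapping -A for -D is enough.
blanket_reject_deletions() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        case "$rule" in
            "-A FORWARD -j REJECT"*|"-A FORWARD -j DROP"*)
                printf 'iptables %s\n' "$(printf '%s' "$rule" | sed 's/^-A /-D /')"
                ;;
        esac
    done
}

# Print `iptables -I` commands that block forwarding to and from each
# argument. -I puts them at the top of FORWARD, ahead of any ACCEPT rules
# (e.g. the established/related or NAT-related ones a gateway usually has),
# and FORWARD's default policy stays ACCEPT for every other host.
block_forwarding_for() {
    for host in "$@"; do
        if ! validate_addr "$host"; then
            printf 'skipping invalid address: %s\n' "$host" >&2
            continue
        fi
        printf 'iptables -I FORWARD -s %s -j DROP\n' "$host"
        printf 'iptables -I FORWARD -d %s -j DROP\n' "$host"
    done
}

# Dry run:  sh block_forward.sh 172.16.1.77 192.168.5.0/24
# Apply:    sh block_forward.sh 172.16.1.77 192.168.5.0/24 | sh
if [ "$#" -gt 0 ]; then
    # On the real gateway read the live chain; fall back to the sample offline.
    current=$(iptables -S FORWARD 2>/dev/null) || current=$SAMPLE_FORWARD
    blanket_reject_deletions "$current"
    block_forwarding_for "$@"
fi
```

Run it once without the trailing `| sh` and read the output before applying it; the deletions come first so the blanket REJECT is gone before the targeted DROPs go in, and `iptables -L FORWARD -n -v` afterwards should show only the per-host DROP rules above an ACCEPT policy. The rules are not persistent; save them with whatever mechanism your distribution uses once they behave as intended.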
user277820
Updated on September 18, 2022

Comments
-
user277820 over 1 year
I use Ubuntu as a gateway for several hosts. I need advice on how to block IP forwarding for a specific IP address or a specific IP range.
I tried to block the IP via ufw deny rules, but it looks like the IP forwarding setting cannot be modified via rules and can only be applied globally (DEFAULT_FORWARD_POLICY in /etc/default/ufw).
I also tried to change the iptables rules directly:
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
After this command the IP forwarding reject rule blocks forwarding requests from all remote hosts.
Update: current iptables output:
root@mtu90:/home/pi# iptables -L -n -v
Chain INPUT (policy ACCEPT 5671 packets, 927K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            172.16.1.77
  192 15408 DROP       all  --  *      *       172.16.1.77          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  895  136K            all  --  *      *       0.0.0.0/0            0.0.0.0/0
  518 30999 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 119 packets, 14872 bytes)
 pkts bytes target     prot opt in     out     source               destination
-
MadHatter about 10 years
It can certainly be modified by iptables rules. If you're open to changing them, could you cut-and-paste the output of iptables -L -n -v into your question? (It may be possible to do it via ufw also, I just don't know ufw.)
-
user277820 about 10 years
Please take a look. I've just updated my question with the iptables output.