Hi;
Running ClearOS 6.7 as a gateway/DHCP server. I have a series of devices - my 'intranet of things' - that I'd like to block from accessing the Internet, and I've got firewall rules set up for each individual device. This is working. They're all in the same range of IPs though, and I'd like one rule that covers the entire range rather than having to remember to update the firewall each time I plug something new in.
Here's what works now:
iptables -I FORWARD -i eth1 -o eth0 -s 10.10.10.123 -j DROP
If I try to block the whole range of .120 to .130 by entering this:
iptables -I FORWARD -i eth1 -o eth0 -s 10.10.10.120-10.10.10.130 -j DROP
then nothing works.
Further, I'd like to allow SMTP traffic outbound from these devices so that they send an e-mail if there's something wrong. I have this working on an individual basis, with the firewall blocking all traffic from eth1 to eth0, and then the next rule allowing traffic on port 25:
iptables -I FORWARD -s 10.10.10.119 -p tcp --dport 25 -j ACCEPT
I'd like to do this for the entire range too, rather than having to create a new rule for each device.
Any suggestions? I can't for the life of me figure out why the IP range isn't working.
Thanks in advance.
Responses (2)
Accepted Answer
Have a look at this man page. It looks like you have to load the module iprange, so:
iptables -I FORWARD -i eth1 -o eth0 -m iprange --src-range 10.10.10.120-10.10.10.130 -j DROP
It is much easier to block by subnet where you could use:
iptables -I FORWARD -i eth1 -o eth0 -s 10.10.10.112/28 -j DROP
This would cover 10.10.10.112-10.10.10.127, but you'd need a small rethink on how you've segmented your LAN.
To allow the range for SMTP you'd need two rules. You could use a block all then and allow tcp:25. If using custom firewall rules make sure the allow rule goes second. As it gets applied second it appears higher up the iptables listing so takes precedence. Alternatively you can do it by blocking all udp (-p udp) for the IP range and blocking all tcp except port 25 for the same range (-p tcp ! --dport 25). Rule ordering for the alternative way does not matter.
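An added example, not from the post or from ClearOS: a POSIX shell helper that splits an address range into the CIDR blocks a plain -s accepts (so the iprange module is not needed) and prints the order-independent udp / tcp-except-25 drop rules from the answer for each block. It shows that .120-.130 is not one subnet but three blocks, which is why a single /28 at .112 cannot match it exactly. The interface names eth1/eth0 and the range are taken from the question; the script only prints commands.

```shell
#!/bin/sh
# Range-to-CIDR helper for the egress rules discussed above (constructed
# example: it prints iptables commands, it does not run them).

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad IPv4.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Decompose an inclusive address range into the minimal list of CIDR blocks.
range_to_cidrs() {
  start=$(ip2int "$1"); end=$(ip2int "$2"); out=""
  while [ "$start" -le "$end" ]; do
    prefix=32
    # Widen the block one bit at a time while it stays aligned on its own
    # size and its last address does not run past the end of the range.
    while [ "$prefix" -gt 0 ]; do
      size=$(( 1 << (33 - prefix) ))
      if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
        break
      fi
      prefix=$(( prefix - 1 ))
    done
    out="$out $(int2ip "$start")/$prefix"
    start=$(( start + (1 << (32 - prefix)) ))
  done
  echo "${out# }"
}

# Emit the order-independent form from the accepted answer for every block:
# drop all UDP, drop all TCP except port 25 (assumed LAN eth1, WAN eth0).
emit_drop_rules() {
  for cidr in $(range_to_cidrs "$1" "$2"); do
    echo "iptables -I FORWARD -i eth1 -o eth0 -s $cidr -p udp -j DROP"
    echo "iptables -I FORWARD -i eth1 -o eth0 -s $cidr -p tcp ! --dport 25 -j DROP"
  done
}

if [ "$#" -eq 2 ]; then
  emit_drop_rules "$1" "$2"
fi
```

The udp/tcp pair leaves other IP protocols (ICMP, for instance) unfiltered, so the block-all-then-allow-25 ordering from the answer is the stricter option.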