
My network's DHCP address range goes from 192.168.0.100 to 192.168.0.199 and its subnet mask is 255.255.255.0.

I want to use iptables to DROP any INPUT (and OUTPUT too, if possible, as I don't want any type of connection with other devices in my network) from this IP range, thus blocking all the incoming connections coming from (and outgoing to) my local network.

I think I know how to do this, but I still have some pending stuff to learn...

Like, I've seen people saying to set the rule iptables -A INPUT -s 192.168.0.100/24 -j DROP, but I don't know if it's right for my network, since I don't know what this "/24" stands for in this rule, and I've seen people using "/16" or "/32" in other cases, so I feel a little confused about it all.

In some answers and threads, I have also seen people saying about the rule: iptables -A INPUT -m iprange --src-range 192.168.0.100-192.168.0.199 -j DROP, but these threads are old and I don't know if it is the best option for blocking what I am asking about.

So, since I feel confused, I am asking here for some more advanced networking/iptables/Linux mind who can explain this to me better and tell me what rule I should use to do this.

EDIT #1:

I currently already iptables -P DROP the INPUT, OUTPUT and FORWARD chains, and have the two following rules:

iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT

iptables -I OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

regarding this last one, should I change "-m state --state" to "-m conntrack --ctstate" or are both the same thing?

  • You should use -m conntrack because -m state is deprecated. They are functionally equivalent. Commented Feb 15, 2019 at 15:58
  • so, isn't -m iprange --src-range 192.168.0.100-192.168.0.199 deprecated too in relation to, for example, -s 192.168.0.100/24? Commented Feb 15, 2019 at 18:22
  • 192.168.0.100/24 (it should be 192.168.0.0/24) is not the same as the range 100-199, because 192.168.0.0/24 contains addresses 0-255 (minus the reserved broadcast and network addresses (but not true for point-to-point - not your case)). And according to the man page, iprange is not deprecated. Commented Feb 15, 2019 at 18:44
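The question and the comments above turn on what a "/24" suffix means and whether 192.168.0.100/24 is the same thing as the range 192.168.0.100-192.168.0.199. The following is an added example, not code from the question or the answer, that uses Python's standard ipaddress module to show what /24, /16 and /32 expand to, to count how many addresses 192.168.0.100/24 matches beyond the 100-199 range, and to compute the CIDR blocks that an -s based rule set would need to cover exactly that range. The function names and the generated rule strings are this example's own.

```python
import ipaddress


def describe_prefix(cidr: str) -> dict:
    """Explain a /N suffix: N is the prefix length, the number of leading bits
    that identify the network; the remaining 32-N bits identify hosts in it.
    strict=False mirrors iptables, which masks off the host bits of an address
    such as 192.168.0.100/24 and treats it as 192.168.0.0/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net),             # what the rule really matches
        "netmask": str(net.netmask),     # dotted-quad form of /N
        "addresses": net.num_addresses,  # 2 ** (32 - N)
        "first": str(net[0]),
        "last": str(net[-1]),
    }


def compare_cidr_to_range(cidr: str, first: str, last: str) -> dict:
    """Count how far a CIDR block differs from an inclusive address range:
    'extra' is addresses the CIDR matches but the range does not,
    'missing' is addresses the range contains but the CIDR does not."""
    net = ipaddress.ip_network(cidr, strict=False)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    wanted = {ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)}
    covered = set(net)  # iterating a network yields every address in it
    return {"exact": covered == wanted,
            "extra": len(covered - wanted),
            "missing": len(wanted - covered)}


def range_as_cidrs(first: str, last: str) -> list:
    """The fewest CIDR blocks that cover exactly first..last. A range whose
    ends are not aligned to power-of-two boundaries needs several blocks,
    which is the case -m iprange handles with a single rule."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def drop_rules(first: str, last: str, chain: str = "INPUT") -> dict:
    """Two equivalent rule sets for dropping traffic from first..last:
    one -m iprange rule, or one -s rule per CIDR block."""
    return {
        "iprange": [f"iptables -A {chain} -m iprange --src-range {first}-{last} -j DROP"],
        "cidr": [f"iptables -A {chain} -s {c} -j DROP" for c in range_as_cidrs(first, last)],
    }


if __name__ == "__main__":
    for cidr in ("192.168.0.100/24", "192.168.0.100/16", "192.168.0.100/32"):
        print(cidr, "->", describe_prefix(cidr))
    print(compare_cidr_to_range("192.168.0.100/24", "192.168.0.100", "192.168.0.199"))
    for rule in drop_rules("192.168.0.100", "192.168.0.199")["cidr"]:
        print(rule)
```

Running it shows that 192.168.0.100/24 is silently widened to 192.168.0.0/24 (256 addresses, 156 of them outside the DHCP range), that /32 is a single host, and that covering exactly .100-.199 with -s rules takes five separate CIDR blocks, which is why the single -m iprange rule is the simpler choice for a range like this.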

1 Answer


since I don't know what this "/24" stands for in this rule, and I've seen people using "/16" or "/32" in other cases, so I feel a little confused about it all.

It is the size of the network in slash notation: /24 = 255.255.255.0 in "netmask" notation. (It specifies how large a subnet can be; machines in the subnet will have the same IP address prefix.)

What you want to achieve (if I understood correctly) is to block incoming traffic from other devices that gain their IP address from the DHCP server.

iptables -A INPUT -m iprange --src-range 192.168.0.100-192.168.0.199 -j DROP

-A means append, so make sure you are not allowing the connection that should be dropped before this rule (or specify -I INPUT <number_of_desired_position> for "insert").

-m stands for "match" - which module you wish to use (because you wish to use an IP range, a special module is loaded and it "matches" the addresses for you - in the same manner you can create a stateful firewall).

Now you permit any other connection (if you have a permissive policy you can skip this):

iptables -A INPUT -j ACCEPT

Now outgoing traffic: because you are dropping the incoming connections, you will not be able to establish a connection to any other machine in the range, but your packets will still be able to try to connect (your machine could try to start a connection but would never be able to establish it because of no answer from the remote machine - that is true for TCP at least).

So you should be fine leaving it accepted.

But if you wish to have the ability to connect to other machines in the subnet (e.g. connect to an HTTP server in the specified range) you can do that by adding:

iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT

The --state ESTABLISHED is there for enabling stateful connections (those which you tried to initiate).

  • so, with all the chains -P DROP'd, which rule should I add first to their rulesets for things to work properly? should I -I INPUT -m state --state ESTABLISHED -j ACCEPT and -A INPUT -m iprange --src-range 192.168.0.100-192.168.0.199 -j DROP, or -A INPUT -m state --state ESTABLISHED -j ACCEPT and -I INPUT -m iprange --src-range 192.168.0.100-192.168.0.199 -j DROP? Commented Feb 15, 2019 at 18:29
  • If you have flushed your iptables (containing no rules) you can go with -A INPUT -m conntrack --state ESTABLISHED -j ACCEPT; -A INPUT -m iprange ... or the first one of the two you mentioned (append is always append at the end - in the current state - in the same manner insert without a number is insert at the beginning). Commented Feb 15, 2019 at 18:39
  • so I should append (-A) both of the rules? even when I want one of them upper in the ruleset? Commented Feb 15, 2019 at 18:40
  • Ok - look, you have no rule in the list. [''] <- this is your list, you append one at the end, let's say it is rule 'A'. ['A'] <- this is your list now. Now again we will append a rule, but now it will be rule B. ['A','B'] <- is your list now (note the first rule is on the left). You append to the end, but that does not mean it will stand at the end forever. Commented Feb 15, 2019 at 18:48
  • So adding with -A works like an 'arrival order', where the ones that were added first stay at the top of the 'list'? and -I is like a 'cheat' to jump the line and stay in the first or another wanted position? Commented Feb 15, 2019 at 18:51
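The answer and the comment thread above are about two things: what -m iprange and -s actually match, and how -A (append) and -I (insert) decide the order in which iptables walks a chain, where the first matching rule wins and the chain policy applies when nothing matches. This added example, not code from the question, the answer or the iptables project, models exactly that with a small in-memory simulator that parses the subset of iptables syntax used on this page and then evaluates constructed sample packets against the two orderings the commenter asked about. The Firewall and Rule classes, the verdicts_for helper and the sample packets are this example's own; the parser accepts --state and --ctstate interchangeably for simplicity, which real iptables does not.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass
class Rule:
    """One iptables rule, reduced to the matches used on this page."""
    target: str
    src_net: Optional[ipaddress.IPv4Network] = None       # -s CIDR (host bits masked off)
    src_range: Optional[Tuple[ipaddress.IPv4Address,
                              ipaddress.IPv4Address]] = None  # -m iprange --src-range lo-hi
    states: FrozenSet[str] = frozenset()                  # --ctstate / --state (empty: any)

    def matches(self, pkt: dict) -> bool:
        src = ipaddress.ip_address(pkt["src"])
        if self.src_net is not None and src not in self.src_net:
            return False
        if self.src_range is not None and not (self.src_range[0] <= src <= self.src_range[1]):
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        return True


def parse_command(cmd: str):
    """Parse one iptables command line into (operation, chain, position, Rule).
    Unknown tokens raise, so a typo is never silently turned into a rule."""
    toks = shlex.split(cmd)
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    op = chain = pos = None
    rule = Rule(target="")
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            op, chain, i = "append", toks[i + 1], i + 2
        elif t == "-I":
            op, chain, i = "insert", toks[i + 1], i + 2
            if i < len(toks) and toks[i].isdigit():      # optional 1-based rulenum
                pos, i = int(toks[i]), i + 1
        elif t == "-s":
            rule.src_net, i = ipaddress.ip_network(toks[i + 1], strict=False), i + 2
        elif t == "-m":
            i += 2                                        # module name; its options follow
        elif t == "--src-range":
            lo, hi = toks[i + 1].split("-")
            rule.src_range, i = (ipaddress.ip_address(lo), ipaddress.ip_address(hi)), i + 2
        elif t in ("--state", "--ctstate"):
            rule.states, i = frozenset(toks[i + 1].split(",")), i + 2
        elif t == "-j":
            rule.target, i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token {t!r}")
    if op is None or not rule.target:
        raise ValueError("a rule needs -A/-I and -j")
    return op, chain, pos, rule


class Firewall:
    """Per-chain rule lists with first-match semantics and a default policy."""

    def __init__(self, policy: str = "DROP"):
        self.policy = policy
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}

    def run(self, cmd: str) -> None:
        op, chain, pos, rule = parse_command(cmd)
        rules = self.chains[chain]
        if op == "append":
            rules.append(rule)                  # -A: after whatever is there right now
        else:
            rules.insert((pos or 1) - 1, rule)  # -I: at the front, or at rulenum

    def verdict(self, chain: str, pkt: dict) -> str:
        for rule in self.chains[chain]:
            if rule.matches(pkt):
                return rule.target              # the first matching rule decides
        return self.policy                      # nothing matched: chain policy


def verdicts_for(commands, packets, policy: str = "DROP"):
    """Load a command sequence into a fresh firewall, return the INPUT verdicts."""
    fw = Firewall(policy)
    for cmd in commands:
        fw.run(cmd)
    return [fw.verdict("INPUT", p) for p in packets]


# Constructed sample packets: a LAN host opening a connection to us, a LAN
# host's reply to a connection we opened, and an unrelated external host.
PACKETS = [
    {"src": "192.168.0.150", "state": "NEW"},
    {"src": "192.168.0.150", "state": "ESTABLISHED"},
    {"src": "203.0.113.9", "state": "NEW"},
]
ESTABLISHED = "iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
LAN_DROP = "iptables -A INPUT -m iprange --src-range 192.168.0.100-192.168.0.199 -j DROP"

if __name__ == "__main__":
    print("accept appended, then drop appended:", verdicts_for([ESTABLISHED, LAN_DROP], PACKETS))
    print("drop appended, then accept inserted:", verdicts_for([LAN_DROP, ESTABLISHED.replace("-A", "-I")], PACKETS))
    print("drop appended, then accept appended:", verdicts_for([LAN_DROP, ESTABLISHED], PACKETS))
```

The first two orderings produce the same chain (ACCEPT ESTABLISHED, then DROP the range), so a LAN host cannot open a connection to you but replies to connections you started still get through. The third ordering puts the DROP first, and the ESTABLISHED rule is never reached for LAN sources, which is the case where connecting to an HTTP server in the range stops working even though the ACCEPT rule is present.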
