My network's DHCP address range goes from 192.168.0.100 to 192.168.0.199 and its subnet mask is 255.255.255.0.
I want to use iptables to DROP any INPUT (and OUTPUT too, if possible, as I don't want any type of connection with other devices in my network) from this IP range, thus blocking all the incoming connections coming from (and outgoing to) my local network.
I think I know how to do this, but I still have some pending stuff to learn... like, I've seen people saying to set the rule iptables -A INPUT -s 192.168.0.100/24 -j DROP, but I don't know if it's right for my network, since I don't know what this "/24" stands for in this rule, and I've seen people using "/16" or "/32" in other cases, so I feel a little confused about it all.
In some answers and threads, I have also seen people mentioning the rule iptables -A INPUT -m iprange --src-range 192.168.0.100-192.168.0.199 -j DROP, but these threads are old and I don't know if it is the best option for blocking what I am asking about.
So, since I feel confused, I am asking here for some more advanced networking/iptables/Linux mind who can explain this to me better and tell me what rule I should use to do this.
EDIT #1:
I currently already have iptables -P DROP on the INPUT, OUTPUT and FORWARD chains, and have the two following rules:
iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
Regarding this last one, should I change "-m state --state" to "-m conntrack --ctstate", or are both the same thing?
-m conntrack, because -m state is deprecated. They are functionally equivalent.
-m iprange --src-range 192.168.0.100-192.168.0.199 deprecated too in relation to, for example, -s 192.168.0.100/24?
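An added worked example, not from the question or its comments, showing with Python's standard ipaddress module what the prefix length in "-s 192.168.0.100/24" actually covers, and how the 100-199 pool from the question relates to CIDR notation (it needs several -s rules, or one --src-range rule). The addresses are the ones from the question; the helper names are my own.

```python
import ipaddress


def cidr_hosts(cidr: str) -> tuple[str, str, int]:
    """Return (first address, last address, count) of the block a CIDR denotes.

    strict=False accepts a host address such as 192.168.0.100/24; iptables
    likewise masks it, so it means the same as 192.168.0.0/24.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def matches(addr: str, cidr: str) -> bool:
    """Would a packet from 'addr' hit a rule written with -s 'cidr'?"""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Smallest set of CIDR blocks that covers exactly first..last.

    This is what you would need as separate -s rules to replace a single
    -m iprange --src-range first-last rule without over-blocking.
    """
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]


def drop_rules(chain: str, flag: str, first: str, last: str) -> list[str]:
    """Build one DROP rule per CIDR block; flag is -s for INPUT, -d for OUTPUT."""
    return [f"iptables -A {chain} {flag} {c} -j DROP"
            for c in range_to_cidrs(first, last)]


if __name__ == "__main__":
    # /24 keeps the first 24 bits fixed: the whole 192.168.0.0-192.168.0.255 LAN.
    for p in ("/32", "/24", "/16"):
        print(p, cidr_hosts("192.168.0.100" + p))
    # The /24 rule also drops 192.168.0.50, which is outside the DHCP pool.
    print("0.50 in /24:", matches("192.168.0.50", "192.168.0.100/24"))
    # The DHCP pool itself is not a single CIDR block; it takes five.
    for rule in drop_rules("INPUT", "-s", "192.168.0.100", "192.168.0.199"):
        print(rule)
```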