Block specific ip using iptables

Keith Hong · Feb 20, 2017

Calling all master network...

I tried to use my AsusWRT-Merlin Router iptable features to block specific static ip range from accessing destination ip other than specified. Others, free for all.

My gateway is 192.168.1.1

I tried to set my static ip lan range from 192.168.1.2 - 192.168.1.20 go through firewall.

but 192.168.1.21 - 192.168.1.155 free from firewall.

firewall ip range only allow to access google.com (172.217.24.238).

any idea how to setup my iptables?

ColinTaylor · Feb 21, 2017

Try using Firewall > Network Services Filter

Keith Hong · Feb 21, 2017

ColinTaylor said:
Try using Firewall > Network Services Filter

That doesn't work as I wish.

I wonder if this works..

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -A INPUT -s 192.168.1.0/20 -d 172.217.24.238 -j ACCEPT #access to google
iptables -A INPUT -s 192.168.1.0/20 -d 216.58.196.69 -j ACCEPT # access to gmail
iptables -A INPUT -s 192.168.1.0/20 -d 202.76.1.12 -j ACCEPT # access to server
iptables -A INPUT -s 192.168.1.21/155 -j ACCEPT # no limit to firewall

Martineau · Feb 21, 2017

Keith Hong said:
That doesn't work as I wish.

I wonder if this works..

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -A INPUT -s 192.168.1.0/20 -d 172.217.24.238 -j ACCEPT #access to google
iptables -A INPUT -s 192.168.1.0/20 -d 216.58.196.69 -j ACCEPT # access to gmail
iptables -A INPUT -s 192.168.1.0/20 -d 202.76.1.12 -j ACCEPT # access to server
iptables -A INPUT -s 192.168.1.21/155 -j ACCEPT # no limit to firewall

No

You should learn how to specify subnet ranges using CIDR notation,

i.e.

Code:

iptables -A INPUT -s 192.168.1.21/155 -j ACCEPT # no limit to firewall

.21/155 does NOT mean addresses .21 through .155 inclusive

Also on the Router the FORWARD chain is used for LAN clients

You can create IPSETs to reduce the number of firewall rules from 23 to 4

Code:

# CIDR, 192.168.1.2-192.168.1.20

   ipset create Group1 hash:net
 
   ipset add Group1 192.168.1.2/31
   ipset add Group1 192.168.1.4/30
   ipset add Group1 192.168.1.8/29
   ipset add Group1 192.168.1.16/30
   ipset add Group1 192.168.1.20
 

# CIDR, 192.168.1.21-192.168.1.155:

   ipset create Group2 hash:net
 
   ipset add Group2 192.168.1.21
   ipset add Group2 192.168.1.22/31
   ipset add Group2 192.168.1.24/29
   ipset add Group2 192.168.1.32/27
   ipset add Group2 192.168.1.64/26
   ipset add Group2 192.168.1.128/28
   ipset add Group2 192.168.1.144/29
   ipset add Group2 192.168.1.152/30

# Now add the Firewall rules using the IPSETs

   iptables -I FORWARD -m set --match-set Group1 src -d 172.217.24.238,216.58.196.69,202.76.1.12 -j ACCEPT
   iptables -I FORWARD -m set --match-set Group2 src                                             -j ACCEPT

or create the 23 individual rules in CIDR format vs the >190??? individual rules

Code:

   iptables -I FORWARD -s 192.168.1.2/31   -d 172.217.24.238 -j ACCEPT
   iptables -I FORWARD -s 192.168.1.4/30   -d 172.217.24.238 -j ACCEPT
   iptables -I FORWARD -s 192.168.1.8/29   -d 172.217.24.238 -j ACCEPT
   iptables -I FORWARD -s 192.168.1.16/30  -d 172.217.24.238 -j ACCEPT
   iptables -I FORWARD -s 192.168.1.20     -d 172.217.24.238 -j ACCEPT
 
   iptables -I FORWARD -s 192.168.1.2/31   -d 216.58.196.69  -j ACCEPT
   iptables -I FORWARD -s 192.168.1.4/30   -d 216.58.196.69  -j ACCEPT
   iptables -I FORWARD -s 192.168.1.8/29   -d 216.58.196.69  -j ACCEPT
   iptables -I FORWARD -s 192.168.1.16/30  -d 216.58.196.69  -j ACCEPT
   iptables -I FORWARD -s 192.168.1.20     -d 216.58.196.69  -j ACCEPT
 
   iptables -I FORWARD -s 192.168.1.2/31   -d 202.76.1.12    -j ACCEPT
   iptables -I FORWARD -s 192.168.1.4/30   -d 202.76.1.12    -j ACCEPT
   iptables -I FORWARD -s 192.168.1.8/29   -d 202.76.1.12    -j ACCEPT
   iptables -I FORWARD -s 192.168.1.16/30  -d 202.76.1.12    -j ACCEPT
   iptables -I FORWARD -s 192.168.1.20     -d 202.76.1.12    -j ACCEPT
 
   iptables -I FORWARD -s 192.168.1.21                       -j ACCEPT
   iptables -I FORWARD -s 192.168.1.22/31                    -j ACCEPT
   iptables -I FORWARD -s 192.168.1.24/29                    -j ACCEPT
   iptables -I FORWARD -s 192.168.1.32/27                    -j ACCEPT
   iptables -I FORWARD -s 192.168.1.64/26                    -j ACCEPT
   iptables -I FORWARD -s 192.168.1.128/28                   -j ACCEPT
   iptables -I FORWARD -s 192.168.1.144/29                   -j ACCEPT
   iptables -I FORWARD -s 192.168.1.152/30                   -j ACCEPT

NOTE: Google and GMail have multiple IP addresses/subnets!

Fitz Mutch · Aug 21, 2017

Martineau said:
You should learn how to specify subnet ranges using CIDR notation

This tool converts IPv4 range to CIDR. Now you don't need an Internet connection to convert an IP range to CIDR. I was cleaning the cutting room floor. Example:

Example

Code:

# range2cidr.sh 0.0.0.1 255.255.255.255
0.0.0.1/32
0.0.0.2/31
0.0.0.4/30
0.0.0.8/29
0.0.0.16/28
0.0.0.32/27
0.0.0.64/26
0.0.0.128/25
0.0.1.0/24
0.0.2.0/23
0.0.4.0/22
0.0.8.0/21
0.0.16.0/20
0.0.32.0/19
0.0.64.0/18
0.0.128.0/17
0.1.0.0/16
0.2.0.0/15
0.4.0.0/14
0.8.0.0/13
0.16.0.0/12
0.32.0.0/11
0.64.0.0/10
0.128.0.0/9
1.0.0.0/8
2.0.0.0/7
4.0.0.0/6
8.0.0.0/5
16.0.0.0/4
32.0.0.0/3
64.0.0.0/2
128.0.0.0/1

/jffs/scripts/range2cidr.sh

Code:

#!/bin/sh
#######################################################################
#
#  This tool converts IPv4 range to CIDR.
#
#  Usage:
#    range2cidr.sh {from-ip} {to-ip}
#
#  Ported from C source code published here:
#    IP Range To Cidr Convertor C Code
#    https://dzone.com/articles/ip-range-cidr-convertor-c-code
#
#######################################################################

# converts a 32-bit number to a binary string of 1's and 0's
num2bin() {
  awk '
  BEGIN {
    n = ARGV[1];
    bits = 32;
    bin = "";
    while (bits-- > 0) {
      bin = (n % 2 == 1 ? "1" : "0") bin;
      n = int(n / 2);
    }
    print bin;
  }
  ' $@
}

# converts a 32-bit number to an IPv4 address string
num2ip() {
  awk '
  BEGIN {
    n = ARGV[1];
    ip = "";
    for (i = 1; i <= 4; i++) {
      m = n % 256;
      n = int(n / 256);
      ip = (ip == "") ? m : m "." ip;
    }
    print ip;
  }
  ' $@
}

# converts an IPv4 address string to a 32-bit number
ip2num() {
  awk '
  BEGIN {
    ip = ARGV[1];
    num = 0;
    len = split(ip, array, ".");
    for (i = 1; i <= len; i++) {
      num *= 256;
      num += array[i];
    }
    print num;
  }
  ' $@
}

# makes all bits on the right side zero
makeRightSideZero() {
  awk '
  BEGIN {
    n = ARGV[1];
    b = ARGV[2];
    shift = 2 ** (b + 1);
    print int(n / shift) * shift;
  }
  ' $@
}

# makes a new IP address for range To
makeRangeTo() {
  awk 'BEGIN {print or(ARGV[1], 2 ** ARGV[2] - 1)}' $@
}

# makes a new IP address for range From
makeRangeFrom() {
  awk 'BEGIN {print or(ARGV[1], 2 ** ARGV[2])}' $@
}

MAX_CIDR_MASK=32
range2cidr() {
  local from=$1
  local to=$2
  local fromIp="$(num2bin $from)"
  local toIp="$(num2bin $to)"
  local newfrom=0
  local cidrStart=0
  let local cidrEnd=MAX_CIDR_MASK-1

  if [ $from -lt $to ]; then

    # Compare the from and to address ranges to get the first
    # point of difference
    while [ "${fromIp:$cidrStart:1}" == "${toIp:$cidrStart:1}" ]; do
      let local cidrStart++
    done
    let local cidrStart=32-cidrStart-1

    # Starting from the found point of difference make all bits on the
    # right side zero
    local newfrom=$(makeRightSideZero $from $cidrStart)

    # Starting from the end iterate reverse direction to find
    # cidrEnd
    while [ "${fromIp:$cidrEnd:1}" == "0" ] && [ "${toIp:$cidrEnd:1}" == "1" ]; do
      let local cidrEnd--
    done
    let local cidrEnd=MAX_CIDR_MASK-1-cidrEnd

    if [ $cidrEnd -le $cidrStart ]; then

      # Make all the bit-shifted bits equal to 1, for iteration #1
      range2cidr $from $(makeRangeTo $newfrom $cidrStart)
      range2cidr $(makeRangeFrom $newfrom $cidrStart) $to

    else
      echo "$(num2ip $newfrom)/$((MAX_CIDR_MASK - cidrEnd))"
    fi

  else
    echo "$(num2ip $from)/$MAX_CIDR_MASK"
  fi
}

if [ $# -ne 2 ]; then
  echo
  echo "Convert IPv4 range to CIDR"
  echo
  echo "Usage: range2cidr.sh {from-ip} {to-ip}"
  echo
else
  addrFrom=$(ip2num "$1")
  addrTo=$(ip2num "$2")
  range2cidr $addrFrom $addrTo
fi

Thread starter	Title	Forum	Replies	Date
T	Block YouTube from specific devices only	Asuswrt-Merlin	2	Dec 29, 2023
	How to block access to specific IP addresses for OpenVPN clients?	Asuswrt-Merlin	0	Jul 2, 2023
S	Asus merlin: How to block communication between two device on the network?	Asuswrt-Merlin	14	Jan 19, 2024
M	Block Internet Access not working immediately	Asuswrt-Merlin	6	May 22, 2023
E	Is there a way to switch a led to a specific colour by calling into a c program ?	Asuswrt-Merlin	10	Apr 7, 2024
P	Is there a way to suppress a specific message from syslog?	Asuswrt-Merlin	0	Mar 15, 2024
	Solved ASUS RT-AC68U router can't reach specific website - known issue?	Asuswrt-Merlin	6	Jan 13, 2024
D	How to restrict VPN network access to certain IP Range or Hosts for specific VPN client	Asuswrt-Merlin	8	Dec 29, 2023
M	Firewall rule to allow only a specific domain name	Asuswrt-Merlin	13	Nov 2, 2023
I	Unable to connect to VPN with specific ISP (and more weird symptoms)	Asuswrt-Merlin	5	Sep 12, 2023

Search

Search

Block specific ip using iptables

Keith Hong

New Around Here

ColinTaylor

Part of the Furniture

Keith Hong

New Around Here

Martineau

Part of the Furniture

Fitz Mutch

Senior Member

Similar threads

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Members online