
I have configured an Ubuntu machine as a router. The steps of the NAT configuration are given below:

        #iptables -F
        #iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        #iptables-save > /etc/network/iptables

Then I kept this file location in rc.local:

#vi /etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.  
#  
/sbin/iptables-restore < /etc/network/iptables 
# In order to enable or disable this script just change the execution  
# bits.  
#  
# By default this script does nothing.
exit 0

#reboot

It works. Now I want to block an IP address. To do this, I have executed the following commands:

#iptables -A INPUT -s 69.171.229.11 -j DROP
#iptables-save > /etc/network/iptables
#reboot

But it does not work.

/etc/network/iptables now looks like this:

# Generated by iptables-save v1.4.4 on Tue Feb 14 11:21:16 2012
*nat
:PREROUTING ACCEPT [870:97719]
:POSTROUTING ACCEPT [283:23151]
:OUTPUT ACCEPT [461:28753]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Feb 14 11:21:16 2012
# Generated by iptables-save v1.4.4 on Tue Feb 14 11:21:16 2012
*filter
:INPUT ACCEPT [4914:3254723]
:FORWARD ACCEPT [2382:1222521]
:OUTPUT ACCEPT [4010:410041]
-A INPUT -s 98.137.149.56/32 -j DROP
COMMIT
# Completed on Tue Feb 14 11:21:16 2012

What am I missing to block an IP address?

Jenny D
Jerry
    After you execute this what is the output of `iptables -L -v -n`? – Mark Wagner Feb 14 '12 at 08:44
    Are you trying to block the IP from connecting *to* the machine? Or from routing *through* the machine? The `INPUT` chain is only for packets that are delivered locally. (Check `ip route show table local` to see what is local.) – David Schwartz Feb 14 '12 at 08:49

3 Answers

5

If you want to block an IP from using the MASQUERADE rule you need to put that rule in the FORWARD chain, not the INPUT chain.

iptables -I FORWARD -s 69.171.229.11 -j DROP
phemmer
0

I think the sequence is not correct.

What you are doing with append is putting it on the bottom of the chain. iptables stops after the first match. So it can be that the rule is matched just before it hits the block rule. Make sure the blocking rule is on top. You can use the -I option to insert it at a specific spot in your chain.

Lucas Kauffman
  • While it is true that the order of rules in iptables matters, by the looks of it he only has one rule in them. The rest are just the policies, which always are shown first with iptables -S and always are evaluated last. – G. Bach Feb 15 '12 at 10:25
0

iptables-save does not make your iptables rules persistent, so they will be lost after reboot. Instead, what it does is it prints your current iptables configuration to STDOUT (see manpages for iptables-save). So after your reboot, your iptables should be empty.

You probably want to restore your rules from that file after a reboot. To do so, use

iptables-restore < /etc/network/iptables

See manpages for iptables-restore on this.


As mentioned by Patrick, the rule

iptables -A INPUT -s 69.171.229.11 -j DROP

will only prevent packets from being sent to the router itself - they will still be forwarded through if they are addressed correctly. To prevent that, add the rule

iptables -A FORWARD -s 69.171.229.11 -j DROP

FORWARD is applied to packets the router wants to forward, while INPUT is applied to packets that are addressed to the router itself.

G. Bach
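The INPUT-versus-FORWARD distinction made in the answers above, as an added example that is not part of any post on this page: a small POSIX sh script that walks a saved ruleset the way the kernel would and reports whether a packet from a given source is dropped. It models only `-s` matches with first-match semantics, and the two rulesets, the router's own addresses (`ROUTER_LOCAL_IPS`, standing in for what `ip route show table local` would list) and the LAN client address are all constructed here; function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Decides which filter chain a packet
# traverses on a router (INPUT if addressed to the router itself, FORWARD otherwise)
# and checks a saved ruleset for a matching DROP. Only -s matches are modelled.

# Constructed: the ruleset from the question, with the DROP only in INPUT.
BROKEN_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 69.171.229.11/32 -j DROP
COMMIT'

# Constructed: the same ruleset after "iptables -I FORWARD -s 69.171.229.11 -j DROP".
FIXED_DUMP="$(printf '%s\n' "$BROKEN_DUMP" | sed 's|^-A INPUT -s 69.171.229.11/32 -j DROP$|&\
-A FORWARD -s 69.171.229.11/32 -j DROP|')"

# Constructed: addresses owned by the router itself (hypothetical values).
ROUTER_LOCAL_IPS="192.0.2.1 198.51.100.1"

# filter_chain DST -> INPUT when DST is one of the router's own addresses, else FORWARD
filter_chain() {
    for a in $ROUTER_LOCAL_IPS; do
        [ "$a" = "$1" ] && { echo INPUT; return 0; }
    done
    echo FORWARD
}

# is_dropped DUMP SRC DST -> exit 0 when the first rule matching SRC in the chain
# the packet traverses has target DROP; exit 1 otherwise (no match falls to policy ACCEPT)
is_dropped() {
    chain=$(filter_chain "$3")
    printf '%s\n' "$1" | awk -v ip="$2" -v chain="$chain" '
        /^\*/ { table = substr($0, 2); next }            # track the current table
        table == "filter" && $1 == "-A" && $2 == chain { # rules of the chain we traverse
            for (i = 1; i <= NF; i++)
                if ($i == "-s" && ($(i+1) == ip || $(i+1) == ip "/32")) {
                    print $NF                            # target of the first match
                    exit
                }
        }' | grep -qx DROP
}

# verdict DUMP SRC DST -> prints a one-line summary for a human reader
verdict() {
    if is_dropped "$1" "$2" "$3"; then v=DROP; else v=ACCEPT; fi
    printf '%s -> %s via %s: %s\n' "$2" "$3" "$(filter_chain "$3")" "$v"
}

verdict "$BROKEN_DUMP" 69.171.229.11 192.0.2.1      # to the router: DROP
verdict "$BROKEN_DUMP" 69.171.229.11 192.168.1.20   # to a NAT client: ACCEPT (the bug)
verdict "$FIXED_DUMP"  69.171.229.11 192.168.1.20   # with the FORWARD rule: DROP
```

Run it as `sh audit.sh`; the second line of output is the situation the question describes, where the INPUT rule protects the router but traffic to the masqueraded clients is still forwarded, and the third shows the effect of the FORWARD rule from the accepted answer.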