Iptables deny access to a specific IP address not working

2

I can't deny access to a specific IP address, or deny access to a specific range of IP addresses either. My network environment is: I have a router whose IP is (30.30.10.1), and second, my hotspot is flashed with DD-WRT with IP (192.168.15.1). I needed to deny access from my hotspot to my main router, which is 30.30.10.1, or the whole IP range. The commands I saved in my firewall rules are listed below.

iptables -I FORWARD -d 30.30.10.1 -j DROP
iptables -I FORWARD -s 30.30.10.0/24 -j DROP

After I put the iptables rules into my firewall, I was still able to log in to the web GUI at 30.30.10.1. What is wrong with the rules?

This is the iptables -L output.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1751  129K ACCEPT     0    --  tun1   any     anywhere             anywhere            
    0     0 ACCEPT     0    --  tun0   any     anywhere             anywhere            
    1    84 ACCEPT     0    --  tun1   any     anywhere             anywhere            
 4085  444K ACCEPT     0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 DROP       udp  --  vlan2  any     anywhere             anywhere            udp dpt:route 
    0     0 DROP       udp  --  br0    any     anywhere             anywhere            udp dpt:route 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:route 
    0     0 DROP       icmp --  vlan2  any     anywhere             anywhere            
    0     0 DROP       igmp --  any    any     anywhere             anywhere            
    0     0 ACCEPT     0    --  lo     any     anywhere             anywhere            state NEW 
    0     0 ACCEPT     0    --  br0    any     anywhere             anywhere            state NEW 
  344 49804 DROP       0    --  any    any     anywhere             anywhere            
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  any    tun1    anywhere             anywhere            
    0     0 ACCEPT     0    --  tun1   any     anywhere             anywhere            
    0     0 ACCEPT     0    --  any    tun0    anywhere             anywhere            
    0     0 ACCEPT     0    --  tun0   any     anywhere             anywhere            
    0     0 ACCEPT     0    --  any    tun1    anywhere             anywhere            
    0     0 ACCEPT     0    --  tun1   any     anywhere             anywhere            
    0     0 DROP       0    --  any    any     192.168.182.0/24     30.30.15.0/24       
    0     0 DROP       0    --  any    any     192.168.182.0/24     30.30.15.0/24       
    0     0 ACCEPT     gre  --  any    vlan2   192.168.20.0/24      anywhere            
    0     0 ACCEPT     tcp  --  any    vlan2   192.168.20.0/24      anywhere            tcp dpt:1723 
    0     0 lan2wan    0    --  any    any     anywhere             anywhere            
    0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
    0     0 ACCEPT     0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     0    --  br0    br0     anywhere             anywhere            
    0     0 TRIGGER    0    --  vlan2  br0     anywhere             anywhere            TRIGGER type:in match:0 relate:0 
    0     0 trigger_out  0    --  br0    any     anywhere             anywhere            
    0     0 ACCEPT     0    --  br0    any     anywhere             anywhere            state NEW 
    0     0 DROP       0    --  any    any     anywhere             anywhere            
Chain OUTPUT (policy ACCEPT 7319 packets, 3919K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 grp_1      0    --  any    any     anywhere             anywhere            
Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  any    any     anywhere             anywhere            
Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  any    any     anywhere             anywhere            
Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset 
Chain trigger_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         

This is the route -n output.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         30.30.15.1       0.0.0.0        UG    0      0        0 vlan2
30.30.15.0      0.0.0.0         255.255.255.0   U     0      0        0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
172.16.1.1      172.16.1.46     255.255.255.255 UGH   0      0        0 tun1
172.16.1.46     0.0.0.0         255.255.255.255 UH    0      0        0 tun1
172.16.254.0    172.16.1.46     255.255.255.0   UG    0      0        0 tun1
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.87.0    172.16.1.46     255.255.255.0   UG    0      0        0 tun1
192.168.182.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
    
by Jien Wai 15.04.2014 / 14:05

1 answer

1

I know this question is a few months old and you may already have found the solution, but I wanted to give you an answer anyway. Keep in mind that FORWARD rules apply to traffic passing through the router, not to traffic to or from the router itself. To deny traffic to your router, you need to create an INPUT rule naming the source network to be dropped:

iptables -I INPUT -m iprange --src-range 192.168.15.1-192.168.15.254 -j DROP
    
by 07.08.2014 / 21:03
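The chain-selection point the answer makes, as an added example that is not part of the original question or answer: the model below simulates how netfilter picks a chain (a packet addressed to one of the box's own addresses goes through INPUT; a packet being routed goes through FORWARD) and evaluates rules first-match, with `-I` inserting at the top. It loads the question's two FORWARD rules, shows that a hotspot client reaching the router's own address 30.30.10.1 never touches FORWARD, and then adds the answer's INPUT `iprange` rule. It assumes, as the answer does, that the rules run on the box that owns 30.30.10.1; the interface names, the client address 192.168.15.20 and the sample traffic are constructed for illustration. Two practical checks go with it: first, the FORWARD chain pasted in the question contains no rule for 30.30.10.1 at all (only drops for 192.168.182.0/24 to 30.30.15.0/24), so confirm with `iptables -L FORWARD -v -n --line-numbers` that the saved commands were actually loaded and watch the packet counters; second, if the hotspot NATs its clients, the upstream box sees the hotspot's WAN address as the source, not 192.168.15.x, so the `--src-range` has to match what actually arrives.

```python
"""Simulation of netfilter chain selection and first-match rule evaluation.
Added example for this Q&A page; it models iptables semantics and does not
call iptables.  Interface names and client addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str


@dataclass
class Rule:
    """Subset of iptables matches: -s / -d (CIDR), -m iprange --src-range, -i."""
    target: str                              # ACCEPT or DROP
    src: Optional[str] = None                # -s 30.30.10.0/24
    dst: Optional[str] = None                # -d 30.30.10.1  (host => /32)
    src_range: Optional[Tuple[str, str]] = None  # --src-range a-b, inclusive
    in_if: Optional[str] = None              # -i br0

    def matches(self, pkt: Packet) -> bool:
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if self.src and s not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and d not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.src_range:
            lo, hi = (ipaddress.ip_address(a) for a in self.src_range)
            if not lo <= s <= hi:
                return False
        if self.in_if and pkt.in_if != self.in_if:
            return False
        return True


class Chain:
    """Rules are checked top to bottom; the first match decides, else the policy."""
    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules = []

    def insert(self, rule: Rule) -> None:   # iptables -I: prepend (rule 1)
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A: append to the end
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


class Router:
    """A box owning `local_addrs`.  Packets addressed to one of them traverse
    INPUT; packets that are only being routed through traverse FORWARD."""
    def __init__(self, local_addrs):
        self.local = {ipaddress.ip_address(a) for a in local_addrs}
        self.INPUT = Chain()
        self.FORWARD = Chain()

    def chain_for(self, pkt: Packet) -> str:
        return "INPUT" if ipaddress.ip_address(pkt.dst) in self.local else "FORWARD"

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        chain = self.chain_for(pkt)
        return chain, getattr(self, chain).verdict(pkt)


# Constructed sample traffic (addresses from the question; client and
# interface names are assumed).
SAMPLE: Dict[str, Packet] = {
    "hotspot client -> router web GUI": Packet("192.168.15.20", "30.30.10.1", "br0"),
    "hotspot client -> Internet": Packet("192.168.15.20", "8.8.8.8", "br0"),
    "30.30.10.0/24 host -> hotspot client": Packet("30.30.10.50", "192.168.15.20", "vlan2"),
}


def build_router() -> Router:
    """The box that owns 30.30.10.1, loaded with the question's two FORWARD rules."""
    r = Router(["30.30.10.1"])
    r.FORWARD.insert(Rule("DROP", dst="30.30.10.1"))      # iptables -I FORWARD -d 30.30.10.1 -j DROP
    r.FORWARD.insert(Rule("DROP", src="30.30.10.0/24"))   # iptables -I FORWARD -s 30.30.10.0/24 -j DROP
    return r


def classify(router: Router) -> Dict[str, Tuple[str, str]]:
    return {name: router.filter(pkt) for name, pkt in SAMPLE.items()}


def before_fix() -> Dict[str, Tuple[str, str]]:
    """Only the FORWARD rules: the web GUI packet goes through INPUT and is accepted."""
    return classify(build_router())


def after_fix() -> Dict[str, Tuple[str, str]]:
    """Plus the answer's rule:
    iptables -I INPUT -m iprange --src-range 192.168.15.1-192.168.15.254 -j DROP"""
    r = build_router()
    r.INPUT.insert(Rule("DROP", src_range=("192.168.15.1", "192.168.15.254")))
    return classify(r)


if __name__ == "__main__":
    for label, result in (("before", before_fix()), ("after", after_fix())):
        for name, (chain, verdict) in result.items():
            print(f"{label:6} {name:40} {chain:8} {verdict}")
```

Note what the third sample shows: `-I FORWARD -s 30.30.10.0/24 -j DROP` only affects traffic *from* that network that is routed through the box (replies or connections initiated from the 30.30.10.0/24 side), which is why it did nothing for the client's login to the GUI.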