Iptables block 1 ip, nat


I have a server with 2 interfaces. A small network connects to eth0 and gets out to the internet on eth1.
To allow 1 IP to NAT I use

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.23 -j SNAT --to-source=23.x.x.x

I would like to add a rule that allows a single IP to do NAT and blocks the others already existing in iptables (without deleting them)

iptables -t nat -A POSTROUTING -o OUT_IF \! -s ip_sursa -j SNAT --to-source=x3.xxx.1xx.1xx -j DROP

Would this work?

Or, to allow only 1 IP to pass from eth0 to eth1 and do NAT.

Best Answer

It is not recommended to use DROP in the NAT table. It is better to do this in the filter table if you want to deny access to these IP addresses.

Otherwise, you can use a different rule to NAT these IPs to a different public IP.

Update

Here are the rules you need to allow only one IP (192.168.0.100):

iptables -A FORWARD -o eth1 -s 192.168.0.100 -j ACCEPT
iptables -A FORWARD -o eth1 -s 192.168.0.0/24 -j DROP
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.100 -j SNAT --to-source=23.x.x.x
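Added example, not part of the question or the answer above: a small first-match simulator for the three rules in the answer. It shows why the ACCEPT for 192.168.0.100 must come before the /24 DROP, and why a host dropped in filter/FORWARD (such as the earlier 192.168.0.23) never reaches nat/POSTROUTING. It assumes the FORWARD chain's default policy is ACCEPT; the public address is left masked as "23.x.x.x" exactly as on the page.

```python
"""Toy model of how iptables evaluates the answer's rules for a routed packet.
Traversal order for forwarded traffic: filter/FORWARD first, then nat/POSTROUTING.
Constructed example; it does not touch the real firewall."""
import ipaddress

# (out interface, source match, target), in the order the answer appends them.
FORWARD = [
    ("eth1", "192.168.0.100", "ACCEPT"),
    ("eth1", "192.168.0.0/24", "DROP"),
]
POSTROUTING = [
    ("eth1", "192.168.0.100", "SNAT 23.x.x.x"),  # masked public IP, as on the page
]


def matches(rule, out_if, src):
    """A rule matches when both its -o interface and its -s source match."""
    rule_if, rule_src, _ = rule
    net = ipaddress.ip_network(rule_src, strict=False)  # "a.b.c.d" becomes a /32
    return rule_if == out_if and ipaddress.ip_address(src) in net


def evaluate(chain, out_if, src, policy="ACCEPT"):
    """First matching rule wins; with no match the chain policy applies."""
    for rule in chain:
        if matches(rule, out_if, src):
            return rule[2]
    return policy


def forward_packet(src, out_if="eth1", forward=FORWARD, postrouting=POSTROUTING):
    """Return (filter verdict, NAT action) for a packet leaving on out_if.
    A packet dropped in FORWARD is never seen by POSTROUTING, which is why the
    answer puts the deny decision in the filter table rather than in nat."""
    verdict = evaluate(forward, out_if, src)
    if verdict == "DROP":
        return ("DROP", None)
    return ("ACCEPT", evaluate(postrouting, out_if, src, policy="no NAT"))


if __name__ == "__main__":
    print(forward_packet("192.168.0.100"))   # allowed host: forwarded and SNATed
    print(forward_packet("192.168.0.23"))    # any other LAN host: dropped
    # Same rules appended in the opposite order block the allowed host too.
    print(forward_packet("192.168.0.100", forward=list(reversed(FORWARD))))
```

Swapping the two FORWARD rules is the classic mistake: the /24 DROP then matches 192.168.0.100 first and the host-specific ACCEPT is never reached.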