I use Ubuntu as a gateway for several hosts. I need advice on how to block IP forwarding for a specific IP address or a specific IP range.
I tried to block the IP via ufw deny rules, but it looks like the IP forwarding setting cannot be modified via rules and can only be applied globally (DEFAULT_FORWARD_POLICY in /etc/default/ufw).
Also I tried to change the iptables rules directly:
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
After this command the IP forwarding reject rule blocks forwarding requests from all of the remote hosts.
Update:
Current iptables output:
    root@mtu90:/home/pi# iptables -L -n -v
    Chain INPUT (policy ACCEPT 5671 packets, 927K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            172.16.1.77
      192 15408 DROP       all  --  *      *       172.16.1.77          0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      895  136K            all  --  *      *       0.0.0.0/0            0.0.0.0/0
      518 30999 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 119 packets, 14872 bytes)
     pkts bytes target     prot opt in     out     source               destination
Best Answer
I think you are overthinking the problem. It is trivial to block forwarding requests using iptables on whatever basis you like.
There is, of course, a default setting: forwarding can be allowed or denied by default. Your current setting is allowed. Thus, to drop a specific host, simply add an iptables rule.
Make sure that you remember to remove your rule to REJECT everything in the FORWARD chain.
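The per-host version of the rule, written out as an added example rather than code from the question or the answer. The addresses 172.16.1.77 and 172.16.1.0/24 are placeholders for whichever host or range you want to cut off; the sample `iptables -L -n -v` text embedded below is copied from the question and used only to exercise the checking function. With IPTABLES_DRY_RUN=1 the script prints the commands instead of executing them, so it can be inspected without root.

```shell
#!/bin/sh
# Added example: block IP forwarding for one address or range with
# per-address iptables rules instead of a catch-all REJECT.
# Assumptions: 172.16.1.77 / 172.16.1.0/24 are placeholder addresses.

# Run iptables, or just print the command when IPTABLES_DRY_RUN=1.
run_ipt() {
    if [ "${IPTABLES_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Reject forwarded traffic from, and to, ADDR (a host or a CIDR range).
# "-I FORWARD 1" puts the rules at the top of the chain, so they match
# before any broader ACCEPT that may follow. Only ADDR is affected;
# the remaining hosts keep forwarding.
block_forward() {
    addr="$1"
    run_ipt -I FORWARD 1 -s "$addr" -j REJECT --reject-with icmp-host-prohibited
    run_ipt -I FORWARD 1 -d "$addr" -j REJECT --reject-with icmp-host-prohibited
}

# Undo block_forward for ADDR.
unblock_forward() {
    addr="$1"
    run_ipt -D FORWARD -s "$addr" -j REJECT --reject-with icmp-host-prohibited
    run_ipt -D FORWARD -d "$addr" -j REJECT --reject-with icmp-host-prohibited
}

# Remove the catch-all rule from the question, which rejects every
# forwarded packet regardless of source. -D matches on the rule spec.
remove_catchall_reject() {
    run_ipt -D FORWARD -j REJECT --reject-with icmp-host-prohibited
}

# Read `iptables -L -n -v` output on stdin and count REJECT rules in the
# FORWARD chain whose source and destination are both 0.0.0.0/0, i.e.
# catch-all rejects that would block forwarding for everyone.
count_catchall_forward_rejects() {
    awk '
        /^Chain / { chain = $2; next }
        chain == "FORWARD" && $3 == "REJECT" &&
            $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" { n++ }
        END { print n + 0 }
    '
}

# Constructed sample, copied from the question, used for the check above.
SAMPLE_IPTABLES_OUTPUT='Chain INPUT (policy ACCEPT 5671 packets, 927K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            172.16.1.77
  192 15408 DROP       all  --  *      *       172.16.1.77          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  895  136K            all  --  *      *       0.0.0.0/0            0.0.0.0/0
  518 30999 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 119 packets, 14872 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Usage: sh block_forward.sh ADDR [ADDR...]   (IPTABLES_DRY_RUN=1 to print only)
# Removes the catch-all first, then blocks each ADDR, then shows the chain.
if [ $# -gt 0 ]; then
    if [ "${IPTABLES_DRY_RUN:-0}" != "1" ] && \
       [ "$(iptables -L FORWARD -n -v | count_catchall_forward_rejects)" -gt 0 ]; then
        remove_catchall_reject
    fi
    for a in "$@"; do
        block_forward "$a"
    done
    run_ipt -L FORWARD -n -v --line-numbers
fi
```

Run `sh block_forward.sh 172.16.1.77 172.16.1.0/24` as root on the gateway; with IPTABLES_DRY_RUN=1 it only prints the rules it would install. On the sample output from the question the check reports one catch-all REJECT, which is why every host lost forwarding. On ufw-managed gateways (ufw 0.34 and later) the same per-host block can be expressed as `ufw route deny from 172.16.1.77` instead of editing iptables directly.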