Block Local Network Connections with Iptables – How to Guide

Tags: firewall, iptables, linux, networking, Security

My network's DHCP address range goes from 192.168.0.100 to 192.168.0.199 and its subnet mask is 255.255.255.0.

I want to use iptables to DROP any INPUT (and OUTPUT too, if possible, as I don't want any type of connection with other devices in my network) from this IP range, blocking then all the incoming connections coming from (and outgoing to) my local network.

I think I know how to do this, but I still have some pending stuff to learn…

like, I've seen people saying to set the rule iptables -A INPUT -s 192.168.0.100/24 -j DROP, but I don't know if it's right for my network, since I don't know what this "/24" stands for in this rule, and I've seen people using "/16" or "/32" in other cases, so I feel a little confused about it all.

In some answers and threads, I have also seen people saying about the rule:
iptables -A INPUT -m iprange --src-range 192.168.0.100-192.168.0.199 -j DROP, but these threads are old and I don't know if it is the best option for blocking what I am asking about.

So, since I feel confused, I am asking here for some more advanced networking/iptables/Linux mind who can explain this to me better and tell me what rule I should use to do this.

EDIT #1:

I currently already iptables -P DROP the INPUT, OUTPUT and FORWARD chains, and have the two following rules:

iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT

iptables -I OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

regarding this last one, should I change "-m state --state" to "-m conntrack --ctstate" or are both the same thing?

Best Answer

since I don't know what this "/24" stands for in this rule, and I've seen people using "/16" or "/32" in other cases, so I feel a little confused about it all.

It is the size of the network in slash notation: /24 = 255.255.255.0 in "netmask" notation. (It specifies how large a subnet can be; machines in the subnet will have the same prefix of IP addresses.)

What you want to achieve (if I understood correctly) is to block incoming traffic from other devices that gain their IP address from the DHCP server.

iptables -A INPUT -m iprange --src-range 192.168.0.100-192.168.0.199 -j DROP

-A means append, so make sure you are not allowing the connection that should be dropped before this rule (or specify -I INPUT <number_of_desired_position> to "insert").

-m stands for "match": which module you wish to use (because you wish to use an IP range, a special module is loaded and it "matches" the addresses for you; in the same manner you can create a stateful firewall).

now you permit any other connection (if you have a permissive policy you are fine to skip)

iptables -A INPUT -j ACCEPT

Now, outgoing traffic: because you are dropping the incoming connections you will not be able to establish a connection to any other machine in the range, but your packets will still be able to try to connect (your machine could try to start a connection but would never be able to establish it because of no answer from the remote machine; that is true for TCP at least).

So you should be fine leaving it accepted.

But if you wish to have ability to connect to other machines in the subnet (e.g. connect to an http server in the specified range) you can do that by adding the:

iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT

the --state ESTABLISHED is there to enable stateful connections (those which you tried to initiate).
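As an added worked example (not part of the question or the answer above), the following Python script shows concretely what the two rule styles the question compares actually match: `-s 192.168.0.100/24` is interpreted by iptables as the whole 192.168.0.0/24 subnet (host bits are masked off), so it would also drop the router and everything else on the LAN, whereas the iprange match covers exactly .100 to .199. It also shows the general case the answer only hints at: any address range can be converted into the minimal set of plain `-s`/`-d` CIDR rules, so the iprange module is a convenience, not a necessity. The DHCP range and the rule text come from the page; the function names and the OUTPUT rules mirroring the INPUT ones are my own assumptions, added because the question asks for outgoing traffic to be dropped too.

```python
import ipaddress

# DHCP range from the question (constructed inputs for the example)
DHCP_START = ipaddress.ip_address("192.168.0.100")
DHCP_END = ipaddress.ip_address("192.168.0.199")


def cidr_coverage(cidr: str):
    """Return (network, first, last, count) for a CIDR the way iptables -s reads it.
    strict=False masks the host bits off, so 192.168.0.100/24 becomes 192.168.0.0/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net), str(net[0]), str(net[-1]), net.num_addresses


def cidr_matches(ip: str, cidr: str) -> bool:
    """Would an iptables rule with -s <cidr> match a packet from <ip>?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def range_matches(ip: str, start=DHCP_START, end=DHCP_END) -> bool:
    """Would -m iprange --src-range start-end match a packet from <ip>?"""
    return start <= ipaddress.ip_address(ip) <= end


def range_to_cidrs(start=DHCP_START, end=DHCP_END):
    """Minimal list of CIDR blocks covering exactly start..end (no extra hosts)."""
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def build_rules(start=DHCP_START, end=DHCP_END, use_iprange=True):
    """Generate the DROP rules for both directions (assumption: OUTPUT mirrors INPUT
    with --dst-range / -d, as the question wants outgoing traffic blocked as well)."""
    if use_iprange:
        return [
            f"iptables -A INPUT -m iprange --src-range {start}-{end} -j DROP",
            f"iptables -A OUTPUT -m iprange --dst-range {start}-{end} -j DROP",
        ]
    rules = []
    for block in range_to_cidrs(start, end):
        rules.append(f"iptables -A INPUT -s {block} -j DROP")
        rules.append(f"iptables -A OUTPUT -d {block} -j DROP")
    return rules


if __name__ == "__main__":
    print("-s 192.168.0.100/24 really means:", cidr_coverage("192.168.0.100/24"))
    print("router .1 hit by /24 rule?      ", cidr_matches("192.168.0.1", "192.168.0.100/24"))
    print("router .1 hit by iprange rule?  ", range_matches("192.168.0.1"))
    print("exact CIDR equivalent of range: ", range_to_cidrs())
    for rule in build_rules(use_iprange=False):
        print(rule)
```

Two points worth keeping in mind when you paste the generated rules in: they use `-A`, so, as the answer says, they must come before any broad ACCEPT in the same chain (the `-I OUTPUT ... NEW -j ACCEPT` rule from the question's edit sits at the top of OUTPUT and would match first, making an appended OUTPUT DROP dead code unless the DROP is inserted above it), and `-m state --state` is the older spelling of `-m conntrack --ctstate`; both consult the same connection-tracking table in current iptables.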
