Hi Frank, thx for your prompt answer! Two questions on your comments:

- Why is DROP bad here? As I see it, REJECT would send an error message back to the source, but this would not make any sense on packets coming in on the WAN interface with private IP addresses, or am I wrong?
- Why is INPUT not appropriate here? Should I do the dropping earlier, perhaps in the mangle table?

And yes, I will do something similar in the FORWARD chain :-)

Thx again!

Cheers,
Markus

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Frank Gruellich
Sent: Monday, May 31, 2004 12:08 PM
To: netfilter
Subject: Re: Filtering multiple networks

* Markus Zeilinger <mz@xxxxxxxxxxxxxxxxxx> 31. May 04:
> Hi all,

Hello,

> sorry if this is a stupid question, I am just a newbie with iptables.

Okay.

> Now I would like to drop

Drop is considered to be bad. Maybe you should prefer REJECT.

> all packets coming on the Internet interface on the firewall with
> source address out of the private IP address ranges (10.0.0.0/8,
> 192.168.0.0/16, 172.16.0.0/12 and 169.254.0.0/16).

You have to split it.

> I use the following syntax in my script:
>
> ...
> WAN_IFACE="eth0"
> PRIV_IP="10.0.0.0/8,192.168.0.0/16,172.16.0.0/12,169.254.0.0/16"

PRIV_IP="10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16"

> iptables -A INPUT -i $WAN_IFACE -s $PRIV_IP -j DROP

Well, INPUT isn't very appropriate, but:

for ip in $PRIV_IP; do iptables -A INPUT -i $WAN_IFACE -s $ip -j DROP; done

Maybe you should have something like this in your FORWARD, too.

HTH, regards,
Frank.

-- 
Sigmentation fault
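As an added example (not part of the thread above), the anti-spoofing rules Frank sketches, written as a small script that covers both the INPUT and FORWARD chains from a space-separated list and that can print the rules for review before installing them; the interface name, the network list and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Anti-spoofing filter: drop packets that arrive on the WAN interface
# claiming a private (RFC 1918) or link-local source address.
# Such packets cannot legitimately come from the Internet side.

WAN_IFACE="eth0"                       # assumed Internet-facing interface
# One network per word, so the loop below emits one rule per prefix.
PRIV_IP="10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16"
IPTABLES="${IPTABLES:-iptables}"       # override to e.g. "echo iptables" for a dry run

# Print, one per line, the rules to append to the given chain (INPUT or FORWARD).
# Reviewing this output first catches typos before anything touches the kernel.
gen_rules() {
    chain="$1"
    for ip in $PRIV_IP; do
        echo "$IPTABLES -A $chain -i $WAN_IFACE -s $ip -j DROP"
    done
}

# Install the rules for packets addressed to the firewall itself (INPUT)
# and for packets the firewall routes onwards (FORWARD). Needs root.
apply_rules() {
    for chain in INPUT FORWARD; do
        gen_rules "$chain" | sh
    done
}

# Usage: ./antispoof.sh review   (print the rules)
#        ./antispoof.sh apply    (install them)
case "${1:-}" in
    review) gen_rules INPUT; gen_rules FORWARD ;;
    apply)  apply_rules ;;
esac
```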