I am learning using iptables to set up firewall rules.
I read a book, which has this specific IP rule.
# iptables -I OUTPUT ! -d 192.168.0.100/24 -p icmp -j DROP
The book says this rule, "reject all outbound ICMP traffic to all systems on 192.168.0.0/24, except for system with IP address 192.168.0.100/24."
But when I tested it, I found this rule does not block any IP on the 192.168.0.x segment.
Have I done anything wrong?
To show it, I did two different tests: one rule with "-d 192.168.0.100", another with "-d 192.168.0.100/24". They behave differently.
1. Flush iptables rules.
2. ping 192.168.0.100 and 192.168.0.110, and 192.168.1.1 all successful.
3. Add iptables rule.
4. # iptables -I OUTPUT ! -d 192.168.0.100 -p icmp -j DROP
5. Now I can ping 192.168.0.100, but cannot ping 192.168.0.110, or 192.168.1.1.
Then I did another test, with the IP destination as "192.168.0.100/24":
1. Flush iptables rules.
2. ping 192.168.0.100 and 192.168.0.110, and 192.168.1.1 all successful.
3. Add iptables rule.
4. # iptables -I OUTPUT ! -d 192.168.0.100/24 -p icmp -j DROP
5. Now I can ping both 192.168.0.100, 192.168.0.110, but not 192.168.1.1.
So my conclusion is that, in an iptables rule, an IP address with a prefix is translated to the whole set of subnet IPs. "192.168.0.100/24" and "192.168.0.0/24" are exactly the same.
[solved]What does this iptable rule mean?
Last edited by Johan_z on 2016/01/28 18:12:24, edited 4 times in total.
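To make the two tests in the post reproducible without touching a live firewall, here is an added example (not code from the thread) that models how iptables interprets a `-d` destination: host bits under the prefix are masked off, and `!` inverts the match. It assumes the OUTPUT chain's default policy is ACCEPT and uses Python's `ipaddress` module to stand in for the kernel's mask logic.

```python
import ipaddress

# Assumption: the OUTPUT chain's default policy is ACCEPT, so any packet that
# does not match the single DROP rule is allowed out.
DEFAULT_POLICY = "ACCEPT"


def normalize_dst(dst_spec):
    """Return the destination the way iptables stores it: host bits under the
    prefix are masked off, so "192.168.0.100/24" becomes "192.168.0.0/24".
    A bare address with no prefix is a single host (/32)."""
    return str(ipaddress.ip_network(dst_spec, strict=False))


def rule_matches(dst_spec, negate, packet_dst):
    """Does a "[!] -d dst_spec" test match a packet sent to packet_dst?"""
    network = ipaddress.ip_network(dst_spec, strict=False)
    in_net = ipaddress.ip_address(packet_dst) in network
    # "!" inverts the match: the rule applies to packets NOT in the block.
    return in_net != negate


def output_verdict(dst_spec, negate, packet_dst):
    """Verdict for one ICMP packet leaving the host under the rule
    "iptables -I OUTPUT [!] -d dst_spec -p icmp -j DROP"."""
    return "DROP" if rule_matches(dst_spec, negate, packet_dst) else DEFAULT_POLICY


def run_test(dst_spec):
    """Replay the three pings from the post against one -d specification,
    with the "!" negation in place, as in the book's rule."""
    targets = ["192.168.0.100", "192.168.0.110", "192.168.1.1"]
    return {t: output_verdict(dst_spec, True, t) for t in targets}


if __name__ == "__main__":
    for spec in ("192.168.0.100", "192.168.0.100/24"):
        print(f"! -d {spec} (stored as {normalize_dst(spec)}): {run_test(spec)}")
```

The first spec keeps only 192.168.0.100 pingable; the second keeps the whole 192.168.0.0/24 block pingable and drops only 192.168.1.1, exactly the two results observed in the post.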
Re: What does this iptable rule mean?
It strikes me as odd that the same rule may mean one thing and its contrary at the same time (forbid A and allow A), as the book would seem to imply. What it means is:
DROP all ICMP traffic passing through the OUTPUT chain that is NOT directed to 192.168.3.3/24.
If you cannot ping any address on 192.168.3.3/24, it must be because of some other rule, local or remote.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.
Re: What does this iptable rule mean?
Thanks for your reply. I have reformatted my post a bit so that it's clearer. Could you take a look?
giulix63 wrote:
It strikes me as odd that the same rule may mean one thing and its contrary at the same time (forbid A and allow A), as the book would seem to imply. What it means is:
DROP all ICMP traffic passing through the OUTPUT chain that is NOT directed to 192.168.3.3/24.
If you cannot ping any address on 192.168.3.3/24, it must be because of some other rule, local or remote.
Re: What does this iptable rule mean?
And 192.168.0.100/24 means a block of 256 addresses starting at 192.168.0.0 - 255.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: What does this iptable rule mean?
See Trevor's explanation above for why you can ping both 192.168.0.100 and 192.168.0.110, but not 192.168.1.1 (5). Google "CIDR notation".
Re: What does this iptable rule mean?
Thanks TrevorH. Now I understand it.
TrevorH wrote:
And 192.168.0.100/24 means a block of 256 addresses starting at 192.168.0.0 - 255.