[solved]What does this iptable rule mean?

Johan_z · Post by **Johan_z** » 2016/01/28 13:30:31

I am learning using iptables to set up firewall rules.

I read a book, which has this specific IP rule.

# iptables -I OUTPUT ! -d 192.168.0.100/24 -p icmp -j DROP

The book says this rule, "reject all outbound ICMP traffic to all systems on 192.168.0.0/24, except for system with IP address 192.168.0.100/24."

But when I test it, I found this rule does not block any IP on 192.168.0. segment.

Have I done anything wrong?

To show it, I did two different tests. one rule with " -d 192.168.0.100", another with "-d 192.168.0.100/24". It behaves differently.
1. Flush iptables rules.
2. ping 192.168.0.100 and 192.168.0.110, and 192.168.1.1 all successful.
3. Add iptables rule.
4. # iptables -I OUTPUT ! -d 192.168.0.100 -p icmp -j DROP
5. Now I can ping 192.168.0.100, but cannot ping 192.168.0.110, or 192.168.1.1.

Then I did another test, with IP destination as "192.168.0.100/24"
1. Flush iptables rules.
2. ping 192.168.0.100 and 192.168.0.110, and 192.168.1.1 all successful.
3. Add iptables rule.
4. # iptables -I OUTPUT ! -d 192.168.0.100/24 -p icmp -j DROP
5. Now I can ping both 192.168.0.100, 192.168.0.110, but not 192.168.1.1.

So my conclusion is that, in iptables rule, ip address with prefix is translated to whole IP subset IPs. "192.168.0.100/24" and "192.168.0.0/24" are exactly the same.

giulix63 · Post by **giulix63** » 2016/01/28 14:42:23

It strikes me as odd that the same rule may mean one thing and its contrary at the same time (forbid A and allow A), as the book would seem to imply. What it means is:
DROP all ICMP traffic passing through the OUTPUT chain that is NOT directed to 192.168.3.3/24.
If you cannot ping any address on 192.168.3.3/24 must be because of some other rule, local or remote.

Johan_z · Post by **Johan_z** » 2016/01/28 16:37:04

giulix63 wrote:It strikes me as odd that the same rule may mean one thing and its contrary at the same time (forbid A and allow A), as the book would seem to imply. What it means is:
DROP all ICMP traffic passing through the OUTPUT chain that is NOT directed to 192.168.3.3/24.
If you cannot ping any address on 192.168.3.3/24 must be because of some other rule, local or remote.

Thanks for your reply. I have reformatted my post a bit so that it's clearer. Could you take a look?

Post by **TrevorH** » 2016/01/28 17:03:46

And 192.168.0.100/24 means a block of 256 addresses starting at 192.168.0.0 - 255.

giulix63 · Post by **giulix63** » 2016/01/28 17:43:37

See Trevor's explanation above why you can ping both 192.168.0.100 and 192.168.0.110, but not 192.168.1.1 (5). Google "CIDR notation".

Johan_z · Post by **Johan_z** » 2016/01/28 18:13:24

TrevorH wrote:And 192.168.0.100/24 means a block of 256 addresses starting at 192.168.0.0 - 255.

Thanks TrevorH. Now I understand it.

CentOS

[solved]What does this iptable rule mean?

[solved]What does this iptable rule mean?

Re: What does this iptable rule mean?

Re: What does this iptable rule mean?

Re: What does this iptable rule mean?

Re: What does this iptable rule mean?

Re: What does this iptable rule mean?