How to drop all subnets outside of the US using iptables
Posted
by Jim
on Server Fault
See other posts from Server Fault
or by Jim
Published on 2010-03-16T03:49:18Z
Indexed on
2010/03/16
5:06 UTC
Read the original article
Hit count: 411
I want to block all subnets outside the US. I've made a script that has all of the US subnets in it. I want to disallow or DROP all but my list. Can someone give me an example of how I can start by denying everything?
This is the output from -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW
DROP icmp -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And these are the rules
iptables --F
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -j DROP
Just for clarity, with these rules, I can still connect to port 21 without my subnet list. I want to block ALL subnets and just open those inside the US.
© Server Fault or respective owner