How to drop all subnets outside of the US using iptables

Posted by Jim on Server Fault
Published on 2010-03-16T03:49:18Z Indexed on 2010/03/16 5:06 UTC


I want to block all subnets outside the US. I've made a script that has all of the US subnets in it. I want to disallow or DROP all but my list. Can someone give me an example of how I can start by denying everything?


This is the output from -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW
DROP       icmp --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And these are the rules

iptables -F                      # flush existing rules (corrected from "--F", which is not a valid option)
iptables --policy INPUT DROP     # default-deny for inbound traffic
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -m state --state NEW -j ACCEPT   # no -s match here, so any source address reaches ftp
iptables -A INPUT -p icmp -j DROP

Just for clarity, with these rules, I can still connect to port 21 without my subnet list. I want to block ALL subnets and just open those inside the US.
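One way to get the default-deny plus allow-list the question asks for, written as an added example that is not part of the original post or any answer to it. It assumes the subnet list is one CIDR per line (blank lines and "#" comments skipped), that the public interface is eth0, and that the chain name US-ALLOW is free; the three prefixes in SAMPLE_SUBNETS are RFC 5737 documentation ranges used as constructed stand-ins, not US allocations. The script only prints the iptables commands unless run with --apply, so it can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not from the original post: default-deny INPUT, then permit
# NEW connections only from an allow-list of CIDRs, then open ftp (tcp/21).
# Assumptions: one CIDR per line (blank lines and '#' comments ignored),
# public interface eth0, chain name US-ALLOW unused. Dry run by default
# (commands are printed); pass --apply to execute real iptables.
set -e

IFACE="${IFACE:-eth0}"
IPTABLES="echo iptables"

# Constructed sample list built from RFC 5737 documentation prefixes; these
# are placeholders, not real US allocations.
SAMPLE_SUBNETS='192.0.2.0/24
# comment lines and blank lines are skipped

198.51.100.0/24
203.0.113.0/24'

# Fill chain US-ALLOW from the CIDRs on stdin: a matching source RETURNs to
# INPUT, anything else hits the trailing DROP and never reaches a service
# rule.
build_allow_chain() {
    while read -r cidr; do
        case "$cidr" in ''|\#*) continue ;; esac
        $IPTABLES -A US-ALLOW -s "$cidr" -j RETURN
    done
    $IPTABLES -A US-ALLOW -j DROP
}

# Whole INPUT policy; the allow-list is read from stdin. Order matters: the
# jump to US-ALLOW must come before any ACCEPT for a service, otherwise the
# service rule matches first and the list is never consulted, which is why
# the rules in the question still let any address reach port 21.
apply_ruleset() {
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -N US-ALLOW 2>/dev/null || true   # chain already exists on a re-run
    $IPTABLES -F US-ALLOW
    build_allow_chain
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Geo gate: every NEW packet on the public interface is checked against
    # the list before any service is opened.
    $IPTABLES -A INPUT -i "$IFACE" -m state --state NEW -j US-ALLOW
    $IPTABLES -A INPUT -i "$IFACE" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p icmp -j DROP
}

# Usage: ./us-only.sh [--apply] [list-file]; without a file the sample list is used.
if [ "${1:-}" = "--apply" ]; then IPTABLES="iptables"; shift; fi
if [ -n "${1:-}" ]; then
    apply_ruleset < "$1"
else
    printf '%s\n' "$SAMPLE_SUBNETS" | apply_ruleset
fi
```

Two practical notes. Check the result with `iptables -L -v -n` rather than plain `-L`: without `-v` the interface column is hidden, which is why the `-i lo` rule in the question shows up as a bare "ACCEPT all anywhere anywhere". And a real list of every US prefix runs to thousands of entries; a linear chain that long is checked rule by rule for every new connection, so on a kernel that has it, an ipset of type hash:net matched with `-m set --match-set` is the faster way to hold the list while keeping the same INPUT structure.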

© Server Fault or respective owner
