What I am trying to do is to DROP any packets to a specific UDP port, except those from my secured subnet 10.8.0.0/24.
iptables -t nat -A --src 10.8.0.0/24 -p udp --destination-port 63210 -j ACCEPT
I get this error: Bad argument: 10.8.0.0/24
I don't understand why this does not work...
- Why does this command say the IP is a bad argument?
- How do I DROP any other packets, from outside the subnet?
- Should I use the NAT table?
- How to achieve this?
UPDATE
I've found a solution like this:
iptables -N xchain
iptables -A xchain --source 10.8.0.0/24 -j ACCEPT
iptables -A xchain -j DROP
iptables -I INPUT -p udp --dport 63210 -j xchain
After applying this, I cannot access the port from ANY IP...
PROBLEM: I have an OpenVPN server set up on the tun0 interface, forwarding packets to eth0 like this:
iptables -I FORWARD -i tun0 -o eth0 \
-s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
-j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 \
-s 10.8.0.0/24 -j MASQUERADE
The question is, how do I catch tun0 traffic and filter it there, instead of on eth0, where the IPs become the real ones?
1 Answer
Rather than trying to block on the NAT table, try the FORWARD table.
iptables -A FORWARD --src 10.8.0.0/24 -p udp --destination-port 63210 -j ACCEPT
iptables -A FORWARD -p udp --destination-port 63210 -j DROP
This will accept the packets for your LAN, and drop everything else (for this port) which is being forwarded through the router - even if NAT is involved. Note that it won't catch requests originating or terminating ON the router itself; for that you would use the INPUT and/or OUTPUT chain rather than the FORWARD chain.
The forward chain is parsed before the NAT chain so you can match source and destination IP addresses in it.
- Well... I have 10.8.0.0/24 IPs only on tun0... I'll try. (Croll, commented Feb 19, 2015 at 18:45)
- The rules I provided don't care what interface the traffic is coming in or leaving on, and will act on all interfaces. (davidgo, commented Feb 19, 2015 at 19:37)