iptables for a /16 subnet with a /24 exception

simply put, i want to use these rules:

iptables -I FORWARD -i br0.105 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD -s 192.168.0.0/16 -i br0.105 -j DROP

but with the exception of the 192.168.99.0/24 subnet.

Is there a way of specifying this in the lines above? I prefer not to add an exception rule with -j ACCEPT for the .99 subnet, as there are other rules that refer to that particular subnet.


Use a new chain. There are multiple ways to do this, my preference would be this:

iptables -N DROP_BAD_HOSTS
iptables -A DROP_BAD_HOSTS -s 192.168.99.0/24 -j RETURN
iptables -A DROP_BAD_HOSTS -i br0.105 -d 192.168.0.0/16 -j DROP
iptables -A DROP_BAD_HOSTS -i br0.105 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -j DROP_BAD_HOSTS

Notice the first rule does a RETURN if the source is the /24 you want to exclude.

Another method is this, but it is less flexible in that you can't add another range to exclude in the future:

iptables -N DROP_BAD_HOSTS
iptables -A DROP_BAD_HOSTS -i br0.105 -d 192.168.0.0/16 -j DROP
iptables -A DROP_BAD_HOSTS -s 192.168.0.0/16 -i br0.105 -j DROP
iptables -A FORWARD ! -s 192.168.99.0/24 -j DROP_BAD_HOSTS
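Two practical notes on the RETURN-chain approach, with an added example that is not code from the thread. First, the RETURN in the answer above matches only -s 192.168.99.0/24, so a packet forwarded from br0.105 to a .99 host still matches the -d 192.168.0.0/16 DROP; if the /24 should be exempt in both directions, you need a -d RETURN as well. Second, the question inserts its rules with -I (top of FORWARD) while the answer appends the jump with -A, so the chain would only be consulted after whatever ACCEPT rules already sit in FORWARD. The script below builds the chain in iptables-restore syntax so it loads atomically, exempts each listed subnet as source and destination, and hooks the jump in at the top of FORWARD only once. The interface, networks and chain name are taken from the thread; the function names and the IFACE/BLOCKED_NET/CHAIN variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build the exception chain in
# iptables-restore syntax, exempting each given /24 as source AND destination.
# br0.105, 192.168.0.0/16 and DROP_BAD_HOSTS come from the thread; the
# variable and function names below are this example's own (assumptions).

IFACE="${IFACE:-br0.105}"
BLOCKED_NET="${BLOCKED_NET:-192.168.0.0/16}"
CHAIN="${CHAIN:-DROP_BAD_HOSTS}"

rule() { printf '%s\n' "$*"; }

# Print an iptables-restore fragment for the filter table.
# Arguments: subnets to exempt. Each gets a RETURN for -s and for -d, and the
# RETURNs are emitted before the DROPs: order is what makes them exceptions.
exception_chain_rules() {
    rule '*filter'
    # Declares the chain; with --noflush an existing chain of this name is
    # flushed and refilled, the rest of the filter table is left alone.
    rule ":$CHAIN - [0:0]"
    for net in "$@"; do
        rule "-A $CHAIN -s $net -j RETURN"
        rule "-A $CHAIN -d $net -j RETURN"
    done
    rule "-A $CHAIN -i $IFACE -d $BLOCKED_NET -j DROP"
    rule "-A $CHAIN -i $IFACE -s $BLOCKED_NET -j DROP"
    rule 'COMMIT'
}

# Load the chain atomically, then hook it in at the top of FORWARD exactly
# once: -C reports whether the jump already exists, -I mirrors the question
# (an -A would place the check after any earlier ACCEPT rules in FORWARD).
apply_rules() {
    exception_chain_rules "$@" | iptables-restore --noflush
    iptables -C FORWARD -j "$CHAIN" 2>/dev/null \
        || iptables -I FORWARD -j "$CHAIN"
}

# Show what the kernel actually holds, in the same -A syntax as above.
verify_rules() {
    iptables -S "$CHAIN"
    iptables -S FORWARD | grep -- "-j $CHAIN"
}

# Always print the generated ruleset; only touch the kernel when asked
# (needs root): sh script.sh apply
exception_chain_rules 192.168.99.0/24
if [ "${1:-}" = apply ]; then
    apply_rules 192.168.99.0/24
    verify_rules
fi
```

To exempt a second range later, just pass it as another argument (exception_chain_rules 192.168.99.0/24 192.168.7.0/24); the RETURNs stay ahead of the DROPs, which is the flexibility the answer points out the `! -s` variant lacks.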

as there are other rules that apply as well

What are the other rules? Do they apply to the .99 subnet, or to 192.168.0.0/16?

If they only apply to the .99 subnet, you just have to move them up, above these two rules.


Create a new chain:

iptables -N subnet1

Direct the exception network to the new chain:

iptables -I FORWARD -i br0.105 -d 192.168.99.0/24 -j subnet1

Apply other rules to traffic in that chain:

iptables -I subnet1 ... -j DROP/ACCEPT