iptables for a /16 subnet with a /24 exception
Simply put, I want to use these rules:
iptables -I FORWARD -i br0.105 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD -s 192.168.0.0/16 -i br0.105 -j DROP
but with the exception of the 192.168.99.0/24 subnet.
Is there a way of specifying this in the lines above? I prefer not to add an exception rule with -j ACCEPT for the .99 subnet, as there are other rules that refer to that particular subnet.
Use a new chain. There are multiple ways to do this; my preference would be this:
iptables -N DROP_BAD_HOSTS                                    # create the user-defined chain
iptables -A DROP_BAD_HOSTS -s 192.168.99.0/24 -j RETURN      # exempt: leave the chain for the .99 subnet
iptables -A DROP_BAD_HOSTS -i br0.105 -d 192.168.0.0/16 -j DROP
iptables -A DROP_BAD_HOSTS -i br0.105 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -j DROP_BAD_HOSTS                         # hook the chain into FORWARD
Notice that the first rule does a RETURN if the source is the /24 you want to exclude.
Another method is this, but it is less flexible in that you can't add another range to exclude in the future:
iptables -N DROP_BAD_HOSTS
iptables -A DROP_BAD_HOSTS -i br0.105 -d 192.168.0.0/16 -j DROP
iptables -A DROP_BAD_HOSTS -s 192.168.0.0/16 -i br0.105 -j DROP
iptables -A FORWARD ! -s 192.168.99.0/24 -j DROP_BAD_HOSTS    # the exception is in the jump itself
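The first method above as a complete, re-runnable script. This is an added example, not the answerer's own code: it keeps the answer's DROP_BAD_HOSTS chain and RETURN-before-DROP ordering, but exempts traffic both from and to 192.168.99.0/24 (the answer's single rule only matches the source), and reads the exception list from a variable so further subnets can be added without touching FORWARD. The interface br0.105 and the 192.168.0.0/16 block come from the question; the DRY_RUN knob, the variable names and the idempotent rebuild (-F the chain, -C before adding the jump) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the answer above): RETURN-based exception chain for a
# /16 block with one or more /24 exemptions, safe to re-run.
# Assumed from the question: interface br0.105, block 192.168.0.0/16.
# Assumed from the answer: chain name DROP_BAD_HOSTS. DRY_RUN is invented here.
set -eu

IFACE="${IFACE:-br0.105}"
BLOCK_NET="${BLOCK_NET:-192.168.0.0/16}"
CHAIN="${CHAIN:-DROP_BAD_HOSTS}"
# Space-separated list of subnets exempted from the blanket DROP; extend freely.
EXCEPT_NETS="${EXCEPT_NETS:-192.168.99.0/24}"

# Run iptables, or just print the command line when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Print the chain's rules, one argument list per line, in the order they must be
# appended. Exceptions come first: RETURN leaves the chain before any DROP is seen.
emit_rules() {
    for net in $EXCEPT_NETS; do
        echo "-A $CHAIN -s $net -j RETURN"   # packets from the exempt subnet
        echo "-A $CHAIN -d $net -j RETURN"   # packets to the exempt subnet
    done
    # The two blanket rules from the question, now reached only by non-exempt traffic.
    echo "-A $CHAIN -i $IFACE -d $BLOCK_NET -j DROP"
    echo "-A $CHAIN -i $IFACE -s $BLOCK_NET -j DROP"
}

# (Re)build the chain. -N fails if the chain already exists, so that is ignored;
# -F empties it, which makes re-running the script idempotent rather than
# appending duplicate rules.
apply_rules() {
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -F "$CHAIN"
    emit_rules | while read -r spec; do
        # shellcheck disable=SC2086  # splitting $spec into arguments is intended
        ipt $spec
    done
    # Hook the chain into FORWARD once; -C is iptables' "does this rule exist" check
    # (skipped in dry-run mode, where no iptables binary is consulted).
    if [ -n "${DRY_RUN:-}" ] || ! iptables -C FORWARD -j "$CHAIN" 2>/dev/null; then
        ipt -A FORWARD -j "$CHAIN"
    fi
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) DRY_RUN=1; apply_rules ;;
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```

Run `sh block.sh preview` to see the exact commands before applying them as root. One caveat: the question used `-I FORWARD`, which inserts at the top, while the answer uses `-A FORWARD -j DROP_BAD_HOSTS`, which appends. If FORWARD already contains an ACCEPT rule that matches this traffic, an appended jump is never reached; in that case insert the jump at the position the original `-I` rules occupied (for example `iptables -I FORWARD 1 -j DROP_BAD_HOSTS`) and verify with `iptables -L FORWARD -n --line-numbers`.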
"as there are other rules that apply as well"
What are the other rules? Do they apply to the .99 subnet, or to 192.168.0.0/16?
If they only apply to the .99 subnet, you just have to move them up, above these two rules.
Create a new chain:
iptables -N subnet1
Direct the exception network to the new chain:
iptables -I FORWARD -i br0.105 -d 192.168.99.0/24 -j subnet1
Apply other rules to traffic in that chain:
iptables -I subnet1 ... -j DROP/ACCEPT