Joined: 20 Jul 2014
Posted: Sun Jul 20, 2014 20:42 Post subject: iptables to block ip address - best way
I want to block certain IP ranges and I want to do it with best performance. I know that iptables restricts the flow of ip traffic and that save firewall persists. I just don't want to throw in something that simply "works", but rather "works best". I am trying to limit my kid's "covet fashion" addiction.
Should I specify -d or -s (they both work - I tested)
iptables -I FORWARD -s 220.127.116.11/13 -j DROP
iptables -I FORWARD -d 18.104.22.168/13 -j DROP
Will I gain performance by adding my network with a -s or -d? (Internally, does the lack of -s or -d for my network equate to 0.0.0.0 through 255.255.255.255?)
iptables -I FORWARD -s 10.0.2.0/24 -d 22.214.171.124/13 -j DROP
iptables -I FORWARD -d 10.0.2.0/24 -s 126.96.36.199/13 -j DROP
What about REJECT vs DROP?
iptables -I FORWARD -s 10.0.2.0/24 -d 188.8.131.52/13 -j REJECT
Is FORWARD the best chain to be using? Would OUTPUT, INPUT, lan2wan even work, perform better (perhaps with a -A instead of -I)?
On another note, does anyone know if I can pull these out of a mysql table with a script and a nicely crafted shell command? Maybe I can add some minimal set of mysql binaries to ddwrt in some way. Would also like to do this mysql with syslogd as well, make the syslogd output go to a mysql table. A page with some approximate help would be great. Don't want to reinvent the wheel if I don't have to. Maybe someday automate a spammer DB or eliminate some of the more thefty countries.
Per Yngve Berg
Joined: 13 Aug 2013
Location: Romerike, Norway
Posted: Tue Jul 29, 2014 7:50 Post subject:
FORWARD handles packets routed through the router, i.e. from LAN to WAN.
INPUT/OUTPUT handle packets addressed to the router itself, i.e. like using the administration GUI.
DROP just drops the packet, while REJECT sends a reject answer to the source.
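An added example, not code from either poster: a small POSIX sh function that turns a plain text list of ranges (the same shape a database query could export) into FORWARD-chain DROP rules, keeping the -s LAN restriction from the question and skipping malformed entries. The LAN network 10.0.2.0/24 and the sample ranges are constructed values, and the `iptables -C` existence check assumes an iptables build that supports it.

```shell
#!/bin/sh
# build_block_rules LAN_CIDR < list.txt
# Reads one destination CIDR per line from stdin ('#' comments and blank
# lines ignored, duplicates collapsed) and prints, without applying, one
# FORWARD DROP rule per range limited to traffic sourced from the LAN.
# Review the output, then pipe it to sh on the router to apply it.
build_block_rules() {
    lan="$1"
    sort -u | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while IFS= read -r net; do
        # Only digits, dots and a single slash are accepted as a range.
        case $net in
            *[!0-9./]*|*/*/*)
                printf 'skipping invalid entry: %s\n' "$net" >&2
                continue ;;
        esac
        # -C exits non-zero when the rule is absent, so re-running the
        # generated script never inserts the same rule twice.
        printf 'iptables -C FORWARD -s %s -d %s -j DROP 2>/dev/null || ' "$lan" "$net"
        printf 'iptables -I FORWARD -s %s -d %s -j DROP\n' "$lan" "$net"
    done
}

# Constructed sample list (not the poster's real ranges).
printf '# blocklist\n220.127.116.11/13\n18.104.22.168/13\n' | build_block_rules 10.0.2.0/24
```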