[lolcocks]

Hello,

I am running DD-WRT on my R6400.
I want to disable WAN to a single IP address, lets say 10.0.0.2 for instance.

It's wired but from the R6400 router, it goes to a switch and then the PC.

How can I completely disable internet access to it? I don't even want a single packet to hit the internet from that machine.

[egc]

[lolcocks]

[Wildlion]

iptables -I FORWARD -s 10.0.0.2 -j REJECT --reject-with tcp-reset


This will prevent any packets from that IP address getting forwarded across the NAT router to the internet

This will not prevent packets from being relayed on the switch, since those will not go through the firewall, for that you would need to reconfigure the switch (using something like vlans)

[Per Yngve Berg]

iptables -I FORWARD -s 10.0.0.2 -o `get_wanface` -j REJECT --reject-with tcp-reset

Specify an output interface to prevent traffic to other parts of your network to be blocked.

[pault99]

Remove the Gateway from the static NIC settings on that PC / Laptop.

Providing the PC is logged in as a user, and not Administrator then they will not be able to modify the NIC settings.

[Alozaros]

more elegant way...

iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s 10.0.0.2 -j REJECT
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p udp -s 10.0.0.2 -j REJECT

if you need it like that, it will still have the LAN, but no WAN access

or

iptables -I FORWARD -i br0 -s 10.0.0.2 -o `get_wanface` -j REJECT

we have to assume, you have only br0 (Switch + WiFi),otherwise you have to use the default interface...that is concerned...