iptables to block ip address - best way

DD-WRT Forum Forum Index -> Advanced Networking
rsandoz
DD-WRT Novice


Joined: 20 Jul 2014
Posts: 1

PostPosted: Sun Jul 20, 2014 20:42    Post subject: iptables to block ip address - best way
I want to block certain IP ranges and I want to do it with best performance. I know that iptables restricts the flow of ip traffic and that save firewall persists. I just don't want to throw in something that simply "works", but rather "works best". I am trying to limit my kid's "covet fashion" addiction.

Should I specify -d or -s (they both work - I tested)
iptables -I FORWARD -s 184.24.0.0/13 -j DROP
iptables -I FORWARD -d 184.24.0.0/13 -j DROP

Will I gain performance by adding my network with a -s or -d? (Internally, does the lack of -s or -d for my network equate to 0.0.0.0 through 255.255.255.255?)
iptables -I FORWARD -s 10.0.2.0/24 -d 184.24.0.0/13 -j DROP
iptables -I FORWARD -d 10.0.2.0/24 -s 184.24.0.0/13 -j DROP

What about REJECT vs DROP?
iptables -I FORWARD -s 10.0.2.0/24 -d 184.24.0.0/13 -j REJECT

Is FORWARD the best chain to be using? Would OUTPUT, INPUT, lan2wan even work, perform better (perhaps with a -A instead of -I)?

On another note, does anyone know if I can pull these out of a mysql table with a script and a nicely crafted shell command? Maybe I can add some minimal set of mysql binaries to ddwrt in some way. Would also like to do this mysql with syslogd as well, make the syslogd output go to a mysql table. A page with some approximate help would be great. Don't want to reinvent the wheel if I don't have to. Maybe someday automate a spammer DB or eliminate some of the more thefty countries.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5858
Location: Romerike, Norway

PostPosted: Tue Jul 29, 2014 7:50    Post subject:
FORWARD handles packets routed through the router, i.e. from LAN to WAN.

INPUT/OUTPUT handle packets addressed to the router, i.e. like using the administration GUI.

DROP just drops the packet, while REJECT sends a reject answer to the source.
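Putting the reply's chain semantics into practice, here is an added example (not from the thread or from DD-WRT) that generates FORWARD rules for a list of blocked ranges in both directions, validates each CIDR before it is used, and applies rules only when they are not already present. It assumes the LAN subnet 10.0.2.0/24 from the question; DROP is used rather than REJECT so the blocked side gets no answer.

```shell
#!/bin/sh
# Added example: build and apply FORWARD DROP rules for a list of CIDR ranges.
# FORWARD is used because the traffic is routed LAN <-> WAN, not addressed to the router.
LAN_NET="${LAN_NET:-10.0.2.0/24}"   # assumption: the LAN subnet named in the question

# Return 0 if $1 is a dotted-quad CIDR such as 184.24.0.0/13, else 1.
valid_cidr() {
  case "$1" in
    *[!0-9./]*|*/*/*|*..*|.*|*.|/*|*/) return 1 ;;   # bad characters or shape
    */*) ;;                                          # has exactly one "/"
    *) return 1 ;;                                   # no prefix length at all
  esac
  prefix="${1#*/}"; addr="${1%/*}"
  [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
  n=0; oldifs="$IFS"; IFS=.
  for o in $addr; do                                 # one octet per loop, must be 0..255
    n=$((n + 1))
    [ "$o" -le 255 ] 2>/dev/null || { IFS="$oldifs"; return 1; }
  done
  IFS="$oldifs"
  [ "$n" -eq 4 ]
}

# Read CIDRs from stdin (blank lines and "#" comments ignored) and print two rules
# per range: LAN -> range and range -> LAN. Invalid entries are reported and skipped.
# -I inserts at the top of FORWARD so the DROP is evaluated before any ACCEPT rule.
build_block_rules() {
  while IFS= read -r cidr; do
    case "$cidr" in ''|'#'*) continue ;; esac
    if ! valid_cidr "$cidr"; then
      echo "skipping invalid CIDR: $cidr" >&2
      continue
    fi
    echo "iptables -I FORWARD -s $LAN_NET -d $cidr -j DROP"
    echo "iptables -I FORWARD -s $cidr -d $LAN_NET -j DROP"
  done
}

# Apply the generated rules idempotently: "iptables -C" checks whether an identical
# rule already exists, so re-running the script does not pile up duplicates.
apply_block_rules() {
  build_block_rules | while IFS= read -r rule; do
    check="${rule#iptables -I }"        # "FORWARD -s ... -j DROP", split on purpose
    iptables -C $check 2>/dev/null || eval "$rule"
  done
}

# Dry run:   printf '184.24.0.0/13\n' | build_block_rules
# On router: printf '184.24.0.0/13\n' | apply_block_rules   (needs root)
```

To persist the result on DD-WRT, save the same commands in the firewall script rather than running them once by hand.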