Eric wrote: Try using:
iptables -I FORWARD -s 192.168.0.200 -d 192.168.0.0/24 -j ALIEN_1
Thanks Eric, good points. So now I'm doing this:
iptables -N ALIEN_1
iptables -I FORWARD -s 192.168.0.200 -d 192.168.0.0/24 -j ALIEN_1
iptables -A ALIEN_1 -j LOG --log-level info --log-prefix "ALIEN 1 -- DENY "
iptables -A ALIEN_1 -j DROP
Unfortunately, I can still ping any machine on the network from that machine (192.168.0.200). So, checking the FORWARD chain with:
iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target               prot opt in     out    source           destination
1      571  673K bw_ingress           all  --  eth0.1 *      0.0.0.0/0        0.0.0.0/0
2        0     0 REJECT               all  --  *      *      0.0.0.0/0        0.0.0.0/0        CONNMARK match 0x8000/0x8000 reject-with icmp-port-unreachable
3      589  674K ingress_restrictions all  --  eth0.1 *      0.0.0.0/0        0.0.0.0/0
4      466 67941 egress_restrictions  all  --  *      eth0.1 0.0.0.0/0        0.0.0.0/0
5        0     0 ALIEN_1              all  --  *      *      192.168.0.200    192.168.0.0/24
6     1100  753K zone_wan_MSSFIX      all  --  *      *      0.0.0.0/0        0.0.0.0/0
7     1091  753K ACCEPT               all  --  *      *      0.0.0.0/0        0.0.0.0/0        state RELATED,ESTABLISHED
8       14  1054 forwarding_rule      all  --  *      *      0.0.0.0/0        0.0.0.0/0
9       14  1054 forward              all  --  *      *      0.0.0.0/0        0.0.0.0/0
10       0     0 reject               all  --  *      *      0.0.0.0/0        0.0.0.0/0
I can see we are certainly no longer at the end of the chain, but at line 5. Is this still too late? And if so, is that caused by firewall.user being included later in /etc/config/firewall?
BTW, the intention of this is to give one machine internet access only, and not let it see any other machine on the same network. I'm assuming it needs to see the router itself at 192.168.0.1.
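Editor's note, added to this thread and not part of any of the posts above: the zero in the pkts column of rule 5 is the telling part. The jump already sits ahead of the RELATED,ESTABLISHED accept (rule 7), so position is not the problem; the rule simply never sees the pings. Hosts in the same 192.168.0.0/24 segment reach each other over the router's LAN bridge or switch at layer 2, and the router's IP stack, and with it the FORWARD chain, only handles packets that are routed between interfaces. Traffic to the router's own 192.168.0.1 goes through INPUT, not FORWARD, so this rule would not block it either way. Isolating one client on a flat LAN needs bridge-level filtering (ebtables, or br_netfilter with bridge-nf-call-iptables=1 so bridged IPv4 frames pass through iptables), and wired ports that share a VLAN on the router's hardware switch never reach the CPU at all, so the clean fix is a separate subnet/VLAN or a guest SSID with client isolation. The script below is an added example, not OpenWrt's or fw3's own tooling: it parses a saved `iptables -vnL FORWARD --line-numbers` listing (the one pasted above, embedded as sample input) and tells the two failure modes apart, "rule is too late" versus "rule is early enough but nothing traverses FORWARD", without needing root or iptables on the machine that runs it.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenWrt/fw3):
# check whether an isolation jump in the FORWARD chain is placed early
# enough and whether it is actually matching, from a saved listing of
#   iptables -vnL FORWARD --line-numbers
# Nothing here calls iptables, so it runs unprivileged.

# Sample input: the FORWARD listing pasted in the post, embedded verbatim.
SAMPLE_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 571 673K bw_ingress all -- eth0.1 * 0.0.0.0/0 0.0.0.0/0
2 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x8000/0x8000 reject-with icmp-port-unreachable
3 589 674K ingress_restrictions all -- eth0.1 * 0.0.0.0/0 0.0.0.0/0
4 466 67941 egress_restrictions all -- * eth0.1 0.0.0.0/0 0.0.0.0/0
5 0 0 ALIEN_1 all -- * * 192.168.0.200 192.168.0.0/24
6 1100 753K zone_wan_MSSFIX all -- * * 0.0.0.0/0 0.0.0.0/0
7 1091 753K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 14 1054 forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0
9 14 1054 forward all -- * * 0.0.0.0/0 0.0.0.0/0
10 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0'

# rule_status CHAIN < listing
# Prints "<rule number> <packets matched> <yes|no>"; the last field says
# whether the jump is placed before the RELATED,ESTABLISHED ACCEPT (if it
# is not, packets of already-accepted flows bypass it). Exits 1 and prints
# "absent" when CHAIN is not referenced from FORWARD at all.
rule_status() {
  awk -v chain="$1" '
    $1 ~ /^[0-9]+$/ {                          # skip "Chain ..." and the header
      if ($4 == chain) { num = $1; pkts = $2 }  # $4 is the target column
      if ($4 == "ACCEPT" && /RELATED,ESTABLISHED/) est = $1
    }
    END {
      if (num == "") { print "absent"; exit 1 }
      before = (est == "" || num + 0 < est + 0) ? "yes" : "no"
      print num, pkts, before
    }'
}

# diagnose CHAIN < listing
# Turns the three fields into the conclusion a practitioner wants.
diagnose() {
  chain=$1
  status=$(rule_status "$chain") || { echo "$chain is not referenced from FORWARD"; return 1; }
  set -- $status
  if [ "$3" = no ]; then
    echo "rule $1 ($chain) sits after the RELATED,ESTABLISHED accept: move it up"
  elif [ "$2" = 0 ]; then
    echo "rule $1 ($chain) is early enough but matched 0 packets: this traffic never traverses FORWARD (same-subnet hosts talk over the bridge/switch, not through the router)"
  else
    echo "rule $1 ($chain) matched $2 packets"
  fi
}

# Run both checks against the listing from the post.
sample_status() { printf '%s\n' "$SAMPLE_LISTING" | rule_status ALIEN_1; }
check_sample()  { printf '%s\n' "$SAMPLE_LISTING" | diagnose ALIEN_1; }

check_sample
```

On a live router you would feed it the real listing instead: `iptables -vnL FORWARD --line-numbers | diagnose ALIEN_1`. A growing pkts count on the ALIEN_1 row means the rule is doing its job; a count stuck at 0 while the pings succeed means the packets are being switched below the IP layer, and no FORWARD rule, however early, will catch them.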