blocking traffic to destination network by port

herot · December 7, 2011, 9:12am

I am trying to block ALL traffic except when from ports 9100,22,23 to destination network 192.0.0.0 (my WAN): 2 networks 192.0.3.0 with static route to 192.0.0.0

Shouldn't this work?:

iptables -A INPUT -p tcp -d 192.0.0.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d 192.0.0.0/24 --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -d 192.0.0.0/24 --dport 9100 -j ACCEPT
iptables -A INPUT -d 192.0.0.0/24 -j DROP

I tried it but it blocked everything on my router and cut off internet access.
Should I but the "DROP" line before the "ACCEPT" lines?

jim_mcnamara · December 7, 2011, 6:10pm

DROP supercedes the previous lines. No traffic will be allowed. Yes, try moving it above the ACCEPT lines.

herot · December 8, 2011, 9:09am

what worries me is why it cut off all internet access on the 192.0.3.0... I only wanted affect traffic to the 192.0.0.0?

---------- Post updated 12-08-11 at 09:09 AM ---------- Previous update was 12-07-11 at 09:44 PM ----------

OK, I can't get this to work at all:

iptables -A INPUT -d 192.0.0.0/24 -j DROP

But the traffic is still getting through from 192.0.3.0/24 to 192.0.0.0/24 ??

What is the correct command to stop that traffic?

Corona688 · December 8, 2011, 10:09am

Why? Aren't they executed in order? Why won't it reach the ACCEPT lines first?