5 Mayıs 2020 Salı

Block range of RFC1918 from external interface

We have to find out the external interface. You can find by ip route get 8.8.8.8 command. You will see a multi-column row after the run. The 5th value of this row shows your external interface. You can also get the interface name by using awk command as shown below.  We exporting interface name to make process easier. You can block RFC1918 subnets from the external interface to prevent these to go out by command that I prepared below. You can also replace $INET_IFACE variable by hard-coded way such as eth0. I found my external by this command: ip route get 8.8.8.8 | awk -- '{printf $5}'

export INET_IFACE=$(ip route get 8.8.8.8 | awk -- '{printf $5}')
iptables -A FORWARD -o $INET_IFACE -d 10.0.0.0/8 -j REJECT 
iptables -A FORWARD -o $INET_IFACE -d 172.16.0.0/12 -j REJECT 
iptables -A FORWARD -o $INET_IFACE -d 192.168.0.0/16 -j REJECT
iptables -A FORWARD -o $INET_IFACE -d 100.64.0.0/10 -j REJECT
iptables -A FORWARD -o $INET_IFACE -d 169.254.0.0/16 -j REJECT

Hard-coded way:

iptables -A FORWARD -o eth0 -d 10.0.0.0/8 -j REJECT 
iptables -A FORWARD -o eth0 -d 172.16.0.0/12 -j REJECT 
iptables -A FORWARD -o eth0 -d 192.168.0.0/16 -j REJECT
iptables -A FORWARD -o eth0 -d 100.64.0.0/10 -j REJECT
iptables -A FORWARD -o eth0 -d 169.254.0.0/16 -j REJECT
Share: