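# Regression script for the iptables "iprange" match
# (-m iprange --src-range / --dst-range, plain and negated with "!"),
# written in the command syntax of the netfilter simulator (route /
# iptables / expect / gen_ip).
#
# Each scenario inserts one rule at the top of a filter chain, declares the
# verdict the next generated packet must receive at the named hook
# ("expect gen_ip hook:<hook> iptable_filter <verdict> {<packet>}"), then
# injects that packet with gen_ip.  The chain is flushed after every
# scenario so each expectation is decided by the rule under test alone.
# Without the flush the rules accumulate: the DROP rule from scenario 1
# (src 10.0.0.0-10.0.0.5) already drops the 10.0.0.2 -> 192.168.0.1 packet
# used by scenarios 3 and 5, and the FORWARD rule from scenario 4 already
# drops the packet of scenario 6, so those expectations were satisfied even
# if the match being tested never fired.
#
# gen_ip argument order as used here: IF=<ingress iface> <src> <dst> <third
# field, 0 in every case - presumably TOS, confirm> <proto> <sport> <dport>
# <tcp flags>; the expected packet in braces carries the same values with
# the numeric protocol (6 = tcp).  Which hook a packet reaches is decided by
# the simulator's routing: 192.168.0.1 behaves as a local address
# (NF_IP_LOCAL_IN) and 10.0.0.1 does not (NF_IP_FORWARD) - verify against
# the interface setup if this script is moved to another configuration.

# Initial scenario: give a route for FORWARD'ed packets.
route add 0.0.0.0/0 eth1

# 1. Source address belongs to the range -> DROP.
iptables -I INPUT -m iprange --src-range 10.0.0.0-10.0.0.5 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 10.0.0.2 192.168.0.1 0 6 1 2 SYN}
gen_ip IF=eth0 10.0.0.2 192.168.0.1 0 tcp 1 2 SYN
iptables -F INPUT

# 2. Source address does not belong to the range (negated match) -> ACCEPT.
# NOTE: the chain has no DROP fall-through, so this only shows the negated
# match does not break traversal; it cannot distinguish ACCEPT-by-rule from
# ACCEPT-by-default-policy.
iptables -I INPUT -m iprange ! --src-range 10.0.0.0-10.0.0.5 -j ACCEPT
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_ACCEPT {IPv4 192.168.0.2 192.168.0.1 0 6 1 2 SYN}
gen_ip IF=eth0 192.168.0.2 192.168.0.1 0 tcp 1 2 SYN
iptables -F INPUT

# 3. Destination address belongs to the range -> DROP.
iptables -I INPUT -m iprange --dst-range 192.168.0.0-192.168.0.255 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 10.0.0.2 192.168.0.1 0 6 1 2 SYN}
gen_ip IF=eth0 10.0.0.2 192.168.0.1 0 tcp 1 2 SYN
iptables -F INPUT

# 4. Destination address does not belong to the range (negated match) -> DROP.
# Destination 10.0.0.1 is not local, so the packet is forwarded via the
# default route added above and is seen in FORWARD.
iptables -I FORWARD -m iprange ! --dst-range 192.168.0.0-192.168.0.255 -j DROP
expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 10.0.0.2 10.0.0.1 0 6 1 2 SYN}
gen_ip IF=eth0 10.0.0.2 10.0.0.1 0 tcp 1 2 SYN
iptables -F FORWARD

# 5. Both source and destination belong to their ranges -> DROP.
iptables -I INPUT -m iprange --src-range 10.0.0.0-10.0.0.5 --dst-range 192.168.0.0-192.168.0.255 -j DROP
expect gen_ip hook:NF_IP_LOCAL_IN iptable_filter NF_DROP {IPv4 10.0.0.2 192.168.0.1 0 6 1 2 SYN}
gen_ip IF=eth0 10.0.0.2 192.168.0.1 0 tcp 1 2 SYN
iptables -F INPUT

# 6. Neither source nor destination belongs (both negated) -> DROP.
# Both negations must match: 192.168.0.1 is outside 10.0.0.0-10.0.0.5 and
# 10.0.0.2 is outside 192.168.0.0-192.168.0.255.
iptables -I FORWARD -m iprange ! --src-range 10.0.0.0-10.0.0.5 ! --dst-range 192.168.0.0-192.168.0.255 -j DROP
expect gen_ip hook:NF_IP_FORWARD iptable_filter NF_DROP {IPv4 192.168.0.1 10.0.0.2 0 6 1 2 SYN}
gen_ip IF=eth0 192.168.0.1 10.0.0.2 0 tcp 1 2 SYN
iptables -F FORWARD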