netfilter.vger.kernel.org archive mirror
* How to block all packets not destined to local IP's ?
@ 2012-10-18  1:29 U.Mutlu
  2012-10-18  2:04 ` U.Mutlu
  0 siblings, 1 reply; 3+ messages in thread
From: U.Mutlu @ 2012-10-18  1:29 UTC (permalink / raw)
  To: netfilter

Subtitle: [xtables geoip] rules not applied to packets for non-configured IP's

Hi,
from the router link (just 1 link) I'm getting traffic for multiple IPs
(a quasi multihomed system, actually a host node and multiple virtual systems therein),
which is correct as such, but is there a way to drop all packets to IPs
that are actually not configured on the local system?
Is there a better way than writing a drop/reject rule for each such IP?

And related to this, I think there is a bug in xtables geoip
because if there is a packet for such a not-configured IP
then the iptables rules (at least geoip rules) aren't applied to such packets.
How to fix this?

Confirmation, fixes and workarounds welcome. Thx.



* Re: How to block all packets not destined to local IP's ?
  2012-10-18  1:29 How to block all packets not destined to local IP's ? U.Mutlu
@ 2012-10-18  2:04 ` U.Mutlu
  2012-10-18  3:36   ` U.Mutlu
  0 siblings, 1 reply; 3+ messages in thread
From: U.Mutlu @ 2012-10-18  2:04 UTC (permalink / raw)
  To: netfilter

I solved the problem in 2 steps, in that order:
   drop all packets to unwanted dest IPs
   drop all packets from unwanted CCs

If the IPs are consecutive then one can use the range option of iptables, like this:
   iptables -A INPUT -m iprange --dst-range x.x.x.210-x.x.x.219 -j DROP

I.e.:
   iptables -A INPUT -m iprange --dst-range x.x.x.210-x.x.x.219 -j DROP
   ...
   iptables -A INPUT -m geoip --src-cc CN -j DROP
   ...


U.Mutlu wrote, On 10/18/2012 03:29 AM:
> Subtitle: [xtables geoip] rules not applied to packets for non-configured IP's
>
> Hi,
> from the router link (just 1 link) I'm getting traffic for multiple IPs
> (a quasi multihomed system, actually a host node and multiple virtual systems therein),
> which is correct as such, but is there a way to drop all packets to IPs
> that are actually not configured on the local system?
> Is there a better way than writing a drop/reject rule for each such IP?
>
> And related to this, I think there is a bug in xtables geoip
> because if there is a packet for such a not-configured IP
> then the iptables rules (at least geoip rules) aren't applied to such packets.
> How to fix this?
>
> Confirmation, fixes and workarounds welcome. Thx.




* Re: How to block all packets not destined to local IP's ?
  2012-10-18  2:04 ` U.Mutlu
@ 2012-10-18  3:36   ` U.Mutlu
  0 siblings, 0 replies; 3+ messages in thread
From: U.Mutlu @ 2012-10-18  3:36 UTC (permalink / raw)
  To: netfilter

U.Mutlu wrote, On 10/18/2012 04:04 AM:
> I solved the problem in 2 steps, in that order:
>    drop all packets to unwanted dest IPs
>    drop all packets from unwanted CCs
>
> If the IPs are consecutive then one can use the range option of iptables, like this:
>    iptables -A INPUT -m iprange --dst-range x.x.x.210-x.x.x.219 -j DROP
>
> I.e.:
>    iptables -A INPUT -m iprange --dst-range x.x.x.210-x.x.x.219 -j DROP
>    ...
>    iptables -A INPUT -m geoip --src-cc CN -j DROP
>    ...

Correction: since all packets to non-local IPs go through the FORWARD chain,
the above example must be changed to:
      iptables -A FORWARD -m iprange --dst-range x.x.x.210-x.x.x.219 -j DROP


> U.Mutlu wrote, On 10/18/2012 03:29 AM:
>> Subtitle: [xtables geoip] rules not applied to packets for non-configured IP's
>>
>> Hi,
>> from the router link (just 1 link) I'm getting traffic for multiple IPs
>> (a quasi multihomed system, actually a host node and multiple virtual systems therein),
>> which is correct as such, but is there a way to drop all packets to IPs
>> that are actually not configured on the local system?
>> Is there a better way than writing a drop/reject rule for each such IP?
>>
>> And related to this, I think there is a bug in xtables geoip
>> because if there is a packet for such a not-configured IP
>> then the iptables rules (at least geoip rules) aren't applied to such packets.
>> How to fix this?

...because they go through the FORWARD chain, not the INPUT chain!... :-)

Problem solved.



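The two steps from the replies above (drop traffic for destinations this host does not serve, then apply the country filter), written out as an added example that is not code from the thread. It builds an iptables-restore ruleset instead of one DROP rule per unwanted address: the served guest addresses live in an ipset, and the geoip rule sits in a user chain that both INPUT and FORWARD jump to, so the packets that take the FORWARD path are filtered as well. The interface name eth0, the set name guest_ips and the 192.0.2.x addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the poster's code). Emits, and with "apply" loads, an ipset plus an
# iptables filter table that (1) drops forwarded packets arriving on the router link whose
# destination is not one of the guest addresses behind this host and (2) applies the
# geoip country filter on both the INPUT and the FORWARD path.
set -eu

WAN_IF="eth0"            # assumed: the single router link
GUEST_SET="guest_ips"    # assumed: hash:ip set of the addresses routed to the guests
BLOCKED_CC="CN"          # country code used in the thread

# Emit an "ipset restore" script for the guest addresses given as arguments.
build_ipset() {
    printf 'create %s hash:ip family inet -exist\n' "$GUEST_SET"
    for ip in "$@"; do
        printf 'add %s %s -exist\n' "$GUEST_SET" "$ip"
    done
}

# Emit the filter table in iptables-restore format. Notes on the rules:
#  - geoblock is a user chain so the geoip match is written once and reached from both
#    INPUT (host traffic) and FORWARD (guest traffic); an INPUT-only rule never sees the
#    forwarded packets.
#  - the set check is limited to packets entering on $WAN_IF, otherwise the guests' own
#    outbound traffic (destination = some remote address) would be dropped too.
#  - "! --match-set ... dst" replaces one DROP rule per unconfigured IP or range.
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:geoblock - [0:0]
-A geoblock -m geoip --src-cc ${BLOCKED_CC} -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${WAN_IF} -j geoblock
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${WAN_IF} -m set ! --match-set ${GUEST_SET} dst -j DROP
-A FORWARD -i ${WAN_IF} -j geoblock
COMMIT
EOF
}

# Load the set, syntax-check the table, then load it. Needs root, ipset, and the
# xtables-addons geoip match. Only runs when invoked as: sh script.sh apply <guest-ip>...
apply_ruleset() {
    build_ipset "$@" | ipset restore
    build_ruleset | iptables-restore --test
    build_ruleset | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    shift
    apply_ruleset "$@"
fi
```

Running `sh script.sh` without arguments only defines the functions; `sh script.sh apply 192.0.2.10 192.0.2.11` loads the set and the table. One caveat the thread's correction implies: the FORWARD rules only ever see traffic when net.ipv4.ip_forward is enabled on the host; with forwarding off, packets for addresses the host neither owns nor forwards are discarded by the stack before any chain and no rule is needed for them.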
