Isolate misbehaving IP on wlan

Got problems with your B2 or B3? Share and get helped!
Ancan
Posts: 16
Joined: 17 May 2011, 11:52

Isolate misbehaving IP on wlan

Post by Ancan » 28 Feb 2012, 12:51

Hi all,

We have a device that I for different reasons want to be able to isolate from the network from time to time, and I want to do this programmatically from the bubba (which is our router/firewall). The device has IP address 192.168.0.77 and is on the WLAN.

I've tried blackhole routing with:

route add -host 192.168.0.77 gw 127.0.0.1

But it doesn't seem to take.

Then I tried adding a drop-rule using iptables:

iptables -A INPUT -s 192.168.0.77 -j DROP

Didn't work either. meh...

Anyone got any ideas?

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Isolate misbehaving IP on wlan

Post by Ubi » 28 Feb 2012, 17:15

I think you missed the "lo" on the end of your route statement.
How does this work?

route add -host IP-ADDRESS reject
netstat -nr
route -n
?
(source: http://www.cyberciti.biz/tips/how-do-i- ... outes.html)

Ancan
Posts: 16
Joined: 17 May 2011, 11:52

Re: Isolate misbehaving IP on wlan

Post by Ancan » 01 Mar 2012, 14:04

Ty. I haven't been able to test yet, but will as soon as I can.

Ancan
Posts: 16
Joined: 17 May 2011, 11:52

Re: Isolate misbehaving IP on wlan

Post by Ancan » 05 Mar 2012, 11:52

Grrr, it doesn't work. I can block it from getting an address from DHCP, but once it's up and running it seems to sneak by the routing tables to the internet. Neither iptables nor route seems to affect it once it's up.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Isolate misbehaving IP on wlan

Post by Ubi » 05 Mar 2012, 16:13

So you see the traffic appear in iptraf? It almost sounds like there is another routing device on your network.

kenned
Posts: 12
Joined: 27 Feb 2011, 13:55

Re: Isolate misbehaving IP on wlan

Post by kenned » 21 Mar 2012, 05:51

The INPUT chain in iptables is for traffic to the b3 itself - connecting to its web server or its Samba server etc.
So when you DROP packets from the offending IP in the INPUT chain it just means the b3 will not serve stuff to it.

You want to block it in the FORWARD chain instead, which is where the b3 does the NAT/routing stuff.
Something like

iptables -I FORWARD 1 -s 192.168.0.77 -j DROP
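As an added example (not code from this thread or from the b3 firmware), here is a small POSIX sh script that turns the FORWARD-chain advice into something repeatable: it validates the address, builds an iptables-restore fragment that drops traffic both from and to the host at the head of FORWARD, and applies or withdraws it with `--noflush` so the rest of the ruleset is untouched. The address is the one from the thread; the script name is hypothetical. Note what a router rule can and cannot do: it only stops what the router forwards, so hosts on the same WLAN segment still reach each other at layer 2, and if there is a second gateway on the segment (as suggested upthread) a client can route through that instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Isolates one LAN/WLAN host at a
# Linux router by putting DROP rules at the head of the FORWARD chain (the
# chain that routed and NATed traffic traverses); a rule in INPUT only stops
# the host from talking to the router itself. Applying rules requires root.

# Accept only a dotted-quad IPv4 address, so that a stray argument such as
# "192.168.0.77 -j ACCEPT" cannot be spliced into the rule text.
valid_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit an iptables-restore fragment that adds ("add") or deletes ("del") a
# DROP rule in each direction for the host. Inserting at position 1 matters:
# a common "ACCEPT -m state --state ESTABLISHED,RELATED" rule earlier in
# FORWARD would otherwise keep the host's already-open connections flowing.
isolation_rules() {
    case $1 in
        add) verb="-I FORWARD 1" ;;
        del) verb="-D FORWARD" ;;
        *)   echo "isolation_rules: expected add|del" >&2; return 2 ;;
    esac
    valid_ipv4 "$2" || { echo "isolation_rules: bad IPv4 address '$2'" >&2; return 2; }
    printf '*filter\n%s -s %s -j DROP\n%s -d %s -j DROP\nCOMMIT\n' \
        "$verb" "$2" "$verb" "$2"
}

# Apply the fragment atomically; --noflush keeps the rest of the ruleset intact.
isolate_host() {
    rules=$(isolation_rules add "$1") || return $?
    printf '%s\n' "$rules" | iptables-restore --noflush
}

release_host() {
    rules=$(isolation_rules del "$1") || return $?
    printf '%s\n' "$rules" | iptables-restore --noflush
}

# Show the DROP rules currently present in FORWARD (iptables -S prints them
# in command form, e.g. "-A FORWARD -s 192.168.0.77/32 -j DROP").
list_isolated() {
    iptables -S FORWARD | grep -- '-j DROP$'
}

# Usage (hypothetical file name): sh isolate.sh add|del|list 192.168.0.77
case ${1:-} in
    add)  isolate_host "$2" ;;
    del)  release_host "$2" ;;
    list) list_isolated ;;
esac
```

Because the DROP sits at position 1 of FORWARD it catches packets of existing flows as well, so there is no need to flush conntrack entries after isolating the host; `sh isolate.sh del 192.168.0.77` removes exactly the two rules that `add` inserted.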
