Tuesday, March 25, 2014

Iptables Basics III

This post is a continuation of the previous post on some of the basic functions of the Linux firewall.

To block traffic at layer 2 by mac address, execute:

iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP

-m mac - loads an extension match module that tests the packet for a specific property.  You can list the command line options a module accepts by adding -h after the "-m mac" option; in this case --mac-source is the only option this module provides.  All available modules are described in the man page of iptables-extensions.  The mac match only sees frames arriving on an Ethernet interface, so it is only meaningful in the INPUT, FORWARD and PREROUTING chains.
--mac-source - source MAC address of the Ethernet frame to drop.  This is the address of the last hop on the local segment (a router rewrites it), so the rule only identifies hosts on the same LAN, and because a MAC address is easy to change it should not be relied on as authentication.

To block ping requests, execute:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

-p icmp - specifies the protocol of the packet to match.
--icmp-type - the type of ICMP packet to match.  A full list of possibilities can be seen by executing iptables -p icmp -h.  If you want to tell the sender that the ping was refused rather than silently dropping it, use -j REJECT in place of -j DROP; the REJECT target's --reject-with option selects which ICMP error is returned.

To block a range of addresses, execute:

iptables -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.10 -j DROP

-m iprange - loads the iprange extension module, which matches on a range of addresses.  You can list its options by adding -h after the "-m iprange" option; in this case --src-range and --dst-range are the only options this module provides.
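As an added example (not code from the original post), the following POSIX shell script applies the three rules above in a repeatable way: it validates the MAC address and the IPv4 range before using them, uses iptables -C to skip a rule that is already present so the script can be re-run without creating duplicates, and prints the INPUT chain with counters so you can confirm the rules are matching.  It assumes iptables is on PATH and that the script runs as root; the IPTABLES variable, the function names and the "apply" argument are this example's own conventions, not part of iptables.

```shell
#!/bin/sh
# Added example, not code from the original post: applies the three blocking
# rules described above idempotently, validating the addresses first.
# Assumes iptables is on PATH and the script runs as root when invoked with
# the "apply" argument; IPTABLES can be overridden to point at a test stub.
set -eu

IPTABLES="${IPTABLES:-iptables}"

# True if $1 is six colon-separated hex pairs, the form --mac-source expects.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Append a rule only when an identical one is absent. "iptables -C" exits 0
# when the rule already exists, so re-running the script adds no duplicates.
ensure_rule() {
    if "$IPTABLES" -C "$@" 2>/dev/null; then
        echo "exists: $*"
    else
        "$IPTABLES" -A "$@"
        echo "added:  $*"
    fi
}

# Layer 2 block by source MAC. The mac match only sees frames arriving on an
# Ethernet interface, so it belongs in INPUT, FORWARD or PREROUTING.
block_mac() {
    is_mac "$1" || { echo "not a MAC address: $1" >&2; return 1; }
    ensure_rule INPUT -m mac --mac-source "$1" -j DROP
}

# Drop ICMP echo requests (ping) while leaving other ICMP types alone.
block_ping() {
    ensure_rule INPUT -p icmp --icmp-type echo-request -j DROP
}

# Drop everything whose source lies in the inclusive range $1-$2.
block_range() {
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "bad range: $1-$2" >&2; return 1; }
    ensure_rule INPUT -m iprange --src-range "$1-$2" -j DROP
}

# List INPUT with packet/byte counters; rising counters on a DROP rule are
# the quickest confirmation that it is matching the traffic you expect.
show_input() {
    "$IPTABLES" -L INPUT -n -v --line-numbers
}

main() {
    block_mac   "00:11:22:33:44:55"  # sample address from the post
    block_ping
    block_range "1.1.1.1" "1.1.1.10" # sample range from the post
    show_input
}

# Only touch the firewall when explicitly asked: sh block.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as root with "sh block.sh apply"; with no argument it defines the functions and changes nothing.  A rule added this way is removed by repeating the same rule specification with -D in place of -A.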
