Blocking Users using IP addresses

Hi all,

My apologies if the same has been asked before. My problem is that I am
sharing my broadband connection with other users at home.

My MT details as follows

e1 Public IP address /30

e2 Private IP address /24
Public IP address /29

MT O/s ver 2.9 Routerboard 230

I have a number of users on both the Private and Public
range of IP addresses and would like to disconnect a user
when needed based on IP address and not mac address
if possible

If anyone has some suggestions, please advise

Thanks
Imran

Use the forward firewall chain:

ip firewall filter add chain=forward src-address=x.x.x.x action=drop

You may also want to do the same with the dst-address.

tim

Hi,

Thank you for the quick response. I have just tried that out and get a
bad source address message. My command is as follows:

ip firewall > add src-address=10.0.0.21 action=drop

Please advise

Thanks
Imran

In 2.9 you must set the filter chain. Do the command exactly like my example, and see if you still get the error.
ip firewall filter> add chain=forward src-address=10.0.0.21 action=drop

For the private IPs you may have to put the drop rule in the nat chain
ip firewall nat> src-address=10.0.0.21 action=drop


tim

Hi Tim

I got around by doing the following :-

ip firewall rule forward > add dst-address=10.0.0.21/24: 0-65000(ports)
action=drop

The same for src-address, and it worked

Will try out your suggestion and post

Thanks,
Imran

Are you using 2.8?

tim

Hi Tim,

Yes, I am using O/s ver 2.8 Router board 230

Thanks,
Imran

Hi Tim,

I have a new problem, layout as follows :-

E1 > Public IP add /30

E2 > Private 192.168.0.1/24, private 10.0.0.1/24, public x.x.x.x/29

I want to restrict users by using Queue/simple and have managed to control bandwidth being used

My problem is when I go to ip/firewall/rule/forward >
and use the command add dst-address 10.0.0.0/24:0-65000 action= deny
and add dst-address 10.0.0.100/24:0-65000 action= allow

Now what happens is that the whole block goes off and no one can
access the net. I want to block the whole subnet and only allow specific
IP addresses to access the net

Thanks
Imran

First put allow (accept) rules, then drop. And the subnet mask for one host is /32, like 10.0.0.100/32.
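
Why both parts of that advice matter, as an added example that is not part of the original thread: a small Python model of a first-match rule list, using the addresses from the posts above. It assumes rules are checked top to bottom, the first match decides, and unmatched traffic is accepted; the rule-set names and function names are made up for illustration.

```python
import ipaddress

# Constructed rule sets in (dst-address, action) form, modelling a forward
# chain that is evaluated top to bottom with the first matching rule deciding.
ORIGINAL = [("10.0.0.0/24", "deny"), ("10.0.0.100/24", "allow")]    # as posted
REORDERED_ONLY = [("10.0.0.100/24", "allow"), ("10.0.0.0/24", "deny")]
CORRECTED = [("10.0.0.100/32", "allow"), ("10.0.0.0/24", "deny")]   # as advised


def parse_rules(rules):
    """Turn (cidr, action) pairs into (network, action) pairs.

    strict=False models address/mask matching: the host bits are ignored,
    so 10.0.0.100/24 covers the whole of 10.0.0.0/24, not one host.
    """
    return [(ipaddress.ip_network(cidr, strict=False), action)
            for cidr, action in rules]


def verdict(rules, dst, default="allow"):
    """Return the action of the first rule whose network contains dst."""
    addr = ipaddress.ip_address(dst)
    for net, action in parse_rules(rules):
        if addr in net:
            return action
    return default  # assumption: traffic matching no rule is accepted


def allowed_hosts(rules, subnet="10.0.0.0/24"):
    """List the hosts in subnet that the rule set lets through."""
    return [str(h) for h in ipaddress.ip_network(subnet).hosts()
            if verdict(rules, str(h)) == "allow"]


if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL),
                        ("reordered only", REORDERED_ONLY),
                        ("corrected", CORRECTED)]:
        hosts = allowed_hosts(rules)
        print(f"{name:15} -> {len(hosts)} host(s) allowed", hosts[:3])
```

Reordering alone is not enough: with the /24 mask left on the allow rule, the allow matches every host in the subnet and the deny is never reached.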

Hi Yancho

Works like magic,

Thanks
Imran