OpenWrt Forum Archive

Topic: Trying to block user from IP range

The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Trying to set up a block for Yahoo Messenger. This app connects on various open ports, including 80, so the best way I can figure is to block the IP ranges used by Yahoo servers. Some research found a number of servers used for chat, including login.yahoo.com (69.147.112.160), but I can't seem to find the right way to filter these in iptables.

Here's a clip of my firewall.user file (White Russian 0.9) with the relevant commands.

#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule


#drop
iptables -t nat -A prerouting_rule  -s 66.163.0.0/16 -j DROP
iptables -t nat -A prerouting_rule  -s 67.195.186.0/24 -j DROP
iptables -t nat -A prerouting_rule  -s 68.142.230.0/24 -j DROP
iptables -t nat -A prerouting_rule  -s 69.147.112.0/24 -j DROP
iptables -t nat -A prerouting_rule  -s 98.136.112.0/24 -j DROP
iptables -t nat -A prerouting_rule  -s 208.69.32.0/24 -j DROP
iptables -t nat -A prerouting_rule  -s 216.136.0.0/16 -j DROP

I've also tried the above on the input_rule and output_rule, no success; after committing changes, I can still use a web browser and reach login.yahoo.com.

Something to try from someone blocking outbound successfully in WR0.9 (but I'm no expert)...

iptables -A forwarding_rule -i $LAN -o $WAN -d 69.147.112.0/24 -j DROP

This worked!  Thanks!
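
The rule from the reply extended to every range listed in the first post, as an added example that is not part of the original thread: it validates each range and prints the forwarding_rule commands for review instead of running them. The function names and the br0/vlan1 interface defaults are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Packets from a LAN client to Yahoo are
# routed through the router, so they cross forwarding_rule (FORWARD), not
# input_rule/output_rule, and the Yahoo range is their destination (-d).

# Ranges copied from the firewall.user excerpt in the first post.
YAHOO_RANGES="66.163.0.0/16 67.195.186.0/24 68.142.230.0/24 69.147.112.0/24
98.136.112.0/24 208.69.32.0/24 216.136.0.0/16"

# is_cidr ADDR/LEN: succeed only for a well-formed IPv4 network.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=.; set -- $addr; unset IFS      # split octets, then default splitting
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# emit_block_rules LAN_IF WAN_IF: print (do not run) one DROP rule per range,
# in the form given in the reply. Malformed entries are reported and skipped.
emit_block_rules() {
    lan=$1; wan=$2
    for net in $YAHOO_RANGES; do
        if is_cidr "$net"; then
            echo "iptables -A forwarding_rule -i $lan -o $wan -d $net -j DROP"
        else
            echo "skipping malformed range: $net" >&2
        fi
    done
}

# br0 and vlan1 are placeholder interface names; in firewall.user pass the
# $LAN and $WAN values read from nvram instead.
emit_block_rules "${LAN:-br0}" "${WAN:-vlan1}"
```

Once the printed rules look right, they can be pasted into firewall.user after the chain flushes.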

The discussion might have continued from here.