OpenWrt Forum Archive

Topic: [solved] Question - How Block specific IP ranges?

The content of this topic has been archived on 4 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi.

I want to block internet access for a specific range of IP addresses. Here are my network settings:

LAN range: 192.168.48.0/24
DHCP serves dynamic IPs in this range: 192.168.48.100-192.168.48.254
I want to block internet access for this range: 192.168.48.150-192.168.48.200

The thing is, I don't want to block the whole subnet, just part of it.
How can I do this? Is it possible via LuCI?
If not, is it possible by editing the uci config file "/etc/config/firewall", or should I use pure custom iptables commands?

BTW, this is my /etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

(Last edited by euphoria360 on 1 May 2016, 12:45)

OK. I found the solution myself.
For blocking specific IP ranges (like 192.168.1.10 to 192.168.1.90):

1. Install "iptables-mod-iprange"

opkg install iptables-mod-iprange

2. In LuCI, go to Network -> Firewall -> Traffic Rules tab.
Create a new Forward rule and choose your source and destination zone (in my case, Source=lan and Destination=WAN) and click Add & Edit.
On the next page, in the Extra Arguments box, enter this:

-m iprange --src-range 192.168.1.10-192.168.1.90

You can use several match options too. For example, I'm using this with time schedules:

-m time --localtz --timestart 00:00 --timestop 08:00 -m iprange --src-range 192.168.1.10-192.168.1.90

The above arguments will result in blocking all packets from 12 AM till 8 AM whose source IPs are in the 192.168.1.10-90 range.
Description of arguments:
-m time: use time matching (needs the iptables-mod-ipopt package)
--localtz: local timezone. Omitting this option will result in iptables assuming times are in UTC instead of your router's local timezone
--timestart: start time in hh:mm format
--timestop: stop time in hh:mm format
-m iprange: use IP range matching.
--src-range: range of source IPs. You can use --dst-range for destination IPs if needed.


After adding the above rule in LuCI, the following entry was added to the uci firewall config file (/etc/config/firewall):

config rule
        option src 'lan'
        option dest 'wan'
        option proto 'all'
        option name 'Block-Internet'
        option target 'REJECT'
        option extra '-m time --localtz --timestart 00:00 --timestop 08:00 -m iprange --src-range 192.168.1.10-192.168.1.90'

(Last edited by euphoria360 on 1 May 2016, 12:41)
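As an added example (not part of euphoria360's post or of OpenWrt itself), the Python below models the rule described above so you can check, offline, which LAN hosts and which times of day it would reject before committing it on the router. It reproduces the two match semantics the post relies on: `-m iprange --src-range` includes both endpoints, and `-m time --timestart/--timestop` compares seconds of day inclusively at both ends and wraps past midnight when start is later than stop (wall-clock time with `--localtz`, UTC without it). It also emits the `uci batch` commands that create the same `config rule` section LuCI wrote. The LAN subnet used for the sanity check is an assumption (the rule in the post uses 192.168.1.x), and the helper names are my own.

```python
import ipaddress
from datetime import time

# Values taken from euphoria360's rule; the LAN subnet is an assumption used
# only for the sanity check below (the example rule uses 192.168.1.x).
SRC_RANGE = "192.168.1.10-192.168.1.90"
TIME_START = "00:00"
TIME_STOP = "08:00"
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def parse_range(src_range):
    """Split 'low-high' into two IPv4Address objects and reject inverted ranges."""
    low, high = (ipaddress.IPv4Address(p.strip()) for p in src_range.split("-"))
    if low > high:
        raise ValueError(f"range start {low} is above range end {high}")
    return low, high


def ip_in_range(ip, src_range=SRC_RANGE):
    """-m iprange --src-range semantics: both endpoints are included."""
    low, high = parse_range(src_range)
    return low <= ipaddress.IPv4Address(ip) <= high


def range_within_subnet(src_range=SRC_RANGE, subnet=LAN_SUBNET):
    """Sanity check: a source range outside the LAN can never match LAN->WAN traffic."""
    low, high = parse_range(src_range)
    return low in subnet and high in subnet


def _seconds_of_day(value):
    """Accept a datetime.time or an 'hh:mm[:ss]' string; return seconds since midnight."""
    if isinstance(value, time):
        return value.hour * 3600 + value.minute * 60 + value.second
    parts = [int(p) for p in value.split(":")]
    parts += [0] * (3 - len(parts))
    hours, minutes, seconds = parts
    return hours * 3600 + minutes * 60 + seconds


def time_in_window(local_time, start=TIME_START, stop=TIME_STOP):
    """-m time --timestart/--timestop semantics: seconds-of-day comparison, inclusive
    at both ends; a window with start > stop wraps past midnight. With --localtz the
    packet time is the router's wall-clock time, without it UTC."""
    s, e, p = _seconds_of_day(start), _seconds_of_day(stop), _seconds_of_day(local_time)
    if s <= e:
        return s <= p <= e
    return p >= s or p <= e


def rule_matches(src_ip, local_time, src_range=SRC_RANGE, start=TIME_START, stop=TIME_STOP):
    """True when a LAN->WAN packet with this source address, seen at this router-local
    time, would hit the rule and be rejected."""
    return ip_in_range(src_ip, src_range) and time_in_window(local_time, start, stop)


def extra_args(src_range=SRC_RANGE, start=TIME_START, stop=TIME_STOP):
    """The string that goes in LuCI's Extra Arguments box (option extra in uci)."""
    return (f"-m time --localtz --timestart {start} --timestop {stop} "
            f"-m iprange --src-range {src_range}")


def uci_batch(name="Block-Internet", src="lan", dest="wan", target="REJECT",
              src_range=SRC_RANGE, start=TIME_START, stop=TIME_STOP):
    """Commands for `uci batch` that create the same `config rule` section LuCI wrote."""
    if not range_within_subnet(src_range):
        raise ValueError(f"{src_range} lies outside {LAN_SUBNET}")
    settings = [("src", src), ("dest", dest), ("proto", "all"), ("name", name),
                ("target", target), ("extra", extra_args(src_range, start, stop))]
    lines = ["add firewall rule"]
    lines += [f"set firewall.@rule[-1].{key}='{value}'" for key, value in settings]
    lines.append("commit firewall")
    return "\n".join(lines)


if __name__ == "__main__":
    print(uci_batch())
    for ip, at in [("192.168.1.50", "03:00"), ("192.168.1.91", "03:00"),
                   ("192.168.1.50", "09:00")]:
        print(ip, at, "rejected" if rule_matches(ip, at) else "allowed")
```

To apply the generated section on the router, feed the printed lines to `uci batch` over SSH and then run `/etc/init.d/firewall reload`; LuCI passes the `extra` string to iptables verbatim, so the range and time checks here are only a pre-commit convenience, and the iptables-mod-iprange and iptables-mod-ipopt packages from the post still have to be installed for the rule to load.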
