Block a group of IP addresses from accessing the Internet

Source: reddit.com
You can verify your vlan2 by typing “ifconfig” into the commands box and clicking “Run Commands” under Administration -> Commands. Search through the output (hint: use your browser’s find/search feature!) for your WAN IP as shown in the top-right of the page. Verify that the interface with that IP address is “vlan2” (interface names are in the left column). If it is not, you’ll need to replace “vlan2” below with the name of the interface bearing that address.

Now, paste the following into the “Commands” text box, then alter it to match your needs:
iptables -I FORWARD -s <camera1_ip> -o vlan2 -j DROP
iptables -I FORWARD -s <camera2_ip> -o vlan2 -j DROP
Then, click “Save Firewall” at the bottom.

Furthermore, it is worth mentioning that you needn’t use a separate rule for each camera/IP address unless you need to apply different rules to each. As /u/mlt- mentions, there are ways to include multiple source IPs in one rule. However, most DD-WRT builds that I have used do not include an iptables binary with all the options/extensions that iptables can support. Subnets, on the other hand, are a fairly effective way to specify a range of IPs and should work in every version.
Given devices with IP addresses (assuming all are on 192.168.1.xxx): 201, 202, 203, 206

iptables -I FORWARD -s 192.168.1.200/29 -o vlan2 -j REJECT

This subnet (/29 is CIDR notation; the decimal netmask would be written as /255.255.255.248) covers 192.168.1.200 through 192.168.1.207 with a single rule. For filtering rules like this, you don’t need to worry about the network number, usable hosts, or broadcast address; we’re only concerned with how many addresses get hit by this mask, which is 8. This subnet starts at 192.168.1.200, which is NOT something we directly control; subnets break a network block into smaller, equally-sized pieces, so the starting address is dictated by the mask. Note that the same rule also blocks 192.168.1.200, .204, .205 and .207, so any device that later takes one of those addresses will lose Internet access too. Here’s a handy reference, if desired. The idea behind subnet masks is fairly straightforward, but does require some getting used to.

  • -I : Insert the rule at the beginning of the chain (iptables matches first rule wins) so that it isn’t superseded by a previously defined rule.
  • FORWARD : Which “chain” to add the rule to. “FORWARD” applies to any traffic that is routed through the router, i.e. whose source and destination are both NOT the router itself.
  • -s <camera1_ip> : Specifies the source IP address (or subnet) the rule applies to (e.g. -s 192.168.1.240).
  • -o vlan2 : Specifies that the rule only applies to traffic being sent out through vlan2. vlan2 is the WAN interface in DD-WRT by default. You can check this through telnet/ssh by running “ifconfig”, or through the web interface as described at the beginning of this post.
  • -j DROP : When the rule matches, perform the DROP action. The packet is silently discarded and never reaches its destination (the Internet); the camera only sees a timeout. REJECT, used in the subnet example above, instead sends an error back to the sender, so the device fails fast rather than waiting.
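The subnet arithmetic above (which /29 covers 192.168.1.201, .202, .203 and .206, and which other addresses it sweeps in) and the rule syntax explained in the list can be checked mechanically. The following script is an added example and is not from the original post or from DD-WRT; the helper names are this example’s own, “vlan2” is assumed to be the WAN interface as in the post, and the camera addresses are the post’s constructed sample. It generalizes beyond the post’s single case: it finds the smallest aligned CIDR block for any list of addresses (even ones spanning more than one /24), lists the collateral addresses that block also matches, and prints the corresponding rule. It only prints rules; it does not apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names (ip2int, covering_cidr,
# block_rule, ...) are this example's own; "vlan2" is assumed to be the WAN
# interface, as in the post. Plain POSIX sh with 64-bit shell arithmetic
# (dash or bash). It prints rules; it does not apply them.

# Dotted-quad IPv4 address -> 32-bit integer (e.g. 192.168.1.201 -> 3232235977).
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> decimal netmask (29 -> 255.255.255.248).
prefix2mask() {
  int2ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Smallest aligned CIDR block covering every address in the space-separated list.
# Walks from /32 down to /0; the block base is always a multiple of the block size,
# which is why the start address is dictated by the mask rather than chosen freely.
covering_cidr() {
  min=""; max=""
  for ip in $1; do
    n=$(ip2int "$ip")
    if [ -z "$min" ] || [ "$n" -lt "$min" ]; then min=$n; fi
    if [ -z "$max" ] || [ "$n" -gt "$max" ]; then max=$n; fi
  done
  prefix=32
  while [ "$prefix" -ge 0 ]; do
    size=$(( 1 << (32 - prefix) ))
    base=$(( min / size * size ))          # align the lower bound down to the block size
    if [ $(( base + size - 1 )) -ge "$max" ]; then
      echo "$(int2ip "$base")/$prefix"
      return 0
    fi
    prefix=$(( prefix - 1 ))
  done
}

# Addresses inside the block that were NOT in the list: the collateral a range rule hits.
covered_extras() {
  cidr=$1; list=$2
  base=$(ip2int "${cidr%/*}")
  size=$(( 1 << (32 - ${cidr#*/}) ))
  i=0; out=""
  while [ "$i" -lt "$size" ]; do
    addr=$(int2ip $(( base + i )))
    case " $list " in
      *" $addr "*) ;;                     # listed: an intended target
      *) out="$out $addr" ;;              # unlisted: blocked as a side effect
    esac
    i=$(( i + 1 ))
  done
  echo "${out# }"
}

# The rule in the form the post uses: inserted at the top of FORWARD, matched on
# source and on the WAN egress interface. Interface defaults to vlan2, target to DROP.
block_rule() {
  echo "iptables -I FORWARD -s $1 -o ${2:-vlan2} -j ${3:-DROP}"
}

# Constructed sample: the four camera addresses from the post.
CAMERAS="192.168.1.201 192.168.1.202 192.168.1.203 192.168.1.206"
block=$(covering_cidr "$CAMERAS")
echo "# covering block: $block (netmask $(prefix2mask "${block#*/}"))"
echo "# also blocked:   $(covered_extras "$block" "$CAMERAS")"
block_rule "$block"
```

Run it as-is to see the /29 and its four collateral addresses; pass a different list to covering_cidr to size a block for your own devices, and pass an interface name as the second argument to block_rule if your WAN interface turned out not to be vlan2. Paste the printed rule into the DD-WRT Commands box and click “Save Firewall”, exactly as for the single-address rules above.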

Read also my post Block a device from accessing the Internet.