Allow LAN access but not internet access

Q I needed to set up a PC so that access to and from the internet was stopped (DROP) while access to and from the local LAN was allowed (ACCEPT). I looked at a couple of useful tutorials on the web. I was successful with the following commands:

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
# iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT

Great. However, I have two questions. First, when I reboot the settings are lost. They default back to a default of all ACCEPT and my local LAN ACCEPT rules have gone. How can I make the changes stay after a reboot? The second is a curiosity question. 192.168.0.0/24 refers to all devices on the subnet 192.168.0. I thought it would only refer to devices 0 to 24. I have checked that it does what the article says - 192.168.0.102 is covered by 192.168.0.0/24, and I am able to ping it on my LAN. I just do not understand why.

A Many distributions have a /etc/init.d/iptables script which can be used to save your iptables rules for reload at boot time. As you didn't indicate your distribution of choice, you may want to check its iptables package and see what exactly it provides for you in terms of init scripts. As a last resort you can use iptables-save to save the rules, then use iptables-restore at boot time to load them again. The /24 means that the first 24 bits of the IP are for the network, and the last 8 are for the host. When a /24 range is defined, 192.168.0.0 through to 192.168.0.255 is included. You can find information on the use of CIDR or 'slash' notation for network addressing at http://en.wikipedia.org/wiki/CIDR.
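The two points in the answer, the /24 arithmetic and the save/restore route to persistence, can be seen in working code. The following POSIX sh script is an added example and not part of the original Q&A. It computes CIDR membership with plain shell arithmetic (showing why 192.168.0.102 falls inside 192.168.0.0/24 and what the first and last covered addresses are), and it generates a ruleset in iptables-restore format for the "LAN only" policy. Two choices in the generated ruleset are mine rather than the question's: loopback traffic is accepted, and the OUTPUT rule matches on destination (-d) instead of source, since "traffic to the LAN" is a destination match. The network and host values are the ones from the question; 203.0.113.9 is a documentation address used as a constructed non-LAN sample.

```shell
#!/bin/sh
# Added example: CIDR arithmetic in POSIX sh plus an iptables-restore
# ruleset generator for a LAN-only host. Not code from the original column.

ip_to_int() (
    # Dotted-quad -> 32-bit integer, e.g. 192.168.0.102 -> 3232235622.
    # Subshell body so changing IFS does not leak into the caller.
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int_to_ip() {
    # 32-bit integer -> dotted-quad.
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {
    # /N -> netmask as an integer: the top N bits set, the low 32-N bits clear.
    # So /24 is not "hosts 0 to 24"; it is "the first 24 bits are fixed".
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( 4294967295 - ((1 << (32 - $1)) - 1) ))
    fi
}

cidr_contains() {
    # Usage: cidr_contains IP NETWORK/PREFIX  -> exit status 0 if IP is inside.
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(prefix_mask "${2#*/}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

cidr_range() {
    # Print the first and last address covered by NETWORK/PREFIX.
    net=$(ip_to_int "${1%/*}")
    mask=$(prefix_mask "${1#*/}")
    first=$(( net & mask ))
    last=$(( first | (4294967295 & ~mask) ))
    echo "$(int_to_ip "$first") $(int_to_ip "$last")"
}

lan_only_rules() {
    # Emit an iptables-restore ruleset: default DROP on every chain, accept
    # loopback, accept packets from the LAN prefix on INPUT and to it on OUTPUT.
    # (Loopback rules and the -d match on OUTPUT are this example's choices.)
    lan=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $lan -j ACCEPT
-A OUTPUT -d $lan -j ACCEPT
COMMIT
EOF
}

# Demo with the values from the question plus constructed samples.
for host in 192.168.0.102 192.168.0.250 192.168.1.5 203.0.113.9; do
    if cidr_contains "$host" 192.168.0.0/24; then
        echo "$host is inside 192.168.0.0/24"
    else
        echo "$host is outside 192.168.0.0/24"
    fi
done
echo "192.168.0.0/24 covers: $(cidr_range 192.168.0.0/24)"
echo "--- iptables-restore ruleset ---"
lan_only_rules 192.168.0.0/24
```

To use the generated ruleset the way the answer's last-resort option describes, redirect it to a file (for example `lan_only_rules 192.168.0.0/24 > /etc/iptables.rules`, path chosen here for illustration) and load it at boot with `iptables-restore < /etc/iptables.rules`; the output is the same format `iptables-save` produces, so a ruleset built interactively can be captured the same way.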
