Hi all,
We have a device that I for different reasons want to be able to isolate from the network from time to time, and I want to do this programmatically from the bubba (which is our router/firewall). The device has IP address 192.168.0.77 and is on the WLAN.
I've tried blackhole routing with:
route add -host 192.168.0.77 gw 127.0.0.1
But it doesn't seem to take.
Then I tried adding a drop-rule using iptables:
iptables -A INPUT -s 192.168.0.77 -j DROP
Didn't work either. meh...
Anyone got any ideas?
Isolate misbehaving IP on wlan
Re: Isolate misbehaving IP on wlan
I think you missed the "lo" on the end of your route statement.
How does this work?
Code:
route add -host IP-ADDRESS reject
netstat -nr
route -n
(source: http://www.cyberciti.biz/tips/how-do-i- ... outes.html)
Re: Isolate misbehaving IP on wlan
Ty. I haven't been able to test yet, but will as soon as I can.
Re: Isolate misbehaving IP on wlan
Grrr, it doesn't work. I can block it from getting an address from DHCP, but once it's up and running it seems to sneak by the routing tables to the internet. Neither iptables nor route seems to affect it once it's up.
Re: Isolate misbehaving IP on wlan
So you see the traffic appear in iptraf? It almost sounds like there is another routing device on your network.
Re: Isolate misbehaving IP on wlan
The INPUT chain in iptables is for traffic to the b3 itself - connecting to its webserver or its samba server etc.
So when you DROP packets from the offending IP in the INPUT chain it just means the b3 will not serve stuff to it.
You want to block it in the FORWARD chain instead, which is where the b3 does the NAT/routing stuff.
Something like
Code:
iptables -I FORWARD 1 -s 192.168.0.77 -j DROP
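Added example, not part of the thread: a small script for switching the isolation on and off from the router, built on the FORWARD-chain advice above. It goes one step further than the post by also dropping forwarded traffic addressed to the host (-d). The function names and the script name isolate.sh are made up for illustration, and it assumes root and an iptables that supports -C (1.4.11 or later).

```shell
#!/bin/sh
# Added example (not from the thread): toggle isolation of one LAN host on the
# router. Assumes root and an iptables with -C (rule check, 1.4.11 or later).
IPT=${IPT:-iptables}

# Accept only a dotted-quad IPv4 address so nothing else reaches iptables.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|*[0-9][0-9][0-9][0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Insert DROP rules at the top of FORWARD, ahead of any ACCEPT for established
# connections, for traffic from (-s) and to (-d) the host. Idempotent.
isolate() {
    valid_ipv4 "$1" || return 2
    for dir in -s -d; do
        "$IPT" -C FORWARD "$dir" "$1" -j DROP 2>/dev/null ||
            "$IPT" -I FORWARD 1 "$dir" "$1" -j DROP || return 1
    done
}

# Delete every copy of the rules, including duplicates added by hand.
release() {
    valid_ipv4 "$1" || return 2
    for dir in -s -d; do
        while "$IPT" -C FORWARD "$dir" "$1" -j DROP 2>/dev/null; do
            "$IPT" -D FORWARD "$dir" "$1" -j DROP || return 1
        done
    done
}

# Print "isolated" or "open" for the host.
status() {
    valid_ipv4 "$1" || return 2
    if "$IPT" -C FORWARD -s "$1" -j DROP 2>/dev/null; then echo isolated
    else echo open; fi
}

# Usage: isolate.sh isolate|release|status 192.168.0.77
if [ $# -gt 0 ]; then
    case $1 in
        isolate|release|status) "$@" ;;
        *) echo "usage: $0 isolate|release|status IP" >&2; exit 64 ;;
    esac
fi
```

These rules only act on packets the router forwards between interfaces, and they are gone after a reboot unless the ruleset is saved.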