Prohibiting an IP range from going out to the Internet in Red Hat/CentOS Linux

Crash Override asked:

I have a VPN, and my server frequently sends data to a private IP address that routes over the VPN. When the OpenVPN gets established or dies, it enables/disables the routes.

I want to null-route that private IP range from going out over the main Internet interface (eth0). Is there an easy way to do that without interfering with the route commands coming from the VPN software?

Iptables won’t do it. I tried

iptables -A OUTPUT -i eth0 -p tcp -d 192.168.0.0/16 -j REJECT

But iptables does not work when specifying an interface in the output chain.

Anyone know if there is a way to add a dummy route onto a specific interface (eth0) only, without interfering with other interfaces that may be using that route?

Ps- I am aware 192.168.0.0/16 is not INTERNET routeable, but for security reasons, want to ensure no data gets out even if another local server or network device starts listening on the private subnet.

My answer:


Your interface specification in the iptables rule is backward.

You specified:

iptables -A OUTPUT -i eth0 -p tcp -d 192.168.0.0/16 -j REJECT

Using -i matches traffic that enters the system on the named interface.

Instead, you want to match traffic leaving the system on the named interface, which is done with -o.

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.0.0/16 -j REJECT

(And you probably don’t want -p tcp in there, otherwise non-TCP traffic might pass.)


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.