
How to block IP address on router?

Discussion in 'Tomato Firmware' started by Jacky, Apr 17, 2014.

  1. Jacky

    Jacky Reformed Router Member


    I want to know if it is possible to block an IP address on a router running DD-WRT or Tomato?
    I know it is possible to do URL blocking, but that option does not work for IP addresses.

    additional information - I am trying to stop computers on my network from being able to reach a certain IP (block outgoing IP).

    Last edited: Apr 18, 2014
  2. PetervdM

    PetervdM Network Guru Member

    you might add an ip route add blackhole statement with the ip address to the route table in the wanup script.
    ex. ip route add blackhole x.x.x.x
    Last edited: Apr 17, 2014
  3. Jacky

    Jacky Reformed Router Member

    Thank you PetervdM, for your reply. Can blackhole be used to stop computers on my network from reaching a certain IP?
    Last edited: Apr 18, 2014
  4. PetervdM

    PetervdM Network Guru Member

    entries in the routing table affect all traffic on the router. so you cannot use it to block traffic from ONE internal ip address to another external ip address. to accomplish that you will need a firewall rule like:

    iptables -I FORWARD -i vlan1 -s x.x.x.x -d y.y.y.y -j DROP

    where vlan1 is your LAN(br0), x.x.x.x is your internal ip address and y.y.y.y your external ip address

    but it might be hard to lock down that ONE ip address to THAT computer. a knowledgeable user might alter the pc's ip address or mac address to evade your blockade, or simply use another machine, a proxy server, vpn tunnel or the neighbours' wireless network.
    non-technical means may be necessary to achieve your goal.
    Last edited: Apr 18, 2014
  5. Jacky

    Jacky Reformed Router Member

  6. koitsu

    koitsu Network Guru Member

    iptables -I FORWARD -d {ipaddress} -j DROP will do what you want. I have personally verified this using iptables -I FORWARD -p icmp -d {ipaddress} -j DROP, then proceeding, from a machine on the LAN, to attempt to ping it to no avail, and watching the byte and packet counters for the newly-added rule increment.
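The two approaches in this thread differ in scope: a blackhole route applies to every packet the router handles, including the router's own traffic, while an iptables rule can be narrowed to one LAN host. The rule has to sit in the FORWARD chain, as koitsu's post shows, because traffic from a LAN machine to the Internet transits the router; the INPUT chain only sees packets addressed to the router itself. Below is an added example, not code from the thread or from the Tomato/DD-WRT projects, of a POSIX sh fragment suitable for the firmware's "Firewall" script slot. It assumes br0 is the LAN bridge and that busybox sh and iptables are available as on those firmwares; the addresses 192.168.1.50 and 203.0.113.10 in the apply_rules function are constructed placeholders. Setting DRY_RUN=1 prints the commands instead of running them, which is how to check the rules before loading them on the router.

```shell
#!/bin/sh
# Added example: block LAN hosts from reaching an external IPv4 address on
# a Tomato/DD-WRT router, using the FORWARD chain.  Assumptions: br0 is the
# LAN bridge, iptables is the netfilter CLI shipped with the firmware.
# DRY_RUN=1 echoes the commands instead of executing them.

IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-br0}
DRY_RUN=${DRY_RUN:-0}

# Accept only a dotted-quad IPv4 address with each octet in 0..255, so a
# typo cannot produce an empty "-d" argument or an unintended match.
valid_ipv4() {
    ip=$1
    old_ifs=$IFS
    IFS=.
    set -f
    set -- $ip
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Run an iptables command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Insert a rule only if it is not already present.  The firewall script is
# re-run on every WAN up event, so an unconditional -I would pile up copies.
insert_once() {
    if [ "$DRY_RUN" != 1 ] && "$IPT" -C "$@" 2>/dev/null; then
        return 0
    fi
    run -I "$@"
}

# Block one LAN host from reaching one external address.
block_host_to_dest() {
    src=$1
    dst=$2
    valid_ipv4 "$src" || { echo "bad source address: $src" >&2; return 2; }
    valid_ipv4 "$dst" || { echo "bad destination address: $dst" >&2; return 2; }
    insert_once FORWARD -i "$LAN_IF" -s "$src" -d "$dst" -j DROP
}

# Block every LAN host from reaching one external address (the rule from
# koitsu's post, restricted to the LAN interface).
block_dest() {
    dst=$1
    valid_ipv4 "$dst" || { echo "bad destination address: $dst" >&2; return 2; }
    insert_once FORWARD -i "$LAN_IF" -d "$dst" -j DROP
}

# List FORWARD with packet/byte counters to confirm the DROP rules match.
show_drops() {
    run -L FORWARD -v -n --line-numbers
}

# What the firewall script would call; the addresses are placeholders.
apply_rules() {
    block_host_to_dest 192.168.1.50 203.0.113.10 || return $?
    block_dest 203.0.113.10 || return $?
    show_drops
}
```

To trial the rules from a router shell, source the file and run `DRY_RUN=1 apply_rules` to see the exact iptables invocations, then call `apply_rules` without DRY_RUN and watch the counters from `show_drops` increment while a LAN machine pings the blocked address. The blackhole route from the thread (`ip route add blackhole y.y.y.y`) remains the simpler choice when the router itself should also be unable to reach the address.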
