How to block IP address on router?

Discussion in 'Tomato Firmware' started by Jacky, Apr 17, 2014.

  1. Jacky



    I want to know if it is possible to block an IP address on a router running DDWRT or Tomato?
    I know it is possible to do URL blocking, but that option does not work for IP addresses.

    Additional information - I am trying to stop computers on my network from being able to reach a certain IP. (block out-going IP)

    
  2. PetervdM


    you might add an ip route add blackhole statement with the ip address to the route table in the wanup script.
    ex. ip route add blackhole x.x.x.x
    
  3. Jacky


    Thank you PetervdM, for your reply. Can blackhole be used to stop computers on my network from reaching a certain IP?
    
  4. PetervdM


    entries in the routing table affect all traffic on the router. so you cannot use it to block traffic from ONE internal ip address to another external ip address. to accomplish that you will need a firewall rule like:

    iptables -I INPUT -i vlan1 -s x.x.x.x -d y.y.y.y -j DROP

    where vlan1 is your LAN(br0), x.x.x.x is your internal ip address and y.y.y.y your external ip address

    but it might be hard to lockdown that ONE ip address to THAT computer. a knowledgeable user might alter the pc's ip address or mac address to evade your blockade, or simply use another machine, a proxy server, vpn tunnel or the neighbour's wireless network.
    non-technical means may be necessary to achieve your goal.
    
  5. Jacky


  6. koitsu


    iptables -I FORWARD -d {ipaddress} -j DROP will do what you want. I have personally verified this using iptables -I FORWARD -p icmp -d -j DROP then proceeding, from a machine on the LAN, to attempt to ping to no avail / watched the byte and packet counters for the newly-added rule increment.
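
The FORWARD-chain block discussed in this thread, written as an added example for a router firewall script (not code from any poster): it validates the address and re-applies the rule without stacking duplicates on each firewall restart. The br0 interface match, the IPT dry-run variable, the function names and the sample address 203.0.113.7 are assumptions.

```shell
#!/bin/sh
# Added example: stop LAN clients from reaching one external IPv4 address.
# Assumptions (not from the thread): LAN bridge is br0; the script is run
# from the router's firewall script so it is re-applied after restarts.

IPT="${IPT:-iptables}"     # set IPT=echo for a dry run that only prints the rules
LAN_IF="${LAN_IF:-br0}"    # assumed LAN bridge name

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # stray characters or empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Drop traffic forwarded from the LAN to destination $1.
# FORWARD is used because the packets pass through the router; INPUT only
# sees packets addressed to the router itself.
block_dest() {
    is_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    # Delete any earlier copy first so reruns leave exactly one rule.
    $IPT -D FORWARD -i "$LAN_IF" -d "$1" -j DROP 2>/dev/null || true
    $IPT -I FORWARD -i "$LAN_IF" -d "$1" -j DROP
}

# Print the rule with its packet/byte counters to confirm it is being hit.
show_hits() {
    $IPT -L FORWARD -v -n | grep -F -- "$1"
}

# Usage on the router (203.0.113.7 is a constructed sample address):
#   block_dest 203.0.113.7 && show_hits 203.0.113.7
```

Rising counters in the `show_hits` output after a LAN client tries to reach the address confirm the rule is matching.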
