Iptables to reject all INPUT and OUTPUT except specific hosts


#1

Transferred from Linux Config Disqus comments:

Question:

I have created a zone in my LAN, where I have given 11 servers a DNS address. But someone has connected 3 more (these three have only an IP, not a DNS address), and I don't want to remove all servers to find out which ones it is.
Is there a way to make sure that only the servers with a DNS address provided by me are granted access to the internet? (block input and output)
Answer:
Reject all outgoing traffic from source IP address different than 222.111.111.222


iptables -A OUTPUT -t filter ! -s 222.111.111.222 -j REJECT

Reject all incoming traffic to destination address different than 222.111.111.222


iptables -A INPUT -t filter ! -d 222.111.111.222 -j REJECT

Note, instead of an IP address 222.111.111.222 you can supply a hostname such as pc1 or pc2; however, when applying this rule, iptables will automatically resolve it into an IP address, and the IP address will be used instead.

Furthermore, you can supply a range of IP addresses in a single iptables rule. However, I do not know whether your hosts are arranged in some systematic way that you can apply this rule in your scenario.
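
The rules in the answer match a single address. As an added example that is not part of the original post, the POSIX shell script below generates the equivalent allowlist for several hosts at once, refuses hostnames (since iptables resolves a name only once, at load time, and keeps whatever address it got), and emits the rules in an order that keeps established flows and loopback working. It prints the iptables commands rather than applying them. The addresses in ALLOWED_HOSTS are constructed sample values from the 192.0.2.0/24 test range, and the function names gen_allowlist_rules and is_ipv4 are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: build an iptables allowlist for
# several hosts instead of a single "! -s" / "! -d" match. The addresses in
# ALLOWED_HOSTS are constructed sample values (192.0.2.0/24 test range);
# replace them with the servers that should keep their access.
ALLOWED_HOSTS="192.0.2.11 192.0.2.12 192.0.2.13"

# Exit 0 only for a literal dotted-quad IPv4 address. iptables would resolve a
# hostname once at load time and bake in whatever address it got, so this
# script refuses anything that is not already an address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for the allowlist. Nothing is applied here;
# pipe the output into a root shell once it has been reviewed.
gen_allowlist_rules() {
    for host in $1; do
        is_ipv4 "$host" || { echo "refusing non-IPv4 entry: $host" >&2; return 1; }
    done
    # Replies to flows that were already accepted must get through regardless
    # of the per-host rules, and loopback must stay open for local services.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # One ACCEPT pair per allowed host ...
    for host in $1; do
        echo "iptables -A INPUT -s $host -j ACCEPT"
        echo "iptables -A OUTPUT -d $host -j ACCEPT"
    done
    # ... and an unconditional REJECT at the end, which is what the post's
    # "! -s" / "! -d" rules express for a single address.
    echo "iptables -A INPUT -j REJECT"
    echo "iptables -A OUTPUT -j REJECT"
}

gen_allowlist_rules "$ALLOWED_HOSTS"
```

Run it unprivileged first to review the output, then feed that output into a root shell to load the rules. If the machine in question is the LAN's router rather than one of the servers, the traffic being allowed or rejected traverses the FORWARD chain instead of INPUT or OUTPUT, so the same ACCEPT and REJECT pairs would have to be repeated there with `-s` and `-d` matches.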


#2