[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] Blocking access to a subnet



Here is a weird iptables question for the crowd.

I have many of these devices that contact me via ppp (modem).  I am
giving them addresses based on a 10.0.5.0/24 subnet.  Sometimes the link
may be down and a application on the server will try to connect() to the
device.  I want to automatically reject those connections.  When the
links come up the server side will have the address 10.0.5.1.  The
devices start at 10.0.5.2,3,4 and continue till end.  When the app tries
to connect() he will block waiting for an ACK to the SYN pakcet he
sends.  When the ppp interface is down the packet travels out of eth0
and then out to the internet.  Now ACK will ever be returned.

If I create a rule on my firewal to reject all packets destined for
10.0.5.0/24 with a tcp-reset then the connect() will immediately fail
and the application can continue doing other stuff.  I want to be able
to do this with iptables on the server itself.  Is there a way I can say
on the server that any packet destined for 10.0.5.0/24 going out of eth0
to be rejected automatically?  These packets would be generated
internally.

If I write the code to do connect()'s in a non-blocking manner this
would be a non-issue.  The quickest solution may be provided by iptables
instead of mucking in the code itself....