IPTables - Preventing Web GUI access on ath0 (solved)

Author Message
Naovaz
DD-WRT Novice


Joined: 09 Apr 2018
Posts: 40
Location: Portugal

PostPosted: Thu Aug 16, 2018 22:52    Post subject: IPTables - Preventing Web GUI access on ath0 (solved)
Hello Guys,

Router \ Model: TP-Link - TL-WR940ND v4
DD-WRT version: DD-WRT v3.0-r36596 std (08/14/18)

I am a bit confused about a situation...

I'm trying to prevent all devices connected on ath0 from accessing the following ports: 80, 53, 2048.

Accessing via SSH I tried the following commands (I also tried saving them in the firewall commands):


iptables -I INPUT -i ath0 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
iptables -I INPUT -i ath0 -p tcp --dport 53 -j REJECT --reject-with tcp-reset
iptables -I INPUT -i ath0 -p tcp --dport 2048 -j REJECT --reject-with tcp-reset


But to no avail..


If I put the same commands but instead on br1 (the bridge dedicated to my Guest WiFi network) they work: all the devices connected to the guest network on br1 can't access any of those ports.

Why does the same command work on br1 but not on ath0??
I am comfortable around iptables commands and understand the syntax; I really don't understand why it's not working.

Any suggestions??

_________________
Today, is allways a Good day!
________________________________
Atheros:
tp-link wr940N - Gateway \ DNSMasq \ AP


Last edited by Naovaz on Tue Aug 21, 2018 16:02; edited 1 time in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

PostPosted: Fri Aug 17, 2018 4:16    Post subject:
Yep, there is something weird with iptables these days: on the new builds on some particular routers even those restrictions do
not work, and changing the microserver port to something different from port 80 is impossible. I guess BS cuts off some commands to save space or to lock port 80 for the GUI....
Can you try to change the microserver port and try with different ports... I've also tried to block the ath interface but it didn't work in the past, and I went to br1, which worked well, but now br1 blocking is not working on my 1043 v2 either.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Fri Aug 17, 2018 9:26    Post subject:
It's confusing because Naovaz didn't give us enough info...

The INPUT chain is used for packets destined TO local sockets, and FORWARD for packets being routed through the box...

Maybe the output of:

Code:
ifconfig


and

Code:
cat /tmp/.ipt


will tell us more...

Is this TP-Link in client bridge mode?
Naovaz
DD-WRT Novice


Joined: 09 Apr 2018
Posts: 40
Location: Portugal

PostPosted: Fri Aug 17, 2018 15:33    Post subject:
First of all, thanks for all of your feedback.
I'm going to try to address all of your responses:

------JXM --------

In my router, ath0 is where my WiFi is configured.
In the link you posted they address the usual case, but that doesn't mean it's always going to be like that. In these situations you need to check, either with ifconfig or in the router web GUI, which network you want to configure.

------Alozaros---------

Thanks for the suggestion; maybe I'm going to try some sneaky stuff, putting the network in another bridge and trying to filter that bridge itself. If I do so I will report back with some feedback.

--------Mile-Lile-----------

You are right; when I wrote this I was in a rush and skipped a lot of useful information, sorry about that.

So, to better understand my network, here it is:
>ifconfig
#Main Wifi Network
ath0 Link encap:Ethernet HWaddr <MAC>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3061 errors:0 dropped:0 overruns:0 frame:0
TX packets:7479 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:340808 (332.8 KiB) TX bytes:9627967 (9.1 MiB)

#Guest-Wifi Network
ath0.1 Link encap:Ethernet HWaddr <MAC>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

br0 Link encap:Ethernet HWaddr <MAC>
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6172 errors:0 dropped:125 overruns:0 frame:0
TX packets:10600 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:632014 (617.2 KiB) TX bytes:11935272 (11.3 MiB)

#Main Network Bridge
br0:0 Link encap:Ethernet HWaddr <MAC>
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

#Guest Network Bridge
br1 Link encap:Ethernet HWaddr <MAC>
inet addr:192.168.3.1 Bcast:192.168.3.31 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth0 Link encap:Ethernet HWaddr <MAC>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3125 errors:0 dropped:10 overruns:0 frame:0
TX packets:3572 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:379314 (370.4 KiB) TX bytes:2586179 (2.4 MiB)
Interrupt:5

eth1 Link encap:Ethernet HWaddr <MAC>
inet addr:<publicIP> Bcast:<publicIP_Broad> Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8691 errors:0 dropped:3 overruns:0 frame:0
TX packets:3739 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10610509 (10.1 MiB) TX bytes:463723 (452.8 KiB)
Interrupt:4

imq0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP RUNNING NOARP MTU:1500 Metric:1
RX packets:8225 errors:0 dropped:0 overruns:0 frame:0
TX packets:8225 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:30
RX bytes:10379756 (9.8 MiB) TX bytes:10379756 (9.8 MiB)

imq1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP RUNNING NOARP MTU:16000 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:11000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:744 (744.0 B) TX bytes:744 (744.0 B)



My firewall configuration ATM is as follows:
*Using the web GUI I saved the following script for the firewall (in the Commands section):

#Allow guest bridge access to Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Block access between private and guest
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#NAT to make Internet work
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Block torrent and p2p
iptables -I FORWARD -p tcp -s 192.168.3.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.3.0/24 -m connlimit --connlimit-above 25 -j DROP
#Block guest access to router services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport 2048 -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport 53 -j REJECT --reject-with tcp-reset
#Block ath0 access to router services
iptables -I INPUT -i ath0 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
iptables -I INPUT -i ath0 -p tcp --dport 53 -j REJECT --reject-with tcp-reset
iptables -I INPUT -i ath0 -p tcp --dport 2048 -j REJECT --reject-with tcp-reset


*The cat output of the .ipt file is the following:

*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A PREROUTING -i ! eth1 -d <publicIP> -j MARK --set-mark 0x80000000/0x80000000
-A PREROUTING -j CONNMARK --save-mark
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 1.1.1.1
-A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 1.1.1.1
-A PREROUTING -p icmp -d <publicIP> -j DNAT --to-destination 192.168.2.1
-A PREROUTING -d <publicIP> -j TRIGGER --trigger-type dnat
-A POSTROUTING -s 192.168.2.1/24 -o eth1 -j SNAT --to-source <publicIP>
-A POSTROUTING -s 192.168.3.1/27 -o eth1 -j SNAT --to-source <publicIP>
-A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:trigger_out - [0:0]
:lan2wan - [0:0]
:grp_1 - [0:0]
:advgrp_1 - [0:0]
:grp_2 - [0:0]
:advgrp_2 - [0:0]
:grp_3 - [0:0]
:advgrp_3 - [0:0]
:grp_4 - [0:0]
:advgrp_4 - [0:0]
:grp_5 - [0:0]
:advgrp_5 - [0:0]
:grp_6 - [0:0]
:advgrp_6 - [0:0]
:grp_7 - [0:0]
:advgrp_7 - [0:0]
:grp_8 - [0:0]
:advgrp_8 - [0:0]
:grp_9 - [0:0]
:advgrp_9 - [0:0]
:grp_10 - [0:0]
:advgrp_10 - [0:0]
:logbrute - [0:0]
-A logbrute -m recent --set --name BRUTEFORCE --rsource
-A logbrute -m recent ! --update --seconds 60 --hitcount 4 --name BRUTEFORCE --rsource -j RETURN
-A logbrute -m limit --limit 1/min --limit-burst 1 -j RETURN
-A logbrute -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p udp -i eth1 --dport 520 -j DROP
-A INPUT -p udp -i br0 --dport 520 -j DROP
-A INPUT -p udp --dport 520 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i br1 -j ACCEPT
-A INPUT -i eth1 -p icmp -j DROP
-A INPUT -p igmp -j DROP
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i br1 -p udp --dport 67 -j ACCEPT
-A INPUT -i br1 -p udp --dport 53 -j ACCEPT
-A INPUT -i br1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i br1 -m state --state NEW -j DROP
-A INPUT -i br1 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o br1 -j ACCEPT
-A FORWARD -i br1 -j ACCEPT
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o eth1 -j ACCEPT
-A FORWARD -i br1 -o eth1 -j ACCEPT
-I FORWARD -o eth1 -s 192.168.2.1/24 -p tcp --dport 1723 -j ACCEPT
-I FORWARD -o eth1 -s 192.168.2.1/24 -p gre -j ACCEPT
-A FORWARD -i eth1 -o br0 -j TRIGGER --trigger-type in

-A FORWARD -i br0 -j trigger_out

-I FORWARD -i br1 -d 192.168.2.1/255.255.255.0 -m state --state NEW -j DROP
-A FORWARD -i br0 -o br1 -m state --state NEW -j DROP
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A logreject -p tcp -j REJECT --reject-with tcp-reset
COMMIT


NOTE: I removed some personal info about the devices and IPs, but you can still understand the network topology and configuration. Every time you see something like <PublicIP> or <MAC> it means that in the original file\page the actual info is there; I just don't want to share it.

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

PostPosted: Fri Aug 17, 2018 19:09    Post subject:
The reason it does not work is because ath0 is bridged to br1. You have to use br1 in the rules.

You can un-bridge the interface and give it a separate sub-net. Then use ath0 in the rules.

Or assign the interface to br2 and use that in the rules.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1416

PostPosted: Fri Aug 17, 2018 20:33    Post subject:
I agree with Per Yngve Berg. The bridge is where the traffic is coming from, and not ath0 (yes, a little confusing), but that is why the rules are not working. That is how bridging works.
Naovaz
DD-WRT Novice


Joined: 09 Apr 2018
Posts: 40
Location: Portugal

PostPosted: Sat Aug 18, 2018 1:05    Post subject:
First of all, thanks for all of your feedback, but I am a bit confused about your responses....

Where in the code that I supplied did you see that ath0 is bridged in br1?

ATM my configuration is like so (image below).

To solve my problem, here's what I did:

iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br0 -p tcp --dport 53 -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br0 -p tcp --dport 2048 -j REJECT --reject-with tcp-reset
iptables -I INPUT -s 192.168.2.2 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -s 192.168.2.2 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -s 192.168.2.2 -p tcp --dport 2048 -j ACCEPT


Basically, with this I am saying that all incoming traffic on br0 to those ports is blocked, unless it is coming from the 192.168.2.2 IP (my main computer, with this same static IP).
Using the code above I am in a situation where everything is working fine and as I intended.

That said, if I were in a situation where I wanted to still retain access to those ports from any computer on br0, I would instead have done it by moving the WiFi network to a new bridge (br2).

Thank you again for all of your help

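The following is an added example, not code from the thread or from DD-WRT. It models the point Per Yngve Berg and Wildlion make (a bridge port like ath0 is invisible to `-i` in the INPUT chain, which only sees the bridge device) together with the rule ordering in Naovaz's final fix (`-I` puts each new rule at the top, so the ACCEPT rules for the admin host must be issued after the REJECT rules). The bridge membership map, the client address 192.168.2.50 and the simplified chain (only the thread's own `-I` rules, none of DD-WRT's generated ones) are assumptions constructed for the example.

```python
"""Added example (not from the thread or DD-WRT): simulate first-match
evaluation of an iptables INPUT chain built from 'iptables -I/-A INPUT ...'
commands, to show why a rule on a bridge member (ath0) never fires while
the same rule on the bridge itself (br0) does, and why the ACCEPT rules for
the admin host must be inserted after the REJECT rules.
"""
import shlex

# ASSUMPTION (constructed for this example): which bridge each port belongs to.
# Netfilter's INPUT chain sees traffic that entered through a bridge port as
# arriving on the bridge device, so '-i <port>' can never match there.
BRIDGE_MEMBERS = {"ath0": "br0", "eth0": "br0", "ath0.1": "br1"}

# Service names used in the thread's rules, resolved as /etc/services would.
SERVICES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}


def netfilter_in_iface(physical_iface):
    """Interface name that '-i' in the INPUT chain is compared against."""
    return BRIDGE_MEMBERS.get(physical_iface, physical_iface)


def parse_rule(cmd):
    """Parse one 'iptables -I|-A INPUT ...' command into (how, rule dict)."""
    argv = shlex.split(cmd)
    if len(argv) < 3 or argv[0] != "iptables" or argv[1] not in ("-I", "-A") or argv[2] != "INPUT":
        raise ValueError(f"only 'iptables -I/-A INPUT ...' is supported: {cmd}")
    rule = {"in": None, "src": None, "proto": None, "dport": None, "target": None}
    opts = argv[3:]
    for opt, val in zip(opts[::2], opts[1::2]):
        if opt == "-i":
            rule["in"] = val
        elif opt == "-s":
            rule["src"] = val
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = int(val) if val.isdigit() else SERVICES[val]
        elif opt == "-j":
            rule["target"] = val
        elif opt != "--reject-with":  # the reject type does not affect matching
            raise ValueError(f"unsupported option {opt}")
    return argv[1], rule


def build_chain(commands):
    """Apply commands in order: -I inserts at the top, -A appends at the bottom."""
    chain = []
    for cmd in commands:
        how, rule = parse_rule(cmd)
        if how == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def matches(rule, pkt):
    """A rule matches when every criterion it specifies equals the packet's value."""
    return all(rule[k] is None or rule[k] == pkt[k] for k in ("in", "src", "proto", "dport"))


def verdict(chain, physical_iface, src, proto, dport, policy="ACCEPT"):
    """Verdict of the first matching rule, or the chain policy if none matches."""
    pkt = {"in": netfilter_in_iface(physical_iface), "src": src,
           "proto": proto, "dport": dport}
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def dead_interface_rules(chain):
    """Audit: rules whose '-i' names a bridge port. They can never match in INPUT."""
    return [r for r in chain if r["in"] in BRIDGE_MEMBERS]


# The original attempt from the first post (rule on the bridge port).
ATTEMPT_ATH0 = [
    "iptables -I INPUT -i ath0 -p tcp --dport 80 -j REJECT --reject-with tcp-reset",
]

# The working rules from the last post, in the order they were issued.
SOLUTION_BR0 = [
    "iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT --reject-with tcp-reset",
    "iptables -I INPUT -i br0 -p tcp --dport 53 -j REJECT --reject-with tcp-reset",
    "iptables -I INPUT -i br0 -p tcp --dport 2048 -j REJECT --reject-with tcp-reset",
    "iptables -I INPUT -s 192.168.2.2 -p tcp --dport 80 -j ACCEPT",
    "iptables -I INPUT -s 192.168.2.2 -p tcp --dport 53 -j ACCEPT",
    "iptables -I INPUT -s 192.168.2.2 -p tcp --dport 2048 -j ACCEPT",
]


def demo():
    """Verdicts for a constructed WiFi client (192.168.2.50) and the admin host."""
    attempt, fixed = build_chain(ATTEMPT_ATH0), build_chain(SOLUTION_BR0)
    return {
        # '-i ath0' never matches: the packet is seen on br0, so the policy applies
        "ath0_rule_client_80": verdict(attempt, "ath0", "192.168.2.50", "tcp", 80),
        "br0_rule_client_80": verdict(fixed, "ath0", "192.168.2.50", "tcp", 80),
        "br0_rule_admin_80": verdict(fixed, "ath0", "192.168.2.2", "tcp", 80),
        "br0_rule_client_443": verdict(fixed, "ath0", "192.168.2.50", "tcp", 443),
        # the ACCEPT rules carry no '-i br0', so in this model they also fire for
        # a packet claiming 192.168.2.2 as source on the WAN interface
        "br0_rule_spoofed_wan_80": verdict(fixed, "eth1", "192.168.2.2", "tcp", 80),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("dead rules in attempt:", len(dead_interface_rules(build_chain(ATTEMPT_ATH0))))
```

Two checks follow from the model. On the router itself, `brctl show` lists which ports belong to each bridge, and `iptables -L INPUT -v -n` shows per-rule packet counters; a rule written against a bridge port stays at zero hits no matter how much traffic its clients generate, which is the quickest way to spot this mistake. The last entry in `demo()` is a caveat on the final rules as posted: because the admin-host ACCEPT rules match on source address only, adding `-i br0` to them ties the exception to the LAN bridge as well, which is what the REJECT rules already do.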