Alteros DD-WRT Novice Joined: 22 May 2019 Posts: 10
Posted: Wed May 22, 2019 15:37 Post subject: iptables firewall help
Hello.
First, sorry for my English.
I need help.
Hardware: TP-Link Archer C8 rev.1
Software: DD-WRT v3.0-r37305 (10/10/2018)
Mission: I need 4 isolated networks.
Latest settings:
Alteros DD-WRT Novice Joined: 22 May 2019 Posts: 10
Posted: Wed May 22, 2019 15:42 Post subject:
continued
Alteros DD-WRT Novice Joined: 22 May 2019 Posts: 10
Posted: Wed May 22, 2019 15:44 Post subject:
continue
Alteros DD-WRT Novice Joined: 22 May 2019 Posts: 10
Posted: Wed May 22, 2019 15:46 Post subject:
continue
Alteros DD-WRT Novice Joined: 22 May 2019 Posts: 10
Posted: Wed May 22, 2019 15:47 Post subject:
continue
Alteros DD-WRT Novice Joined: 22 May 2019 Posts: 10
Posted: Wed May 22, 2019 15:48 Post subject:
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br3 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j ACCEPT
# -s/-d take IP addresses or networks, not interface names; bridges are matched with -i/-o
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br0 -o br2 -j ACCEPT
iptables -I FORWARD -i br0 -o br3 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br3 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br3 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br3 -p tcp --dport 53 -j ACCEPT
As a result, no device can connect to the networks.
Alteros DD-WRT Novice Joined: 22 May 2019 Posts: 10
Posted: Wed May 22, 2019 16:23 Post subject:
Thank you.
What does this mean:
Code:
# takes the last field of the "default" line of the routing table, i.e. the name of the interface the default route leaves through (the WAN interface)
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
Alteros DD-WRT Novice Joined: 22 May 2019 Posts: 10
Posted: Wed May 22, 2019 16:43 Post subject:
I have done everything according to the instructions. I can't connect devices to any network.
Alteros DD-WRT Novice Joined: 22 May 2019 Posts: 10
Posted: Wed May 22, 2019 17:29 Post subject:
Please check the iptables configuration for the settings above. Tell me where the mistakes are, please.
Code:
iptables -I INPUT -i br1 -j REJECT
iptables -I INPUT -i br2 -j REJECT
iptables -I INPUT -i br3 -j REJECT
iptables -I INPUT -p icmp -i br1 -j ACCEPT
iptables -I INPUT -p icmp -i br2 -j ACCEPT
iptables -I INPUT -p icmp -i br3 -j ACCEPT
iptables -I INPUT -p udp -i br1 --dport 67 -j ACCEPT
iptables -I INPUT -p udp -i br2 --dport 67 -j ACCEPT
iptables -I INPUT -p udp -i br3 --dport 67 -j ACCEPT
iptables -I INPUT -p tcp -i br1 --dport 53 -j ACCEPT
iptables -I INPUT -p udp -i br1 --dport 53 -j ACCEPT
iptables -I INPUT -p tcp -i br2 --dport 53 -j ACCEPT
iptables -I INPUT -p udp -i br2 --dport 53 -j ACCEPT
iptables -I INPUT -p tcp -i br3 --dport 53 -j ACCEPT
iptables -I INPUT -p udp -i br3 --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br0 -p tcp -d 192.168.1.100 --dport 9100 \
-m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br3 -m state --state NEW -j REJECT
# $(...) substitutes the interface name; "nvram get wan_iface" in plain quotes is taken as a literal interface name
iptables -t nat -I POSTROUTING -s "192.168.3.0/24" -o "$(nvram get wan_iface)" -j MASQUERADE
iptables -t nat -I POSTROUTING -s "192.168.4.0/24" -o "$(nvram get wan_iface)" -j MASQUERADE
iptables -t nat -I POSTROUTING -s "192.168.5.0/24" -o "$(nvram get wan_iface)" -j MASQUERADE
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Alteros DD-WRT Novice Joined: 22 May 2019 Posts: 10
Posted: Wed May 22, 2019 19:36 Post subject:
Thank you very much.
Please, help me with this:
Source: https://wiki.dd-wrt.com/wiki/index.php/Multiple_WLANs
1.
Quote: Enable NAT on the WAN port to correct a bug in builds over 17000 (doesn't make sense on WAP's)
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
2.
Quote: Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
Code:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
3.
Quote: Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)
Code:
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
And this:
Source: https://pastebin.com/r4u62P0B
1.
Quote: # nat guest network over WAN (internet)
Code:
iptables -t nat -I POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
In summary, I can't connect any device to any VIRTUAL interface.
I have tested many variants of iptables rules, but the result is that I can't connect to the networks.
Some information: the router has 2 physical interfaces, 2.4 GHz and 5 GHz. If I connect to the physical interfaces, all is OK. I can isolate the 2 physical interfaces with iptables, but with virtual interfaces it DOESN'T WORK.
Thank you.
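Added example, not code from this thread or from the DD-WRT wiki: a script that builds the isolation the rulesets above are after (each guest bridge gets DHCP, DNS and internet from the router and nothing else) in one custom chain, so the effective order no longer depends on how many -I inserts came before. Assumed names: br0 is the LAN bridge, br1 br2 br3 are the guest bridges, and the WAN interface name is read from nvram with a vlan2 fallback so the script can be dry-run off the router.

```shell
#!/bin/sh
# Added example (not from the thread): isolate DD-WRT guest bridges in a
# dedicated chain that is evaluated top to bottom, before the stock rules.
# Assumptions: guest networks on br1 br2 br3, trusted LAN on br0, WAN name
# from nvram (falls back to vlan2 when nvram is absent, e.g. off-router).
IPT="${IPT:-iptables}"          # set IPT="echo iptables" to print instead of apply
GUEST_BRIDGES="${GUEST_BRIDGES:-br1 br2 br3}"
WAN_IF="${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo vlan2)}"

guest_rules() {
    # Fresh chain with a single jump from FORWARD; re-running the script
    # flushes the chain and re-creates the jump instead of stacking copies.
    $IPT -N guest_isolation 2>/dev/null || $IPT -F guest_isolation
    $IPT -D FORWARD -j guest_isolation 2>/dev/null
    $IPT -I FORWARD -j guest_isolation
    # Replies to connections that were already accepted pass (SPI firewall on).
    $IPT -A guest_isolation -m state --state ESTABLISHED,RELATED -j ACCEPT
    for br in $GUEST_BRIDGES; do
        # Router-side services a guest client needs: DHCP and DNS only.
        $IPT -I INPUT -i "$br" -p udp --dport 67 -j ACCEPT
        $IPT -I INPUT -i "$br" -p udp --dport 53 -j ACCEPT
        $IPT -I INPUT -i "$br" -p tcp --dport 53 -j ACCEPT
        # Guests may reach the internet ...
        $IPT -A guest_isolation -i "$br" -o "$WAN_IF" -j ACCEPT
        # ... and nothing else: not br0, not another guest bridge, and no
        # new connection may be opened towards the guest bridge.
        $IPT -A guest_isolation -i "$br" -j DROP
        $IPT -A guest_isolation -o "$br" -j DROP
    done
    # NAT guest traffic once on the WAN interface. $(...) substitutes the
    # name; a quoted "nvram get wan_iface" string would be used literally.
    $IPT -t nat -I POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Traffic that involves no guest bridge falls off the end of the chain and
# continues through the stock DD-WRT FORWARD rules unchanged.
if [ "${1:-}" = "apply" ]; then
    guest_rules
fi
```

Run it as IPT="echo iptables" sh guest.sh apply to review the generated rules before saving them as the firewall script under Administration > Commands on the router.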