[SOLVED] iptable question

BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Mon Aug 29, 2022 7:39
Per Yngve Berg wrote:
Add the allow rules to the printer etc. before the den rule to the subnet.


Only works if the allow rule is AFTER the deny rule :)
Code:

#Replace with the appropriate interface of your VAP, e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wl0.1"

#Net Isolation does not work on a WAP so keep it disabled, add for isolating VAP/Bridge from main network:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 192.168.10.0/24 -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 192.168.20.0/24 -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 192.168.30.0/24 -m state --state NEW -j REJECT

#Allow
iptables -I FORWARD -i $GUEST_IF -d 192.168.10.10 -j ACCEPT
iptables -I FORWARD -i $GUEST_IF -d 192.168.20.20 -j ACCEPT

#For isolating the WAP itself from the VAP:
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Mon Aug 29, 2022 19:49
And another question:

How to disable internet on some devices. Only LAN should work.

The problem: I can't read out the WAN IP, because the DD-WRT gets the Internet over LAN from the Fritzbox.

Or is there another method to read out the WAN IP?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6855
Location: Romerike, Norway

Posted: Mon Aug 29, 2022 20:22
BassT wrote:
Only works if the allow rule is AFTER the deny rule :)


The rule must be before, otherwise the deny will be executed first.

However when you insert, the last inserted rule will be the first in the chain.
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Tue Aug 30, 2022 7:05
Per Yngve Berg wrote:
The rule must be before, otherwise the deny will be executed first.

However when you insert, the last inserted rule will be the first in the chain.


You are right, the chain looks like this:
Code:

Chain FORWARD (policy ACCEPT 49M packets, 30G bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  wl0.1  *       0.0.0.0/0            192.168.20.20       
    0     0 ACCEPT     all  --  wl0.1  *       0.0.0.0/0            192.168.10.20       
  656 46185 ACCEPT     all  --  wl0.1  *       0.0.0.0/0            192.168.10.10       
 9098  543K REJECT     all  --  wl0.1  *       0.0.0.0/0            192.168.30.0/24      state NEW reject-with icmp-port-unreachable
   91  5460 REJECT     all  --  wl0.1  *       0.0.0.0/0            192.168.20.0/24      state NEW reject-with icmp-port-unreachable
  152  9120 REJECT     all  --  wl0.1  *       0.0.0.0/0            192.168.10.0/24      state NEW reject-with icmp-port-unreachable
 8045  488K REJECT     all  --  wl0.1  *       0.0.0.0/0            192.168.21.0/24      state NEW reject-with icmp-port-unreachable


Do you also have an idea how to deny internet access to some devices?
How to find the WAN IP if WAN comes over a LAN port?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6855
Location: Romerike, Norway

Posted: Tue Aug 30, 2022 15:26
The WAN: -o `get_wanface`
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Tue Aug 30, 2022 16:34
Per Yngve Berg wrote:
The WAN: -o `get_wanface`


The output is "br0", but blocking br0 will not work, because I have a static route in the main router (FritzBox).

Also, wan_ipaddr brings only 0.0.0.0 because WAN comes via LAN, ...

So, how to block WAN IP for some specific devices?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6855
Location: Romerike, Norway

Posted: Tue Aug 30, 2022 19:07
Use the not operator "!"

iptables -I FORWARD -s 192.168.10.10 ! -d 192.168.0.0/16 -m state --state NEW -j REJECT
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Tue Aug 30, 2022 21:25
Per Yngve Berg wrote:
Use the not operator "!"

iptables -I FORWARD -s 192.168.10.10 ! -d 192.168.0.0/16 -m state --state NEW -j REJECT


doesn't work :(
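The two things argued about in this thread, rule order (every `-I` lands at the head of the chain, so the allow rules must be inserted last to end up first) and the "!" rule that keeps a host LAN-only when the WAN address is unknown, are combined in the added script below. It is not code from the thread or from DD-WRT. It puts the guest-VAP rules in a dedicated user chain filled with `-A`, so they are evaluated in exactly the order written, and hooks that chain into FORWARD with a single `-I`. The chain name GUEST_FW, the interface wl0.1, the 192.168.x.x addresses and the LAN-only host 192.168.10.50 are assumptions for illustration; with `IPT=echo` the script prints the commands instead of applying them, which is a cheap way to check the order before touching a live router.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): guest-VAP isolation with a
# user chain so the rule order is the order written, plus a LAN-only rule.
# GUEST_IF, GUEST_FW, the 192.168.x.x addresses and LAN_ONLY_HOSTS are
# assumed values; set IPT=echo to print the commands instead of applying them.

IPT="${IPT:-iptables}"
GUEST_IF="${GUEST_IF:-wl0.1}"                       # guest VAP interface (assumed)
GUEST_FW="${GUEST_FW:-GUEST_FW}"                    # user chain name (assumed)
LAN_ONLY_HOSTS="${LAN_ONLY_HOSTS:-192.168.10.50}"   # constructed sample host

guest_rules() {
    # -N creates the chain (fails harmlessly if it exists); -F empties it
    # so the script can be re-run without piling up duplicate rules.
    $IPT -N "$GUEST_FW" 2>/dev/null || true
    $IPT -F "$GUEST_FW"
    # 1. Explicit allows first. -A appends, so these stay at the top of the
    #    user chain no matter how many rules follow.
    $IPT -A "$GUEST_FW" -d 192.168.10.10 -j ACCEPT
    $IPT -A "$GUEST_FW" -d 192.168.20.20 -j ACCEPT
    # 2. Then deny NEW connections to every 192.168.x.x subnet in one rule
    #    (covers the /24s listed in the thread; widen if other private ranges
    #    such as 10.0.0.0/8 are in use). Established flows are untouched.
    $IPT -A "$GUEST_FW" -d 192.168.0.0/16 -m state --state NEW -j REJECT
    # 3. Anything else (Internet) goes back to FORWARD and its policy.
    #    Reaching the end of a user chain returns anyway; RETURN is explicit.
    $IPT -A "$GUEST_FW" -j RETURN
    # One insert at the head of FORWARD hands all guest traffic to the chain.
    $IPT -I FORWARD -i "$GUEST_IF" -j "$GUEST_FW"
}

lan_only_rules() {
    # The "!" idea from the thread: a host may open connections to
    # 192.168.0.0/16 but to nothing else, which blocks the Internet without
    # knowing the WAN interface or the WAN IP. Note the space in "! -d".
    for host in $LAN_ONLY_HOSTS; do
        $IPT -I FORWARD -s "$host" ! -d 192.168.0.0/16 -m state --state NEW -j REJECT
    done
}

# Only apply when explicitly asked, e.g. "sh guest.sh apply" on the router.
case "${1:-}" in
    apply) guest_rules; lan_only_rules ;;
esac
```

After `sh guest.sh apply`, `iptables -L FORWARD -v -n --line-numbers` shows the jump to GUEST_FW at line 1 and `iptables -L GUEST_FW -v -n` shows the ACCEPT rules above the REJECT, the order the thread was after. The negated destination must be written as `! -d` with a space: iptables expects `!` as its own argument, and `!-d` is not understood as an option.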