iptables via command shell in DD-WRT v24-sp2

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
jnun
DD-WRT Novice


Joined: 13 Dec 2010
Posts: 10

PostPosted: Fri Dec 17, 2010 5:40    Post subject: iptables via command shell in DD-WRT v24-sp2
Hello,

I was wondering if using the command shell under Administration -> Commands to enter iptables information works or not. I entered the following, following this guide http://www.dd-wrt.com/wiki/index.php/Iptables#Allow_HTTP_traffic_only_to_specific_domain.28s.29, to try and allow traffic from 192.168.1.254 to be able to access 10.0.0.2 and deny hosts 192.168.1.0 through 192.168.1.252. However, it isn't working and I'm not sure if it is a mistake I made in the iptables command or the way I'm trying to implement it.

iptables -I FORWARD -s 192.168.1.254 -d 10.0.0.2 -j ACCEPT
iptables -I FORWARD -s 192.168.1.0-192.168.1.252 -d 10.0.0.2 -j DROP

Thank you for your assistance.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Fri Dec 17, 2010 6:08    Post subject:
The syntax is correct, but you have to do 2 things differently.

1. If you insert rules in the chain, the rules will end up in reverse order. So, you have to start with the DROP rule and then the ACCEPT.

2. You should put them in 'Save Firewall'. This way they will survive a reload of the firewall which happens often.

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
jnun
DD-WRT Novice


Joined: 13 Dec 2010
Posts: 10

PostPosted: Fri Dec 17, 2010 6:35    Post subject:
Thank you for your reply and the helpful information. However, I can still ping 10.0.0.x from a 192.168.1.x computer that is in the DROP.


iptables -I FORWARD -s 192.168.1.0-192.168.1.252 -d 10.0.0.2 -j DROP
iptables -I FORWARD -s 192.168.1.254 -d 10.0.0.2 -j ACCEPT

I have also Saved Firewall but I can still get through. I have a Cisco Catalyst 2950 in between the computers on 10.0.0.x and the computers on the router at 192.168.1.x. I have a trunk setup to allow VLAN 2 (the VLAN the 10.0.0.xs are on) to communicate with VLAN 1. On the other side (10.0.0.x), I can only ping 192.168.1.254 but nothing else. I want to make both sides not be able to talk to each other and only see the router.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Fri Dec 17, 2010 20:45    Post subject:
jnun wrote:
iptables -I FORWARD -s 192.168.1.0-192.168.1.252 -d 10.0.0.2 -j DROP
iptables -I FORWARD -s 192.168.1.254 -d 10.0.0.2 -j ACCEPT

This is not correct syntax, -s and -d require an IP or IP/netmask.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
jnun
DD-WRT Novice


Joined: 13 Dec 2010
Posts: 10

PostPosted: Fri Dec 17, 2010 20:59    Post subject:
phuzi0n wrote:
This is not correct syntax, -s and -d require an IP or IP/netmask.


I originally had 192.168.1.0-192.168.1.252/255.255.255.0 and it did not work. Are you saying that you cannot do an IP range in the command and only one IP address?
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Fri Dec 17, 2010 21:07    Post subject:
I did a very quick and dirty check this morning before going to work, but Phuzion's correct.
Somehow the rule was inserted, but it got malformed.
That range was replaced by my WAN-IP (how strange?)

But why don't you do it like this?

Code:
iptables -I FORWARD -s 192.168.1.0/24 -d 10.0.0.2 -j DROP
iptables -I FORWARD -s 192.168.1.254 -d 10.0.0.2 -j ACCEPT

It seems you really want this:
Code:
iptables -I FORWARD -s 192.168.1.0/24 -d 10.0.0.2 -j DROP
iptables -I FORWARD -s 192.168.1.252/30 -d 10.0.0.2 -j ACCEPT

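A constructed Python model (added here; not code from the thread or from DD-WRT) of the two points frater and phuzi0n make: `-I` prepends, so the rule typed last is matched first, and `-s`/`-d` take a single address or an address/prefix, never a dashed range. It also lists which hosts frater's `192.168.1.252/30` actually covers.

```python
import ipaddress

# Constructed model of a netfilter chain with first-match semantics.
# "-I" prepends a rule, so the rule inserted last is evaluated first;
# "-A" appends. This is an illustration of the ordering, not iptables itself.

def parse_rule(src, dst, target):
    """Mirror what -s/-d accept: one address or address/prefix (or /netmask).
    A dashed range such as 192.168.1.0-192.168.1.252 raises ValueError,
    just as plain iptables rejects it."""
    return (ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False), target)

def build_chain(commands):
    """commands: (flag, src, dst, target) tuples in the order they are typed."""
    chain = []
    for flag, src, dst, target in commands:
        rule = parse_rule(src, dst, target)
        chain = [rule] + chain if flag == "-I" else chain + [rule]
    return chain

def verdict(chain, src, dst, policy="ACCEPT"):
    """First matching rule wins; otherwise fall through to the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, target in chain:
        if s in src_net and d in dst_net:
            return target
    return policy

# Order as first attempted in the thread: ACCEPT typed first, DROP second.
WRONG_ORDER = [("-I", "192.168.1.254", "10.0.0.2", "ACCEPT"),
               ("-I", "192.168.1.0/24", "10.0.0.2", "DROP")]
# Order frater recommended: DROP typed first so the ACCEPT ends up on top.
RIGHT_ORDER = [("-I", "192.168.1.0/24", "10.0.0.2", "DROP"),
               ("-I", "192.168.1.254", "10.0.0.2", "ACCEPT")]

def hosts_matched(cidr):
    """Every address a -s CIDR argument covers, e.g. frater's 192.168.1.252/30."""
    return [str(a) for a in ipaddress.ip_network(cidr, strict=False)]

if __name__ == "__main__":
    for name, cmds in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        chain = build_chain(cmds)
        print(name, [r[2] for r in chain],
              "254->", verdict(chain, "192.168.1.254", "10.0.0.2"),
              "10->", verdict(chain, "192.168.1.10", "10.0.0.2"))
    print("192.168.1.252/30 matches", hosts_matched("192.168.1.252/30"))
```

Note that the /30 in frater's second version admits .252, .253 and .255 as well as .254, which is broader than the original request to deny everything up to .252. A dashed range is expressible in iptables only through the iprange match extension (`-m iprange --src-range`), which the thread does not use.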
jnun
DD-WRT Novice


Joined: 13 Dec 2010
Posts: 10

PostPosted: Fri Dec 17, 2010 21:33    Post subject:
It's working now. Thanks a bunch, you two.