Joined: 03 Jun 2011 Posts: 131 Location: Erie, PA., USA
Posted: Sat Dec 03, 2011 18:44 Post subject: Block guest users from accessing dd-wrt web gui
Hi all,
I'm trying to set up a d-link dir615c1 with v14929 to have a private and a public wlan. The private wlan & lan are 192.168.1.x (br0) and the public wlan is 192.168.5.x (br1). They are both working and I can access both via my wireless enabled laptop. I have also edited the IPTABLES to block users on the public wlan from accessing the private wlan and also the reverse. That is also working just fine. My problem is that if I am signed into the public wlan and have verified my laptop's ip is 192.168.5.130, I can still type 192.168.1.1 and access the dd-wrt web gui from the guest wlan. I am trying to block this, so that I can only access the web gui from the private lan and guest users cannot access it. From what I have read on the wiki, I think this edit to the firewall iptables should work:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -N logdrop
iptables -F logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP
iptables -I INPUT -i br1 -s 192.168.5.0/24 -p tcp --dport 80 -j logdrop
iptables -I INPUT -i br1 -s 192.168.5.0/24 -p tcp --dport 22 -j logdrop
iptables -I INPUT -i br1 -s 192.168.5.0/24 -p tcp --dport 23 -j logdrop
However, I can still reach 192.168.1.1 from the 192.168.5.x subnet. If I ping any other ip address 192.168.1.x from the 192.168.5.x subnet, I get no response. But I can still see the 192.168.1.1 web gui from the 192.168.5.x subnet. Please advise what I'm doing wrong. I'm surprised I can't find this on the wiki as I would think that everyone setting up a private and public wlan would want to do this.
Joined: 06 Feb 2010 Posts: 7400 Location: Little Rock
Posted: Sat Dec 03, 2011 19:48 Post subject:
When you say you have no internet access for the guest wlan (br1), how are you testing it? Logging into the guest wlan and trying to access the web? If so you may need to remove your other rules and re-try.
Joined: 03 Jun 2011 Posts: 131 Location: Erie, PA., USA
Posted: Sat Dec 03, 2011 20:09 Post subject:
Hi buddee,
I tried it both ways, rebooting the router after each change. Here is what I currently have in my iptables:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
I have internet access from my WPA2 AES protected private wlan, but no internet access from my open public wlan.
This will block all traffic from your br0 (private lan & wlan) to br1 (public wlan) and all traffic from br1 to br0. It also blocks br1 (public wlan) from accessing the web gui, so that your router stays secure, and only allows access from the private side of the network. Both private and public networks have access to the internet.
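As an added example (my own script, not from the thread or the dd-wrt project), a firewall-script fragment that combines the rule sets above: the posted dport rules lacked the -p tcp match that --dport requires, and the blanket "-I INPUT -i br1 ... NEW -j DROP" in the later post also drops the guest clients' DHCP and DNS requests, which the router itself answers, so the guest wlan lost internet. The ipt wrapper, the guest_lockdown function and the IPTABLES dry-run variable are assumptions of mine; bridge names and subnets are as in the thread.

```shell
#!/bin/sh
# Guest-bridge lockdown for dd-wrt (example code, not the project's own).
# Assumes br0 = private 192.168.1.0/24, br1 = guest 192.168.5.0/24.
# Set IPTABLES=echo to print the rules instead of applying them.
ipt() { "${IPTABLES:-iptables}" "$@"; }

guest_lockdown() {
    # No forwarding between the two bridges in either direction.
    ipt -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    ipt -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

    # Logging drop target so guest attempts show up in the router log.
    ipt -N logdrop 2>/dev/null
    ipt -F logdrop
    ipt -A logdrop -m limit --limit 5/min -j LOG --log-prefix "guest-mgmt: "
    ipt -A logdrop -j DROP

    # Each -I goes to the top of INPUT, so the LAST line below is
    # evaluated FIRST. Resulting order: DHCP, DNS (tcp+udp) accepted,
    # then every other NEW connection from br1 to the router itself
    # (web gui 80/443, ssh 22, telnet 23, ...) is logged and dropped.
    # Replies to guest internet traffic are ESTABLISHED, not NEW.
    ipt -I INPUT -i br1 -m state --state NEW -j logdrop
    ipt -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    ipt -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
    ipt -I INPUT -i br1 -p udp --dport 67:68 -j ACCEPT
}

# Run as "sh script apply" (or call guest_lockdown at the end of the
# dd-wrt firewall script); with no argument it only defines the function.
case "${1:-}" in apply) guest_lockdown ;; esac
```

Check the result from the guest side with iptables -L INPUT -nv --line-numbers: the three ACCEPT lines must sit above the logdrop line, otherwise DHCP and DNS are dropped and guests lose internet again.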