Block guest users from accessing dd-wrt web gui

Author Message
JMMazza53
DD-WRT User


Joined: 03 Jun 2011
Posts: 131
Location: Erie, PA., USA

PostPosted: Sat Dec 03, 2011 18:44    Post subject: Block guest users from accessing dd-wrt web gui
Hi all,
I'm trying to set up a d-link dir615c1 with v14929 to have a private and public wlan. The private wlan & lan is 192.168.1.x (br0) and the public wlan is 192.168.5.x (br1). They are both working and I can access both via my wireless enabled laptop. I have also edited the IPTABLES to block users on the public wlan from accessing the private wlan and also the reverse. That is also working just fine. My problem is that if I am signed into the public wlan and have verified my laptop's ip is 192.168.5.130, I can still type 192.168.1.1 and access the dd-wrt web gui from the guest wlan. I am trying to block this, so that I can only access the web gui from the private lan and guest users cannot access it. From what I have read on the wiki, I think this edit to the firewall iptables should work:

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -N logdrop
iptables -F logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP
iptables -I INPUT -i br1 -s 192.168.5.0/24 tcp --dport 80 -j logdrop
iptables -I INPUT -i br1 -s 192.168.5.0/24 tcp --dport 22 -j logdrop
iptables -I INPUT -i br1 -s 192.168.5.0/24 tcp --dport 23 -j logdrop

However, I can still reach 192.168.1.1 from the 192.168.5.x subnet. If I ping any other ip address 192.168.1.x from the 192.168.5.x subnet, I get no response. But I can still see the 192.168.1.1 web gui from the 192.168.5.x subnet. Please advise what I'm doing wrong. I'm surprised I can't find this on the wiki as I would think that everyone setting up a private and public wlan would want to do this.

Thanks!

John
buddee
DD-WRT Guru


Joined: 06 Feb 2010
Posts: 7401
Location: Little Rock

PostPosted: Sat Dec 03, 2011 19:02    Post subject:
Have you tried this rule? It will block access to the router's local sockets.

iptables -I INPUT -i br1 -m state --state NEW -j DROP

_________________
Wireless N Config | Linking Routers | DD-WRT Wiki | DD-WRT Builds | Peacock - Broadcom FAQ

Having problems with port forwarding? Check out Port Forward Troubleshooting for more info.
JMMazza53
DD-WRT User


Joined: 03 Jun 2011
Posts: 131
Location: Erie, PA., USA

PostPosted: Sat Dec 03, 2011 19:34    Post subject: Block guest users from accessing dd-wrt web gui
Hi buddee,

Thanks for the quick reply. When I add your line to my firewall iptables:

Quote:
iptables -I INPUT -i br1 -m state --state NEW -j DROP


I can still access the router, but I have no internet access for the guest wlan. Any other suggestions?

John
buddee
DD-WRT Guru


Joined: 06 Feb 2010
Posts: 7401
Location: Little Rock

PostPosted: Sat Dec 03, 2011 19:48    Post subject:
When you say you have no internet access for the guest wlan (br1), how are you testing it? Logging into the guest wlan and trying to access the web? If so, you may need to remove your other rules and retry.

Remove these:

iptables -I INPUT -i br1 -s 192.168.5.0/24 tcp --dport 80 -j logdrop
iptables -I INPUT -i br1 -s 192.168.5.0/24 tcp --dport 22 -j logdrop
iptables -I INPUT -i br1 -s 192.168.5.0/24 tcp --dport 23 -j logdrop

Then add mine in place and then re-try and see if that gives success. My rule is going to block all of those services from the guest wlan, so you shouldn't need those other 3 rules.

JMMazza53
DD-WRT User


Joined: 03 Jun 2011
Posts: 131
Location: Erie, PA., USA

PostPosted: Sat Dec 03, 2011 20:09    Post subject:
Hi buddee,

I tried it both ways, rebooting the router after each change. Here is what I currently have in my iptables:

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP

I have internet access from my WPA2 AES protected private wlan, but no internet access from my open public wlan.

Thanks for your quick responses! Any other ideas?

John
JMMazza53
DD-WRT User


Joined: 03 Jun 2011
Posts: 131
Location: Erie, PA., USA

PostPosted: Sat Dec 03, 2011 21:27    Post subject:
Hi buddee and all,

I finally found it and figured it out!

Put this into your firewall iptables:

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

This will block all traffic from your br0 (private lan & wlan) to br1 (public wlan) and all traffic from br1 to br0. It also blocks br1 (public wlan) from accessing the web gui, so that your router stays secure, and only allows access from the private side of the network. Both private and public networks have access to the internet.

Thanks buddee for your excellent input.

John
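One way to apply the final rule set from this post in DD-WRT's firewall script, as an added example that is not code from the thread. It assumes br0/br1 as in the thread and an IPT variable naming the iptables binary, and wraps each rule in an `iptables -C` check so re-running the script does not stack duplicate copies. It matches only the management ports on TCP rather than dropping every NEW packet on br1, because the blanket INPUT DROP tried earlier also discards the guests' DHCP and DNS requests to the router, which is why the guest wlan lost internet access.

```shell
#!/bin/sh
# Added example, not from the thread: guest isolation + GUI lockout for DD-WRT.
# Assumptions: private bridge br0, guest bridge br1, IPT = iptables binary.
PRIVATE_IF=${PRIVATE_IF:-br0}
GUEST_IF=${GUEST_IF:-br1}
IPT=${IPT:-iptables}

# Insert a rule at the top of a chain unless an identical rule already exists.
# -I puts it ahead of DD-WRT's own ACCEPT rules, which is what makes it apply.
ensure_rule() {
    chain=$1
    shift
    "$IPT" -C "$chain" "$@" 2>/dev/null || "$IPT" -I "$chain" "$@"
}

# Stop new connections crossing between the two bridges in either direction.
# Replies to established flows still pass, so internet access is unaffected.
isolate_bridges() {
    ensure_rule FORWARD -i "$GUEST_IF" -o "$PRIVATE_IF" -m state --state NEW -j DROP
    ensure_rule FORWARD -i "$PRIVATE_IF" -o "$GUEST_IF" -m state --state NEW -j DROP
}

# Refuse the router's management services (telnet, ssh, www, https) on the
# guest bridge only. Numeric ports avoid relying on /etc/services on BusyBox.
# UDP 67 (DHCP) and 53 (DNS) are untouched, so guests still get leases/lookups.
block_guest_admin() {
    for port in 23 22 80 443; do
        ensure_rule INPUT -i "$GUEST_IF" -p tcp --dport "$port" \
            -j REJECT --reject-with tcp-reset
    done
}

apply_guest_isolation() {
    isolate_bridges
    block_guest_admin
}

# Run as: sh guest-isolation.sh apply   (or paste the functions into the
# firewall script and call apply_guest_isolation). Preview with IPT=echo.
if [ "${1:-}" = "apply" ]; then
    apply_guest_isolation
fi
```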
buddee
DD-WRT Guru


Joined: 06 Feb 2010
Posts: 7401
Location: Little Rock

PostPosted: Sun Dec 04, 2011 2:54    Post subject:
Most excellent! I was out earlier, but was about to start breaking it down rule by rule, but I see you figured that out and it works; good to know for future uses.
fyi2000
DD-WRT Guru


Joined: 04 Apr 2010
Posts: 642

PostPosted: Sun Dec 04, 2011 3:33    Post subject:
Iptables command - DD-WRT Wiki - Reject clients from accessing the router's configuration
_________________
DD-WRT Forum - Atheros Recommended Build
All times are GMT