Restrict Access to Web GUI Management on LAN?

DD-WRT Forum Index -> Advanced Networking
fds6e5vgvbjs45vtc4wtw
DD-WRT Novice


Joined: 01 Feb 2015
Posts: 4

PostPosted: Sun Feb 01, 2015 3:22    Post subject: Restrict Access to Web GUI Management on LAN?
Does anyone have any ideas on different approaches to restricting access to Web GUI Management on the LAN?

WAN Access Policy does a great job for restricting WAN Access but unfortunately this does not seem to apply to LAN. If it could be set to LAN then it would be 100% perfect for what I’m trying to achieve.

I’d like to restrict a number of devices on my LAN from being able to get to Web GUI Management on my router/firewall. Since this is also the default gateway for these devices, they cannot be blocked altogether from the IP address in question.

I’ve tried a few approaches, none of which worked to achieve my objective.

Any feedback/ideas appreciated.
fds6e5vgvbjs45vtc4wtw
DD-WRT Novice


Joined: 01 Feb 2015
Posts: 4

PostPosted: Sun Feb 01, 2015 5:40
Thanks, DD-WRT Guru.

Presumably 192.168.1.100 is the router, in which case it would block all LAN webadmin access? Is there any way to restrict according to the client IP/range, or only allow if the MAC address matches X or Y?

My goal is to still be able to access webadmin but just by a restricted IP, MAC or perhaps selected port which is only used for admin purposes.

iptables -I INPUT -p tcp -i br0 -s 192.168.1.100 --dport 80 -j REJECT --reject-with tcp-reset
fds6e5vgvbjs45vtc4wtw
DD-WRT Novice


Joined: 01 Feb 2015
Posts: 4

PostPosted: Sun Feb 01, 2015 5:58
Just a thought: what if I put one of the ports of the router onto a different bridge that's only patched in whenever I need to configure the router?

This way I would use your script to block bridge 0 for web admin, but connect to the other bridge, e.g. bridge 3, when needing access to web admin.

Would this be feasible?
fds6e5vgvbjs45vtc4wtw
DD-WRT Novice


Joined: 01 Feb 2015
Posts: 4

PostPosted: Tue Feb 03, 2015 9:50
Thanks for your feedback, eibgrad.

I was able to achieve my goal by putting all admin access on a separate bridge & VLAN. It's very restrictive, but that's the idea behind it, even if it is overkill.
e123enitan
DD-WRT Novice


Joined: 13 Mar 2017
Posts: 46

PostPosted: Fri Sep 08, 2017 18:40
Hi, how do I allow a single IP on the LAN to access the GUI, with all other IPs disallowed?

Thanks
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6416
Location: UK, London, just across the river..

PostPosted: Sat Sep 09, 2017 5:05
e123enitan wrote:
Hi, how do I allow a single IP on the LAN to access the GUI, with all other IPs disallowed?

Thanks


Well, you can use the MAC address to block/permit only.

So first reject all the input traffic, then specify only the permitted MAC address to access the GUI:

iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

It's not gonna work if you use a PPPoE WAN interface...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
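The two rules above only work because of the order they are issued in: `iptables -I` inserts at the top of the chain, so the catch-all REJECT has to go in first and every ACCEPT inserted afterwards lands above it. As an added example (not code from the thread or from DD-WRT), here is a small POSIX shell script that emits that rule set for any number of clients, by MAC address or by source IP. The bridge name br0 comes from the thread; GUI_PORT (80 by default, or whatever http_lanport has been changed to), the `ip` mode and the function names are this example's own assumptions. Paste the printed lines into Administration -> Commands -> Save Firewall.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT: print the iptables rules that
# restrict the web GUI on the LAN bridge to an allowlist of clients.
# Assumptions: LAN bridge br0 (from the thread); GUI_PORT defaults to 80 and
# should be set to the value of http_lanport if the GUI port was changed.

GUI_PORT="${GUI_PORT:-80}"
LAN_IF="${LAN_IF:-br0}"

# gen_gui_allowlist MODE CLIENT...
#   MODE is "mac" (CLIENTs are MAC addresses) or "ip" (CLIENTs are source IPs).
# Prints the rules in execution order. "iptables -I" prepends, so the REJECT
# is printed first; the ACCEPTs printed after it end up above it in INPUT.
# Issuing them the other way round would lock out the admin host as well.
gen_gui_allowlist() {
    mode="$1"; shift
    [ "$#" -gt 0 ] || { echo "gen_gui_allowlist: no clients given" >&2; return 1; }
    case "$mode" in
        mac) match='-m mac --mac-source' ;;
        ip)  match='-s' ;;
        *)   echo "gen_gui_allowlist: mode must be mac or ip" >&2; return 1 ;;
    esac
    # 1. default for the LAN side: reset any connection to the GUI port
    echo "iptables -I INPUT -i $LAN_IF -p tcp --dport $GUI_PORT -j REJECT --reject-with tcp-reset"
    # 2. exceptions, each inserted above the REJECT
    for client in "$@"; do
        echo "iptables -I INPUT -i $LAN_IF -p tcp --dport $GUI_PORT $match $client -j ACCEPT"
    done
}

# count_rules MODE CLIENT... : how many rules the generator emits
# (one REJECT plus one ACCEPT per client); a quick sanity check before pasting.
count_rules() {
    gen_gui_allowlist "$@" | wc -l | tr -d ' '
}

# Constructed sample run for one admin laptop (placeholder MAC, not a real
# device). With GUI_PORT=31337 in the environment the rules target that port.
gen_gui_allowlist mac 00:11:22:33:44:55
```

The `ip` mode is the answer to the "single IP" question in the same post: `gen_gui_allowlist ip 192.168.1.10` yields a REJECT plus one ACCEPT keyed on `-s`. Either way the rules only see traffic arriving on br0, so a device on a different bridge or VLAN is unaffected, which is exactly the separation the original poster ended up using.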
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Sat Sep 09, 2017 7:21    Post subject: Sneaky Bastage Tactics
Why not be sneakier and change the DD-WRT http microserver port to something other than 80?

Log in over telnet or SSH and issue these commands:

nvram set http_lanport 31337   # or whatever port you want
nvram commit
reboot

Then access your router via

http://routeripaddress:31337

The average users within the network won't know how to access different ports through a web browser, and/or use a port scanner on the router to figure out what ports are open and do the math.

But an even more severe question arises... what security threat are you facing? It seems fairly strange to want to block access to the web GUI, especially as the security is fairly impenetrable if set up correctly, and you can turn off the info site as well.

Strange


But on to more sneaky bastage options...

More interesting: after you change the default webserver port, install lighttpd under the Services menu and learn how to use it. Create a fake DD-WRT login and it would throw off anyone trying to access it by default.

(Easy to do with simple .htaccess methods.)


But for most people, a simple port change to something only you know is enough.

But @Alozaros, I agree with the MAC address method, because it's highly unlikely someone is going to go through that amount of trouble to try to spoof a MAC address on an internal network... It's more likely they'd just get physical access to the router, lol.

For ultimate sneaky bastage mode:

iptables MAC address + changed port

if you are super paranoid...

Options:

1) Disable The WebGUI and only start it as necessary...

You could script this...

2) Create a timed gate window (sleep + kill http daemon commands) via a startup script that shuts down the web GUI 5 minutes after the router is booted (or less or more, depending on the window you want to be able to access the GUI in). This way, if you want to gain access, SSH or telnet in and reboot the router... As soon as it comes up you can enter the router, do what you've got to do, and let it automatically kill the web GUI...

There are tons of options for paranoia.

I suggest intense therapy.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
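Option 2 above (the timed gate window started from a startup script) as an added example in shell; this is not code from the post or from DD-WRT. It assumes the web server process is named httpd and that `killall httpd` stops it, which is the "kill http daemon" step the post describes; the GUI_WINDOW, GUI_KILL_CMD and GUI_STAMP variables and the function names are this example's own. The stamp file is an addition so that a later SSH session can tell whether the window has already closed instead of guessing.

```shell
#!/bin/sh
# Added example, not from the post or DD-WRT: close the web GUI a fixed time
# after boot. Assumptions: the GUI process is httpd and `killall httpd` stops
# it (as the post suggests); the variable and function names are this
# example's own.

GUI_WINDOW="${GUI_WINDOW:-300}"                 # 5 minutes, as in the post
GUI_KILL_CMD="${GUI_KILL_CMD:-killall httpd}"   # command that stops the GUI
GUI_STAMP="${GUI_STAMP:-/tmp/gui_closed_at}"    # written when the window shuts

# close_gui: stop the web server and record the time it happened.
# If httpd is already gone the window is closed anyway, so that still counts.
close_gui() {
    $GUI_KILL_CMD 2>/dev/null || :
    date +%s > "$GUI_STAMP"
}

# schedule_gui_close [SECONDS]: wait in the background, then close the GUI.
# Backgrounding keeps the startup script from blocking the rest of boot, and
# the redirects stop the waiter from holding the script's output open.
# Prints the waiter's PID so the close can be cancelled with kill if needed.
schedule_gui_close() {
    secs="${1:-$GUI_WINDOW}"
    ( sleep "$secs" && close_gui ) >/dev/null 2>&1 &
    echo $!
}

# gui_window_open: succeeds while the GUI has not been closed since boot.
# /tmp is cleared on reboot, so a reboot reopens the window, as the post says.
gui_window_open() {
    [ ! -e "$GUI_STAMP" ]
}

# Usage from a DD-WRT startup script (call it as the last line):
#   schedule_gui_close 300
# From an SSH session later:
#   gui_window_open && echo "GUI still reachable" || echo "GUI closed; reboot to reopen"
```

Reopening the GUI without a reboot would mean restarting httpd by hand; the post's approach deliberately relies on the reboot so that the window always starts from a clean boot.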
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6416
Location: UK, London, just across the river..

PostPosted: Sat Sep 09, 2017 15:55
Why bother to change the ports if you can do something with fewer commands? But yeah, if the super-paranoid pill takes effect there are tons of ugly ways to limit/permit users' access to the GUI: MAC, IPs, encrypted keys, etc. The question is why bother at all; if someone wants to hack your router it will more likely be via the CLI instead of the GUI...


Last edited by Alozaros on Sun Sep 10, 2017 4:31; edited 1 time in total
e123enitan
DD-WRT Novice


Joined: 13 Mar 2017
Posts: 46

PostPosted: Sun Sep 10, 2017 0:49
Alozaros wrote:
e123enitan wrote:
Hi, how do I allow a single IP on the LAN to access the GUI, with all other IPs disallowed?

Thanks


Well, you can use the MAC address to block/permit only.

So first reject all the input traffic, then specify only the permitted MAC address to access the GUI:

iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

It's not gonna work if you use a PPPoE WAN interface...



Please excuse my ignorance, I am not a code writer; however, based on your advice I took these steps:
I logged in, navigated to the Administration tab > Management tab > Additional Cron Jobs, then entered the code below, saved and applied. Please review and advise whether I have done it the right way. It doesn't have any impact, because I was able to log in to the router from another wireless PC.
Thanks

iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br0 -p tcp --dport 80 -m mac --mac-source B8:AC:6F:39:6F:0E -j ACCEPT
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Sun Sep 10, 2017 1:15    Post subject: uhhh
Those codes don't go in cron; they go in

ADMINISTRATION... COMMANDS... Save Firewall
reboot



Last edited by sploit on Sun Sep 10, 2017 2:57; edited 1 time in total
e123enitan
DD-WRT Novice


Joined: 13 Mar 2017
Posts: 46

PostPosted: Sun Sep 10, 2017 1:18    Post subject: Re: uhhh
sploit wrote:
Those codes don't go in cron; they go in

SERVICES... COMMANDS... Save Firewall


Thanks, I will give it a go and keep you posted.

Cheers!
e123enitan
DD-WRT Novice


Joined: 13 Mar 2017
Posts: 46

PostPosted: Sun Sep 10, 2017 1:25    Post subject: Re: uhhh
e123enitan wrote:
sploit wrote:
Those codes don't go in cron; they go in

SERVICES... COMMANDS... Save Firewall


Thanks, I will give it a go and keep you posted.

Cheers!


Please, under which tab do I navigate to add the code? I can't seem to locate the section to input the command codes.

Thanks
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Sun Sep 10, 2017 2:57    Post subject: Ooops Sorry
Oops, sorry... My brain was somewhere else...
ADMINISTRATION tab,
then COMMANDS tab.
Then paste the code into the box and press SAVE FIREWALL.

Then reboot the router

e123enitan
DD-WRT Novice


Joined: 13 Mar 2017
Posts: 46

PostPosted: Sun Sep 10, 2017 3:43    Post subject: Re: Ooops Sorry
sploit wrote:
Oops, sorry... My brain was somewhere else...
ADMINISTRATION tab,
then COMMANDS tab.
Then paste the code into the box and press SAVE FIREWALL.

Then reboot the router


Thanks, it works like a charm; I sincerely appreciate your time/knowledge.

May I bother you with another issue, similar to the same access restriction?
I have, say, five devices on my LAN, connected through both wireless and Ethernet, and I have all these MAC addresses set in DHCP reservations. Is it possible to allow only these five MACs in my LAN/WAN, so that any device with a MAC not in the DHCP table will be rejected?
My reason for doing this is mainly to prevent people in my house from using the Ethernet RJ45 wall socket to bypass the restrictions set on the wireless to gain access to my LAN server.

Thanks for your support.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6416
Location: UK, London, just across the river..

PostPosted: Sun Sep 10, 2017 4:43    Post subject: Re: Ooops Sorry
e123enitan wrote:
sploit wrote:
Oops, sorry... My brain was somewhere else...
ADMINISTRATION tab,
then COMMANDS tab.
Then paste the code into the box and press SAVE FIREWALL.

Then reboot the router


Thanks, it works like a charm; I sincerely appreciate your time/knowledge.

May I bother you with another issue, similar to the same access restriction?
I have, say, five devices on my LAN, connected through both wireless and Ethernet, and I have all these MAC addresses set in DHCP reservations. Is it possible to allow only these five MACs in my LAN/WAN, so that any device with a MAC not in the DHCP table will be rejected?
My reason for doing this is mainly to prevent people in my house from using the Ethernet RJ45 wall socket to bypass the restrictions set on the wireless to gain access to my LAN server.

Thanks for your support.


Hmm, as you already have static IPs specified, you can limit the number of DHCP-given IPs to the limit you want. Let's say you have 5 devices and 5 static IPs, so set the number of DHCP IPs to 5 so no more new IPs will be allowed on the system... or you can use iptables rules to specify which IP will be able to gain internet/connect (it doesn't matter, LAN or WiFi).
And those access restrictions in the GUI are not familiar to me; on some builds there are reports that they are not working, and I've never used them, to be honest...

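Alozaros's second suggestion (iptables rules deciding which clients may reach the internet, wired or wireless alike) as an added example; this is not code from the thread or from DD-WRT. It keeps the MAC allowlist in its own user chain so the firewall script can be re-run after every edit without piling up duplicate rules, which the plain `-I INPUT` lines earlier in the thread do. The bridge br0 comes from the thread; the WAN interface name (vlan2 is a placeholder here; on many builds `nvram get wan_ifname` reports the real one), the chain name lan_allow and the function names are assumptions. A MAC allowlist stops casual use of the wall socket but not a client that changes its own MAC, so for anything that matters pair it with wired-port VLANs, as the original poster did.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT: only the listed MAC addresses
# may be forwarded from the LAN bridge to the WAN; everything else is rejected.
# Assumptions: LAN bridge br0 (from the thread); WAN_IF is a placeholder and
# must be set to the router's WAN interface; the chain name is this example's.

LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan2}"
CHAIN="${CHAIN:-lan_allow}"

# gen_forward_allowlist MAC... : print the iptables commands in execution order.
# Allowed MACs RETURN to FORWARD so DD-WRT's own forwarding rules still apply
# to them; anything that reaches the end of the chain is rejected.
gen_forward_allowlist() {
    [ "$#" -gt 0 ] || { echo "gen_forward_allowlist: no MAC addresses given" >&2; return 1; }
    # create the chain on first run (error ignored if it exists), then empty
    # it, so re-running the script replaces the list instead of appending to it
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    for mac in "$@"; do
        echo "iptables -A $CHAIN -m mac --mac-source $mac -j RETURN"
    done
    echo "iptables -A $CHAIN -j REJECT"
    # drop any previous hook (harmless if absent), then install exactly one
    echo "iptables -D FORWARD -i $LAN_IF -o $WAN_IF -j $CHAIN 2>/dev/null"
    echo "iptables -I FORWARD -i $LAN_IF -o $WAN_IF -j $CHAIN"
}

# apply_forward_allowlist MAC... : run the generated commands on the router.
# On DD-WRT, put this script in Administration -> Commands -> Save Firewall
# with a call to this function as its last line.
apply_forward_allowlist() {
    gen_forward_allowlist "$@" | sh
}

# Constructed sample run with placeholder MACs: prints the commands only.
gen_forward_allowlist aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02
# To apply on the router instead:
#   apply_forward_allowlist aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02
```

Because the hook is matched on both `-i br0` and `-o $WAN_IF`, traffic between LAN hosts is untouched; a device not on the list simply loses its route to the internet, which is the behaviour the question asked for without cutting it off from the LAN server by accident.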