OpenDNS block ports and allow others to filter by mac

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11

PostPosted: Tue Aug 14, 2018 19:51    Post subject: OpenDNS block ports and allow others to filter by mac
Hello, I am trying to configure OpenDNS on a Linksys WRT54G2 / GS2 with Firmware: DD-WRT v24-sp2 (07/08/10) micro-build 14896

Reading the docs and thanks to the forum it is taking shape, but I need to define more restrictions, these are:
1. block redirect / block port 53 for the whole network
1.1 except some computers defined by me (this works filtering by IP, but not by MAC, rule # R1 fails)
2. Block all ports except 53,80,443 for the entire network (rule # R2 fails)
3. except for some equipment defined by me.


The network is:
NET: 172.16.0.0/255.255.0.0
Local DNS: 172.16.0.1, which forwards to 208.67.222.220
Router dd-WRT LAN: 172.16.0.53
Router dd-WRT WAN: 192.168.0.2
INTERNET LAN Router: 192.168.0.1

I have defined iptables as:

Code:
#R2 iptables -I FORWARD 3 -j DROP
#R2 iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
#R2 iptables -I FORWARD 1 -p tcp -m multiport --dports 21,80,443,53 -j ACCEPT
iptables -t nat -I PREROUTING -i br0  -s 172.16.0.0/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0  -s 172.16.0.0/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p tcp --dport 53 -j DNAT --to 8.8.8.8
#R1 iptables -t nat -I PREROUTING -i br0 -s -m mac ! --mac-source 54:27:1E:AE:5A:FD  -p udp --dport 53 -j DNAT --to 8.8.8.8
#R1 iptables -t nat -I PREROUTING -i br0 -s -m mac ! --mac-source 54:27:1E:AE:5A:FD  -p tcp --dport 53 -j DNAT --to 8.8.8.8


I made several modifications, based on documentation, but they did not work so I left the basics. I really have a problem but I do not know where else to look ...

Are they syntax errors or do I have to build some module to make it work?
Is there a tool to generate the iptables rules in dd-wrt?
flako
DD-WRT Novice


Joined: 16 Mar 2018
Posts: 11

PostPosted: Fri Aug 17, 2018 19:56
Hello again eibgrad, (I know these are similar posts ..)
Now it is working correctly with MAC filtering and redirection of port 53. What I cannot do is block all ports except 80 and 445; according to the manual I understand that it is:

Quote:
iptables -I FORWARD 1 -p tcp -m multiport --dports 21,80,443 -j ACCEPT
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -j DROP

---
But there must be something wrong, because the only rule that works is the DROP (after applying it, it blocks ICMP and internet access), although in iptables -vnL FORWARD I do not see changes in the rules.

Code:
iptables -vnL FORWARD, after applying:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  br1    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
  130  7712 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
  815 63294 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
    1    60 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  br1    vlan1   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
    0     0 DROP       udp  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           udp dpt:1701
    0     0 DROP       udp  --  *      vlan1   0.0.0.0/0            0.0.0.0/0           udp dpt:500
    0     0 TRIGGER    0    --  vlan1  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    1    60 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
    1    60 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0


My current rules are:
Code:
insmod xt_mac
insmod ipt_mac
iptables -I FORWARD 3 -j DROP   
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 1 -p tcp -m multiport --dports 7,22,53,80,443 -j ACCEPT
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.0/16 -p udp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.0.0/16 -p tcp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -s 172.16.1.10 -p tcp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -m mac  --mac-source 74:c6:3b:90:e4:25  -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -i br0 -m mac  --mac-source 74:c6:3b:90:e4:25  -p tcp --dport 53 -j DNAT --to 8.8.8.8
insmod xt_mac
insmod ipt_mac


Will there be any ACCEPT in another section?
Thank you
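A rule script for the setup described in this thread, added here as an illustration and not flako's or DD-WRT's own code: it reuses the thread's addresses, MAC and interface names (br0 as LAN, vlan1 as WAN from the -vnL output), inserts every rule at position 1 so that the last rule printed always lands on top of its chain no matter how many rules DD-WRT already keeps there, checks with -C before inserting so the firewall script can be re-run, restricts the DROP to LAN-to-WAN traffic so it does not hit other forwarded traffic, and allows UDP 53 alongside TCP so the DROP does not swallow the redirected DNS queries. Assumptions: the exempt MAC is simply sent to 8.8.8.8 as in the last post, and the file is saved as rules.sh.

```shell
#!/bin/sh
# Added example, not flako's script: same addresses, MAC and interfaces as
# the thread (br0 = LAN, vlan1 = WAN per the -vnL output).  Assumption:
# the exempt MAC just gets another resolver (8.8.8.8), as in the last post.
# "sh rules.sh plan" prints the rules, "sh rules.sh apply" loads them.
IPT="${IPT:-iptables}"
LAN_IF=br0
WAN_IF=vlan1
LAN_NET=172.16.0.0/16
OPENDNS=208.67.222.220
ALT_DNS=8.8.8.8
EXEMPT_MAC=74:c6:3b:90:e4:25
ALLOW_TCP=53,80,443

# Every rule is inserted at position 1, so the LAST line printed lands on
# TOP of its chain: general rules (drop, redirect everyone) come first,
# exemptions last, independent of what DD-WRT already put in the chain.
# UDP 53 is allowed explicitly: a TCP-only multiport ACCEPT would let the
# DROP swallow the DNS queries that PREROUTING just redirected.
plan_rules() {
  cat <<EOF
-I FORWARD 1 -i $LAN_IF -o $WAN_IF -j DROP
-I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-I FORWARD 1 -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT
-I FORWARD 1 -i $LAN_IF -o $WAN_IF -p tcp -m multiport --dports $ALLOW_TCP -j ACCEPT
-t nat -I PREROUTING 1 -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j DNAT --to $OPENDNS
-t nat -I PREROUTING 1 -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j DNAT --to $OPENDNS
-t nat -I PREROUTING 1 -i $LAN_IF -m mac --mac-source $EXEMPT_MAC -p udp --dport 53 -j DNAT --to $ALT_DNS
-t nat -I PREROUTING 1 -i $LAN_IF -m mac --mac-source $EXEMPT_MAC -p tcp --dport 53 -j DNAT --to $ALT_DNS
EOF
}

# Load the plan.  Each rule is checked with -C first, so re-running the
# firewall script on a router that already has it does not stack duplicates.
apply_rules() {
  insmod xt_mac 2>/dev/null || true    # MAC match module, as in the thread
  insmod ipt_mac 2>/dev/null || true
  plan_rules | while read -r rule; do
    check=$(printf '%s' "$rule" | sed 's/-I \([A-Z]*\) 1 /-C \1 /')
    # shellcheck disable=SC2086   (word splitting is intended here)
    "$IPT" $check 2>/dev/null || "$IPT" $rule
  done
}

case "${1:-}" in
  plan)  plan_rules ;;
  apply) apply_rules ;;
esac
```

After applying, `iptables -vnL FORWARD --line-numbers` should show the ACCEPT rules at positions 1 to 3 and the DROP at 4, directly above whatever DD-WRT had there before.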