Iptables restrictions only works when no WAN access

ddacct3
DD-WRT Novice


Joined: 29 Mar 2008
Posts: 18

Posted: Fri Oct 19, 2018 1:19    Post subject: Iptables restrictions only works when no WAN access
On Kong 36070, in order to restrict admin access from another subnet, I tried these 2 variations:

iptables -A INPUT -p tcp --dport 80 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
(Here, I only wanted 192.168.1.100 to get admin access)

and also this:

iptables -A INPUT -p tcp --dport 80 -s 192.168.1.101 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
(Here, I wanted everybody except 192.168.1.101 to get admin access)

When the DD-WRT router had WAN access disconnected, this seemed to work as I thought it would, but as soon as the DD-WRT's WAN access was reestablished and had Internet access, the device that should not have been able to access the admin page was able to do so.

Any idea why?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

Posted: Fri Oct 19, 2018 5:32    Post subject:
yep those stop working for some odd reason, also you
can't even change the microserver port (GUI) to something else;
it's been like that for the last 7-8 builds or more.
the other reason is if you are using a modem or PPPoE,
as the modem uses port 80 to communicate with the router...

try to address br0 instead if they work at all
iptables -I INPUT -i br0 -p tcp --dport 8083 -j DROP
iptables -I INPUT -i br0 -p tcp -s 192.168.1.101 --dport 8083 -j ACCEPT

you can try with a MAC address instead, but those are not working on my other routers with BS builds either

iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
iptables -I INPUT -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55779 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
ddacct3
DD-WRT Novice


Joined: 29 Mar 2008
Posts: 18

Posted: Mon Oct 29, 2018 0:58    Post subject:
I was able to get it working.

1. Turns out -I was needed instead of -A. I think since the commands were being appended to the end, some other default rules were triggered before it ever got to my rules.

2. With -I, since the rules are being inserted at the top, I needed to reverse the order so that the rule inserted last is the one processed first.

Thanks for the tip. I was looking at your version of the rules and wondered what the difference between -I and -A was, and that happened to be the answer to my problem.

However, I do need to point out that the following code is a security risk:

iptables -I INPUT -p tcp --dport 80 -s 192.168.1.101 -j DROP
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

The second line exposes that port to the WAN and anybody could access it, which may not be what you are looking for if you just want anybody from the LAN to access it.

So it should be something like:
iptables -I INPUT -p tcp --dport 80 -s 192.168.1.0/24 -d 192.168.1.1 -j ACCEPT
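The ordering effect described in this thread, as an added example that is not from the thread: a minimal first-match simulator of an iptables INPUT chain. It assumes a stand-in firmware rule that accepts everything on br0 (constructed, not a real DD-WRT rule dump), and uses a constructed WAN source address and WAN interface name "vlan2".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                   # ACCEPT or DROP
    src: Optional[str] = None     # -s (host or CIDR)
    dst: Optional[str] = None     # -d
    dport: Optional[int] = None   # --dport
    iface: Optional[str] = None   # -i

    def matches(self, pkt: dict) -> bool:
        ip, net = ipaddress.ip_address, ipaddress.ip_network
        if self.src and ip(pkt["src"]) not in net(self.src, strict=False):
            return False
        if self.dst and ip(pkt["dst"]) not in net(self.dst, strict=False):
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.iface and pkt["iface"] != self.iface:
            return False
        return True

class Chain:
    def __init__(self, policy: str = "DROP"):
        self.rules, self.policy = [], policy
    def append(self, rule: Rule): self.rules.append(rule)     # iptables -A
    def insert(self, rule: Rule): self.rules.insert(0, rule)  # iptables -I (position 1)
    def verdict(self, pkt: dict) -> str:
        for r in self.rules:                                  # first match wins
            if r.matches(pkt):
                return r.target
        return self.policy

def firmware_chain() -> Chain:
    # Assumed stand-in for a rule already present in INPUT that accepts all LAN traffic.
    c = Chain()
    c.append(Rule("ACCEPT", iface="br0"))
    return c

LAN_PKT = {"src": "192.168.1.101", "dst": "192.168.1.1", "dport": 80, "iface": "br0"}
WAN_PKT = {"src": "203.0.113.5", "dst": "192.168.1.1", "dport": 80, "iface": "vlan2"}  # constructed

def appended_rules() -> tuple:   # the first attempt: -A lands behind the firmware rule
    c = firmware_chain()
    c.append(Rule("DROP", src="192.168.1.101", dport=80))
    c.append(Rule("ACCEPT", dport=80))
    return c.verdict(LAN_PKT), c.verdict(WAN_PKT)

def inserted_rules() -> tuple:   # -I issued in reverse order, so the DROP sits first
    c = firmware_chain()
    c.insert(Rule("ACCEPT", src="192.168.1.0/24", dst="192.168.1.1", dport=80))
    c.insert(Rule("DROP", src="192.168.1.101", dport=80))
    return c.verdict(LAN_PKT), c.verdict(WAN_PKT)
```

With -A the blocked host is still accepted by the earlier firmware rule and the unrestricted ACCEPT also admits the WAN packet; with -I in reverse order the blocked host is dropped and the WAN packet falls through to the chain policy.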
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

Posted: Mon Oct 29, 2018 16:47    Post subject:
in DD-WRT the INPUT chain is the local LAN,
FORWARD is the WAN

also this is not my suggestion either
iptables -I INPUT -p tcp --dport 80 -s 192.168.1.101 -j DROP
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

look at my post above!!!!

this is a security risk
iptables -I FORWARD -p tcp --dport 80 -j ACCEPT
