iptables firewall help

DD-WRT Forum -> Advanced Networking
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

Posted: Wed May 22, 2019 15:37    Post subject: iptables firewall help
Hello.
First, sorry for my English.
Need help.

Hardware: TP-Link Archer C8 rev.1

Software: DD-wrt V3.0-r37305 (10/10/2018)

Mission: Need 4 isolated networks.

Last settings:

[image: 1.png]
[image: 2.png]
[image: 3.png]
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

Posted: Wed May 22, 2019 15:42
continued
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

Posted: Wed May 22, 2019 15:44
continue
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

Posted: Wed May 22, 2019 15:46
continue
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

Posted: Wed May 22, 2019 15:47
continue
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

Posted: Wed May 22, 2019 15:48
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br3 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -s br0 -d br1 -j ACCEPT
iptables -I FORWARD -s br0 -d br2 -j ACCEPT
iptables -I FORWARD -s br0 -d br3 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br3 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br3 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br3 -p tcp --dport 53 -j ACCEPT



As a result, no device can connect to the networks.
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

Posted: Wed May 22, 2019 16:23
Thank you.
What does this mean:

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

Posted: Wed May 22, 2019 16:43
All done by the instructions. Can't connect devices to any network.
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

Posted: Wed May 22, 2019 17:29
Please check the iptables configuration for the above settings. Tell me where the mistakes are, please.

Code:
iptables -I INPUT -i br1 -j REJECT
iptables -I INPUT -i br2 -j REJECT
iptables -I INPUT -i br3 -j REJECT
iptables -I INPUT -p icmp -i br1 -j ACCEPT
iptables -I INPUT -p icmp -i br2 -j ACCEPT
iptables -I INPUT -p icmp -i br3 -j ACCEPT
iptables -I INPUT -p udp  -i br1 --dport 67 -j ACCEPT
iptables -I INPUT -p udp  -i br2 --dport 67 -j ACCEPT
iptables -I INPUT -p udp  -i br3 --dport 67 -j ACCEPT
iptables -I INPUT -p tcp  -i br1 --dport 53  -j ACCEPT
iptables -I INPUT -p udp  -i br1 --dport 53  -j ACCEPT
iptables -I INPUT -p tcp  -i br2 --dport 53  -j ACCEPT
iptables -I INPUT -p udp  -i br2 --dport 53  -j ACCEPT
iptables -I INPUT -p tcp  -i br3 --dport 53  -j ACCEPT
iptables -I INPUT -p udp  -i br3 --dport 53  -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br0 -p tcp -d 192.168.1.100 --dport 9100 \
    -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br3 -m state --state NEW -j REJECT
iptables -t nat -I POSTROUTING -s "192.168.3.0/24" -o "nvram get wan_iface" -j MASQUERADE
iptables -t nat -I POSTROUTING -s "192.168.4.0/24" -o "nvram get wan_iface" -j MASQUERADE
iptables -t nat -I POSTROUTING -s "192.168.5.0/24" -o "nvram get wan_iface" -j MASQUERADE
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5932
Location: Netherlands

Posted: Wed May 22, 2019 17:46
I have not checked all your rules (it is dinner time), but the NAT rules are wrong.

A proper NAT rule is:
Code:
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -o $(nvram get wan_iface) -j MASQUERADE

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
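A worked version of egc's point, added here as an example and not code from this thread, the DD-WRT wiki or egc: it takes the WAN interface by command substitution, keeps the guest rules in custom chains so that -I does not reverse their order, and matches bridges with -i/-o rather than -s/-d. It assumes br0 is the trusted LAN, that the router itself serves DHCP and DNS on the guest bridges, and that DD-WRT's SPI firewall is on; the names wan_iface, guest_in, guest_fwd, DRY_RUN and guest_fw.sh are chosen here.

```sh
#!/bin/sh
# Added example, not code from this thread, the DD-WRT wiki or egc's post.
# Assumes br0 is the trusted LAN, the router serves DHCP (udp/67) and DNS (53)
# on each guest bridge, and the stock SPI firewall passes ESTABLISHED traffic.
# DRY_RUN=1 prints the rules instead of applying them, so they can be reviewed.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# WAN interface by command substitution; the thread's rules quoted the command itself
# ("nvram get wan_iface"). Fallback as in the pastebin line: device of the default route.
wan_iface() {
    w=$(nvram get wan_iface 2>/dev/null || true)
    [ -n "$w" ] || w=$(ip route | awk '/^default/{print $NF}')
    printf '%s\n' "$w"
}

# Rules go into two custom chains with -A, in the order they are read, and each chain
# is hooked into INPUT/FORWARD with a single -I. Inserting every rule with -I, as the
# thread does, stacks them in reverse order, so a later ACCEPT sits above an earlier
# DROP. Interfaces are matched with -i/-o; -s and -d take addresses, not bridge names.
isolate_guests() {
    wan="$1"; shift
    for chain in guest_in guest_fwd; do
        ipt -N "$chain" 2>/dev/null || true
        ipt -F "$chain"
    done
    # Guest -> router: DHCP, DNS and ping only; everything else is rejected.
    ipt -A guest_in -p udp --dport 67 -j ACCEPT
    ipt -A guest_in -p udp --dport 53 -j ACCEPT
    ipt -A guest_in -p tcp --dport 53 -j ACCEPT
    ipt -A guest_in -p icmp -j ACCEPT
    ipt -A guest_in -j REJECT
    # Guest -> elsewhere: new connections only out of the WAN interface, never into
    # br0 or another guest bridge. Replies are not NEW and fall through unchanged.
    ipt -A guest_fwd -o "$wan" -m state --state NEW -j ACCEPT
    ipt -A guest_fwd -m state --state NEW -j REJECT
    for br in "$@"; do
        ipt -I INPUT -i "$br" -j guest_in
        ipt -I FORWARD -i "$br" -j guest_fwd
        ipt -I FORWARD -o "$br" -m state --state NEW -j REJECT  # nothing initiates into a guest
    done
    # One masquerade rule for the private subnets, as in egc's reply.
    ipt -t nat -I POSTROUTING -s 192.168.0.0/16 -o "$wan" -j MASQUERADE
}
# Usage from the router's firewall script: sh guest_fw.sh apply br1 br2 br3
case "${1:-}" in
    apply) shift; isolate_guests "$(wan_iface)" "$@" ;;
esac
```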
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

Posted: Wed May 22, 2019 19:36
Thank you very much.

Please, help me with this:

Source: https://wiki.dd-wrt.com/wiki/index.php/Multiple_WLANs

1.
Quote:
Enable NAT on the WAN port to correct a bug in builds over 17000 (doesn't make sense on WAP's)

Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`



2.
Quote:

Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)

Code:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

3.
Quote:
Enable NAT on the WAN port to correct a bug in builds over 17000 (doesn't make sense on WAP's)
Code:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`



4.
Quote:
Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)

Code:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


5.

Quote:
Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)

Code:
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP


And this:
Source: https://pastebin.com/r4u62P0B

1.
Quote:
# nat guest network over WAN (internet)
Code:
iptables -t nat -I POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE


In sum, I can't connect with any device to any VIRTUAL interface.

I have tested many variants of iptables rules, but with no result: I can't connect to the networks.

Some information: the router has 2 physical interfaces, 2.4 GHz and 5 GHz. If I connect to the physical interfaces, all is OK. I can isolate the 2 physical interfaces with iptables, but with virtual interfaces it DOESN'T WORK.

Thank you.