iptables firewall help

DD-WRT Forum -> Advanced Networking
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

PostPosted: Wed May 22, 2019 15:37    Post subject: iptables firewall help
Hello.
First, sorry for my English.
Need help.

Hardware: TP-Link Archer C8 rev.1

Software: DD-wrt V3.0-r37305 (10/10/2018)

Mission: Need 4 isolated networks.

Last settings:

[img]1.png[/img]
[img]2.png[/img]
[img]3.png[/img]
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

PostPosted: Wed May 22, 2019 15:48    Post subject:
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br3 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -s br0 -d br1 -j ACCEPT
iptables -I FORWARD -s br0 -d br2 -j ACCEPT
iptables -I FORWARD -s br0 -d br3 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br3 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br3 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br3 -p tcp --dport 53 -j ACCEPT



As a result, no device can connect to the networks.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed May 22, 2019 15:50    Post subject:
Perhaps the following will help.

https://pastebin.com/r4u62P0B

It only shows how to firewall one guest network (br1), but could easily be expanded to any number of additional networks/bridges by following the same pattern.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

PostPosted: Wed May 22, 2019 16:23    Post subject:
Thank you.
What does this mean:

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

PostPosted: Wed May 22, 2019 16:43    Post subject:
I have done everything as instructed. Can't connect devices to any network.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed May 22, 2019 17:03    Post subject:
Alteros wrote:
Thank you.
What does this mean:

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"


Determining the WAN's network interface name is sometimes difficult. Most people use one of the following:

Code:
nvram get wan_iface


or

Code:
get_wanface


But that doesn't always work. There are times when that won't return the right value (e.g., client mode, or pppoe).

So that line in the script examines the actual routing table, locates the line w/ the default gateway, and grabs the network interface name at the end of the line. Now you get the WAN's correct network interface name all the time (hopefully).

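An added example (not eibgrad's script) that runs the thread's awk one-liner next to a variant reading the field after `dev`, against constructed `ip route` output for a plain DHCP WAN, a WAN whose route line carries trailing attributes, and the PPPoE case the post mentions; the route lines are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from eibgrad's script: find the WAN interface from the
# kernel routing table instead of trusting nvram/get_wanface. The routing
# table text is passed in as $1 so the functions run offline on constructed
# samples; on the router call: wan_if_dev "$(ip route)".

# The thread's one-liner: last field of the default-route line.
wan_if_nf() {
    printf '%s\n' "$1" | awk '/^default/ { print $NF; exit }'
}

# Sturdier variant: the field right after "dev" is the interface name, no
# matter which trailing attributes (proto, src, metric, scope) follow it.
wan_if_dev() {
    printf '%s\n' "$1" | awk '/^default/ {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit }
    }'
}

# Constructed samples of "ip route" output for three WAN setups.
ROUTES_DHCP='default via 192.168.1.1 dev vlan2
192.168.1.0/24 dev vlan2 proto kernel scope link src 192.168.1.50'
ROUTES_METRIC='default via 10.0.0.1 dev eth0 proto dhcp src 10.0.0.5 metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5'
ROUTES_PPPOE='default dev ppp0 scope link
203.0.113.1 dev ppp0 proto kernel scope link src 203.0.113.7'

for r in "$ROUTES_DHCP" "$ROUTES_METRIC" "$ROUTES_PPPOE"; do
    printf 'NF: %-6s dev: %s\n' "$(wan_if_nf "$r")" "$(wan_if_dev "$r")"
done
```

Both functions agree on the simple DHCP route; the `$NF` version returns the metric or the word `link` on the other two samples, while the `dev` version returns the interface name every time.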
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

PostPosted: Wed May 22, 2019 17:29    Post subject:
Please check the iptables configuration for the above setting. Please tell me where the mistakes are.

Code:
iptables -I INPUT -i br1 -j REJECT
iptables -I INPUT -i br2 -j REJECT
iptables -I INPUT -i br3 -j REJECT
iptables -I INPUT -p icmp -i br1 -j ACCEPT
iptables -I INPUT -p icmp -i br2 -j ACCEPT
iptables -I INPUT -p icmp -i br3 -j ACCEPT
iptables -I INPUT -p udp  -i br1 --dport 67 -j ACCEPT
iptables -I INPUT -p udp  -i br2 --dport 67 -j ACCEPT
iptables -I INPUT -p udp  -i br3 --dport 67 -j ACCEPT
iptables -I INPUT -p tcp  -i br1 --dport 53  -j ACCEPT
iptables -I INPUT -p udp  -i br1 --dport 53  -j ACCEPT
iptables -I INPUT -p tcp  -i br2 --dport 53  -j ACCEPT
iptables -I INPUT -p udp  -i br2 --dport 53  -j ACCEPT
iptables -I INPUT -p tcp  -i br3 --dport 53  -j ACCEPT
iptables -I INPUT -p udp  -i br3 --dport 53  -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br0 -p tcp -d 192.168.1.100 --dport 9100 \
    -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o br3 -m state --state NEW -j REJECT
iptables -t nat -I POSTROUTING -s "192.168.3.0/24" -o "nvram get wan_iface" -j MASQUERADE
iptables -t nat -I POSTROUTING -s "192.168.4.0/24" -o "nvram get wan_iface" -j MASQUERADE
iptables -t nat -I POSTROUTING -s "192.168.5.0/24" -o "nvram get wan_iface" -j MASQUERADE
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3654
Location: Netherlands

PostPosted: Wed May 22, 2019 17:46    Post subject:
I have not checked all your rules (it is dinner time), but the NAT rules are wrong.

A proper NAT rule is:
Code:
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -o $(nvram get wan_iface) -j MASQUERADE

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed May 22, 2019 18:41    Post subject:
TIP:

Because there are so many bridges, and thus so many permutations, you're better off in this case to use the iptables wildcard (+) and block everything by default, then define your exceptions.

Code:
iptables -I FORWARD -i br+ -o br+ -j REJECT
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
...


The result will be far less code, less complexity, and less chance of errors.

For internal firewall'ing purposes, I recommend the use of REJECT rather than DROP. Both will work, but REJECT sends a message to the client telling them their request has been blocked. And now the client doesn't have to sit there waiting for the application to timeout before realizing what's happened. It's just more pleasant for your own users. Leave DROP for the internet side of the WAN, where you *want* to make it a pain for someone to mess w/ the router.

Also, make sure you test the script from a shell (telnet/ssh) and NOT just plug the script into the firewall script and reboot. Because if you do, and you make a serious mistake, you *might* lock yourself out of the router and have to reset it! At least if you test from the shell, and make a mistake, you can reboot and start over.

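An added example, not eibgrad's pastebin script, that carries the tip above through for the thread's four bridges: one `br+` catch-all REJECT, then the exceptions (guests get internet plus DHCP and DNS from the router; br0 keeps access to the guest bridges). The `run`/`build_rules` names and the APPLY switch are this example's own; the WAN interface name is passed in, and nothing touches the live firewall unless APPLY=1, so the output can be reviewed from a shell first as the post recommends.

```shell
#!/bin/sh
# Added example, not from eibgrad's script: "block everything between
# bridges by default, then add exceptions" for br0 (trusted LAN) and the
# guest bridges br1..br3. Rules are printed unless APPLY=1.
LAN_BRIDGE="br0"
GUEST_BRIDGES="br1 br2 br3"

run() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

build_rules() {
    wan_if="$1"
    # Every rule uses -I, so each one lands ABOVE the previous: the catch-all
    # REJECT is issued first and ends up last in the chain.
    run -I FORWARD -i br+ -o br+ -j REJECT
    # Replies to connections an exception allowed must still get back.
    run -I FORWARD -i br+ -o br+ -m state --state ESTABLISHED,RELATED -j ACCEPT
    for g in $GUEST_BRIDGES; do
        # guest -> internet only (the SPI firewall needs this explicit ACCEPT)
        run -I FORWARD -i "$g" -o "$wan_if" -m state --state NEW -j ACCEPT
        # router itself: refuse guests, then punch DHCP and DNS holes above it
        run -I INPUT -i "$g" -j REJECT
        run -I INPUT -i "$g" -p udp --dport 67 -j ACCEPT
        run -I INPUT -i "$g" -p udp --dport 53 -j ACCEPT
        run -I INPUT -i "$g" -p tcp --dport 53 -j ACCEPT
    done
    # Trusted LAN may reach the guest bridges (drop this line for full
    # isolation) and the internet.
    run -I FORWARD -i "$LAN_BRIDGE" -o br+ -m state --state NEW -j ACCEPT
    run -I FORWARD -i "$LAN_BRIDGE" -o "$wan_if" -m state --state NEW -j ACCEPT
}

# WAN_IF_UNKNOWN is a placeholder used only when nvram is not available.
build_rules "${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo WAN_IF_UNKNOWN)}"
```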
Alteros
DD-WRT Novice


Joined: 22 May 2019
Posts: 10

PostPosted: Wed May 22, 2019 19:36    Post subject:
Thank you very much.

Please, help me with this:

Source: https://wiki.dd-wrt.com/wiki/index.php/Multiple_WLANs

1.
Quote:
Enable NAT on the WAN port to correct a bug in builds over 17000 (doesn't make sense on WAP's)

Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`



2.
Quote:

Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)

Code:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

3.
Quote:
Enable NAT on the WAN port to correct a bug in builds over 17000 (doesn't make sense on WAP's)
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`



4.
Quote:
Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)

Code:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


5.

Quote:
Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)

Code:
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP


And this:
Source: https://pastebin.com/r4u62P0B

1.
Quote:
# nat guest network over WAN (internet)
Code:
iptables -t nat -I POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE


In sum, I can't connect any device to any VIRTUAL interface.

I have tested many variants of iptables rules, but as a result I can't connect to the networks.

Some information: the router has 2 physical interfaces, 2.4 GHz and 5 GHz. If I connect to the physical interfaces, all is OK. I can isolate the 2 physical interfaces with iptables, but with virtual interfaces it DOESN'T WORK.

Thank you.