iptables in a file ?

Author Message
lebphi
DD-WRT Novice


Joined: 27 Jun 2019
Posts: 4

PostPosted: Thu Jun 27, 2019 12:19    Post subject: iptables in a file ?
Hi,

I'm a beginner with DD-WRT. I'd like to add a lot of iptables rules. Is it possible to put them in a file rather than entering them through the web interface?

Thank you
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Jun 27, 2019 12:30
Just copy them into Administration/Commands and Save Firewall.

But if you have external storage you can put the rules in a script and execute that script from the same spot as described above.

DD-WRT normally takes care of the necessary firewall rules. The most common mistake is over-configuration :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
lebphi
DD-WRT Novice


Joined: 27 Jun 2019
Posts: 4

PostPosted: Thu Jun 27, 2019 14:10
Thank you

I want to add rules for blocking all ports except a few (80, 443, ...) for everyone except my personal computer (specific MAC).

So I've used Administration/Commands as you said and it works fine.

I've added:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD -p tcp --dport 993 -j ACCEPT
iptables -I FORWARD -p tcp --dport 587 -j ACCEPT
iptables -I FORWARD -p tcp --dport 465 -j ACCEPT
iptables -I FORWARD -m mac --mac-source 28:F1:xx:1E:42:xx -j ACCEPT

Now I would like to block access to my box's local network 192.168.1.0/24 for everyone except me (MAC address), but it doesn't work: I block everyone, even myself.

I've added:
iptables -I FORWARD -s 192.168.1.0/24 -j DROP

Does the problem come from my WAN address being in the blocked range?

My WAN status is IP=192.168.1.69, gateway=192.168.1.1

My LAN status is IP=192.168.77.1 with DHCP server
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Jun 27, 2019 16:23
To block all access to a router higher up, try:

Code:
iptables -I FORWARD -i br0 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -m state --state NEW -j REJECT


Using MAC addresses does not always work, depending on whether the MAC module is present or not.

But if it works, make sure that entry is the last one so that it is executed first.

lebphi
DD-WRT Novice


Joined: 27 Jun 2019
Posts: 4

PostPosted: Thu Jun 27, 2019 17:44
Are the rules executed in reverse, from bottom to top?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Thu Jun 27, 2019 18:05
lebphi wrote:
Are the rules executed in reverse, from bottom to top?


If you are using -I, yes.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

PostPosted: Thu Jun 27, 2019 23:09
iptables -I FORWARD ! -s 192.168.1.0/24 -j REJECT

Try it, if this is in the correct format.

! means reject all, but not -s 192.168.1.0/24.

If this is the correct spelling; I can't test it right now, but you can try.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55779 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
lebphi
DD-WRT Novice


Joined: 27 Jun 2019
Posts: 4

PostPosted: Sat Jun 29, 2019 7:21
I've tried a lot of combinations.
I have no problem blocking ports, but I can't block the local address range 192.168.1.0/24.

My last rules are:
iptables -A FORWARD -m mac --mac-source D0:16:B4:16:2A:xx -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j DROP
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -p tcp --dport 465 -j ACCEPT

What am I doing wrong?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

PostPosted: Sat Jun 29, 2019 10:12
It always helps if you state your router and build (number).
Furthermore, and more important, state your problem.

Now you are presenting a solution and telling us it does not work, but for what problem? :)

From your earlier post I was under the impression you have an ISP router on the 192.168.1.0/24 subnet and you connected a DD-WRT router with its WAN port to the ISP router; the DD-WRT router has subnet 192.168.77.0/24.

So you are actually double NATted (not a problem).

From your secondary router you want to block access to your ISP router on subnet 192.168.1.0/24 (with the exception of your own client).

In that case you have to block forwarding to a destination address on 192.168.1.0/24.

As a general rule you block access to the subnet of the WAN interface, and that is what the rule I mentioned in my earlier post is supposed to do.

So if you want this, try it :)

If it works then, under that rule, set the rule to accept traffic from your own client, and as it is inserted this rule will be executed first so that traffic from your own client is passed/accepted.

But maybe I am totally wrong and it is an entirely different problem; in that case enlighten us :)

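Added example (not code from the thread, from egc, or from DD-WRT): a small POSIX shell script that issues the two FORWARD rules egc's posts describe, in the order his posts call for, and models the point answered earlier in the thread, namely that with -I the rule issued last ends up at the top of the chain and is evaluated first, while -A appends to the bottom. The WAN address, netmask and MAC are constructed stand-ins for `$(nvram get wan_ipaddr)`, `$(nvram get wan_netmask)` and the poster's redacted MAC; the `chain_*`, `run_rule` and `load_firewall` names are this example's own. With `DRYRUN=1` (the default) it only records rules in an in-memory model of the chain; with `DRYRUN=0` on a router it runs the real `iptables` commands.

```shell
#!/bin/sh
# Added example, not from the thread: build the FORWARD rules egc describes
# and model how -I (insert at top) versus -A (append) orders them.

# Constructed stand-ins for $(nvram get wan_ipaddr), $(nvram get wan_netmask)
# and the trusted client's MAC. On a DD-WRT router, export these from nvram
# before calling load_firewall.
WAN_IP="${WAN_IP:-192.168.1.69}"
WAN_MASK="${WAN_MASK:-255.255.255.0}"
ALLOWED_MAC="${ALLOWED_MAC:-D0:16:B4:16:2A:00}"
# DRYRUN=1 (default) records rules in a model chain; DRYRUN=0 runs iptables.
DRYRUN="${DRYRUN:-1}"

# Model of one chain: newline-separated rules in kernel evaluation order.
CHAIN=""
chain_reset() { CHAIN=""; }

# chain_add -I|-A "rule": -I puts the rule first, -A puts it last.
chain_add() {
    case "$1" in
        -I) if [ -z "$CHAIN" ]; then CHAIN="$2"; else CHAIN="$2
$CHAIN"; fi ;;
        -A) if [ -z "$CHAIN" ]; then CHAIN="$2"; else CHAIN="$CHAIN
$2"; fi ;;
        *)  echo "chain_add: expected -I or -A, got '$1'" >&2; return 1 ;;
    esac
}

# Print the rules top to bottom, i.e. in the order a packet meets them.
chain_show() { printf '%s\n' "$CHAIN"; }

# First rule of the chain; when everything is inserted with -I this is the
# rule that was issued LAST.
chain_first() { printf '%s\n' "$CHAIN" | head -n 1; }

# run_rule -I|-A "match ... -j TARGET": model, or apply to the FORWARD chain.
run_rule() {
    if [ "$DRYRUN" = 1 ]; then
        chain_add "$1" "$2"
    else
        # shellcheck disable=SC2086
        iptables "$1" FORWARD $2
    fi
}

# The two rules from the thread, issued in the order egc gives:
# 1. reject NEW forwarded connections from the LAN bridge to the WAN subnet;
# 2. then insert the exception for the trusted MAC, so -I places it above
#    the REJECT and it is evaluated first. Restricting the exception to the
#    WAN subnet keeps it as narrow as the rule it overrides.
load_firewall() {
    chain_reset
    run_rule -I "-i br0 -d $WAN_IP/$WAN_MASK -m state --state NEW -j REJECT"
    run_rule -I "-i br0 -m mac --mac-source $ALLOWED_MAC -d $WAN_IP/$WAN_MASK -j ACCEPT"
}

load_firewall
if [ "$DRYRUN" = 1 ]; then
    echo "FORWARD chain in evaluation order:"
    chain_show
fi
```

Run it as-is to see the modelled order (the ACCEPT for the trusted MAC listed above the REJECT). If the same two rules were issued with -A instead, the ACCEPT would land below the REJECT and the exception would never be reached, which is the ordering mistake the thread's earlier question is about.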