Iptables to allow internet but not lan

DD-WRT Forum Index -> Advanced Networking
Bushmaster2000
DD-WRT Novice


Joined: 03 Sep 2022
Posts: 2

Posted: Sat Sep 03, 2022 23:25    Post subject: Iptables to allow internet but not lan
I have an ExpressVPN router that says it's DD-WRT at the core.

I have a different router I want to put a guest network on, IP 10.1.1.0; its WAN port plugs into the Express LAN port.

The ExpressVPN router is 192.168.1.0.

So on that Express router I did iptables forward 10 to 192 deny.

But on the guest network I could still ping and HTTP to LAN 192 stuff, and I don't want that. I just want 10 to pass through to the internet.

So I'm not sure if, because this is ExpressVPN DD-WRT, it won't do what I want, or if what I did isn't the right thing.

I could use some advice.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sun Sep 04, 2022 17:36    Post subject:
The lack of information about the guest router makes it difficult to provide accurate advice. What's the make and model? Does it support DD-WRT? Are you using DD-WRT? Is the WAN NAT'd?

Typically, when dealing with a secondary router connected WAN to LAN with respect to the primary router, you prevent access to the upstream network from the secondary router using the latter's IP firewall, NOT the primary router's IP firewall. But again, knowing nothing about the guest router, I don't know if that's even possible. Not unless it supports third-party firmware like DD-WRT, FreshTomato, Merlin, etc., where you do have that capability.

FWIW, the following script is (among other things) intended specifically to prevent such access. But it assumes the use of DD-WRT.

https://pastebin.com/1df1XsuK

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
Bushmaster2000
DD-WRT Novice


Joined: 03 Sep 2022
Posts: 2

Posted: Mon Sep 05, 2022 1:49    Post subject:
The modem goes to the WAN port of a Netgear R7000 running ExpressVPN firmware, which is a custom DD-WRT v3, with a 192.x subnet.

Then to one of the LAN ports I have connected another R7000 running Netgear firmware to create that guest 10.x subnet.

So the guest 10 net has to traverse through the ExpressVPN router to get out to the internet.

I was under the impression that, using two different subnets, the ExpressVPN DD-WRT iptables could allow the guest to pass through to WAN but not talk to any 192.x addresses.

From your link, this line is similar to but different from what I did, so I'll try it this way:

iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Mon Sep 05, 2022 9:26    Post subject:
@Bushmaster2000 Welcome to our lively community.

In order to help us help you better please read the following.

These boards are for support and help with DD-WRT official builds, as stated in our rules and guidelines; anything else support-wise is the purview of the company who modified the firmware. They are paid to support their offerings, while we are users like you who volunteer for free.

Their firmware version is likely out of sync with DD-WRT and in many instances lacks the features/options DD-WRT has, in this case on the VPN side.

So, I would look at making a human-readable backup of your settings by connecting to your router via SSH/Telnet and issuing nvram show > /tmp/nvram-backup-some-date-id.txt, grabbing that to your desktop via scp or another method, then flashing a current version of DD-WRT found here, then resetting to defaults and re-configuring from scratch using the human-readable backup as a guide.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12770
Location: Netherlands

Posted: Mon Sep 05, 2022 9:36    Post subject:
Bushmaster2000 wrote:
The modem goes to the WAN port of a Netgear R7000 running ExpressVPN firmware, which is a custom DD-WRT v3, with a 192.x subnet.

Then to one of the LAN ports I have connected another R7000 running Netgear firmware to create that guest 10.x subnet.

So the guest 10 net has to traverse through the ExpressVPN router to get out to the internet.

I was under the impression that, using two different subnets, the ExpressVPN DD-WRT iptables could allow the guest to pass through to WAN but not talk to any 192.x addresses.

From your link, this line is similar to but different from what I did, so I'll try it this way:

iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT


@eibgrad already said it all :)

The rule you are referring to should be set on the secondary router, so on your R7000 running stock firmware.

But I'm not sure if that is possible, as we do not support stock firmware and neither do we support ExpressVPN.

Consider upgrading both routers to DD-WRT.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
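To make concrete what eibgrad and egc describe (the FORWARD rule Bushmaster2000 quoted, placed on the secondary router rather than the primary), here is an added example script for a guest router running DD-WRT. It is not eibgrad's pastebin script; it assumes DD-WRT's standard nvram keys wan_ipaddr, wan_netmask and wan_gateway and the LAN bridge br0, derives $WAN_NET from the WAN address and mask instead of hard-coding it, and the optional allow-dns switch and gateway argument are this example's own additions.

```shell
#!/bin/sh
# Guest-router isolation for DD-WRT, meant to run on the SECONDARY (guest)
# router whose WAN port plugs into the primary router's LAN. Added example,
# not eibgrad's pastebin script. Assumes DD-WRT's standard nvram keys
# (wan_ipaddr, wan_netmask, wan_gateway) and the LAN bridge br0.

# Count the set bits of a dotted-quad netmask octet by octet (no 32-bit
# arithmetic, so it also works on a 32-bit busybox sh): 255.255.255.0 -> 24
mask_to_prefix() {
    n=0
    for o in $(echo "$1" | tr . ' '); do
        while [ "$o" -gt 0 ]; do n=$((n + (o & 1))); o=$((o >> 1)); done
    done
    echo "$n"
}

# The network the WAN side lives on, in CIDR form:
# wan_net 192.168.1.37 255.255.255.0 -> 192.168.1.0/24
wan_net() {
    mask=$2
    set -- $(echo "$1" | tr . ' ') $(echo "$2" | tr . ' ')
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))/$(mask_to_prefix "$mask")"
}

# Emit the iptables commands. Only NEW connections from the guest bridge toward
# the upstream LAN are rejected; replies to guest-initiated Internet traffic and
# traffic the guest router itself originates (OUTPUT chain) are untouched.
# With $3 = "allow-dns", DNS to the upstream gateway ($4) stays allowed, for
# setups that hand guest clients the primary router's address as resolver.
guest_isolation_rules() {
    net=$(wan_net "$1" "$2")
    echo "iptables -I FORWARD -i br0 -d $net -m state --state NEW -j REJECT"
    if [ "$3" = allow-dns ]; then
        # Inserted afterwards, so they land above the REJECT rule.
        echo "iptables -I FORWARD -i br0 -d $4 -p udp --dport 53 -j ACCEPT"
        echo "iptables -I FORWARD -i br0 -d $4 -p tcp --dport 53 -j ACCEPT"
    fi
}

# Run on the router as: sh guest-isolation.sh apply [allow-dns]. If you save
# it under Administration -> Commands -> Save Firewall instead, end the file
# with a plain apply_guest_isolation call so it runs on every firewall rebuild.
apply_guest_isolation() {
    guest_isolation_rules "$(nvram get wan_ipaddr)" "$(nvram get wan_netmask)" \
        "${1:-}" "$(nvram get wan_gateway)" | sh
}

if [ "${1:-}" = apply ]; then apply_guest_isolation "${2:-}"; fi
```

Without the apply argument the script only defines functions, so you can print the generated rules first (guest_isolation_rules 192.168.1.37 255.255.255.0) and confirm the derived network is the upstream LAN before inserting anything.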