[securedparty]

I've basically got my needs accomplished to a certain degree, but I'm running into an issue that I haven't been able to readily solve. I don't know if I'm making a goof up somewhere, or what.

Basically, I've got a NAS appliance that has some server capabilities and I'm basically restricting all outgoing AND incoming traffic except for specific ports and reasons.

I've got allowances for incoming traffic for HTTP/HTTPS as it has a web server function. There's also an allowance for outgoing NTP traffic so that it can update it's local time and all of my devices point to the NAS as a time server so that locally all of my devices on my network can simply point to it for updates.

The final command in the list is to block all outgoing traffic. If I understand correctly, this command being last just basically closes off traffic to anything that was not earlier specified.

The NAS device uses IP 10.10.0.5 locally. The DD-WRT gateway with the rules setup in the command line for firewall rules is model MR7500 on r60269.

The latest I am trying to accomplish is allowing the NAS to connect out to specific IP addresses to allow for DDNS updates, but it doesn't seem to work.

[ho1Aetoo]

First of all, you shouldn't work with line numbers because you're doing it wrong.

Let's count

1 any rule
2 iptables -I FORWARD -i wan -p tcp -d 10.10.0.5 --dport 2100:2121 -j ACCEPT
3 iptables -I FORWARD -i wan -p tcp -d 10.10.0.5 --dport 21 -j ACCEPT
4 iptables -I FORWARD -i wan -p tcp -d 10.10.0.5 --dport 443 -j ACCEPT
5 iptables -I FORWARD -i wan -p tcp -d 10.10.0.5 --dport 80 -j ACCEPT

6 iptables -I FORWARD -p tcp -s 10.10.0.5 -d 158.247.7.204 -j ACCEPT)
7 iptables -I FORWARD -p tcp -s 10.10.0.5 -d 204.16.169.46 -j ACCEPT)
8 iptables -I FORWARD -p tcp -s 10.10.0.5 -d 204.16.169.60 -j ACCEPT

9 iptables -I FORWARD 9 -s 10.10.0.5 -j DROP

10 iptables -I FORWARD -p tcp -s 10.10.0.5 -d 172.235.58.235 -j ACCEPT <- cannot work
11 iptables -I FORWARD -p tcp -s 10.10.0.5 -d 158.247.7.200 -j ACCEPT <- cannot work
12 iptables -I FORWARD -p tcp -s 10.10.0.5 -d 158.247.7.199 -j ACCEPT <- cannot work

And if further rules are added (and some rules may even be added twice), then this shifts even further—with the result that nothing works anymore.

[securedparty]

So removing the line numbers appears to be one approach.

I also understand that rules appearing after what was referenced as line 9 will not work. This is understood already. There is nothing that occurs afterwards.

So, in nixing the line numbers I am left with this.

[ho1Aetoo]

You have to reverse the order.

Each rule is inserted at the beginning of the table so that the last rule is the first and blocks everything.

[securedparty]

[ho1Aetoo]

Yes, block it first and then allow it.
The “I” insert means that the rules are always added at the beginning of the chain.

First, the “drop” is at the beginning, and the rules that follow cause the “drop” to slide further down.

With “iptables -vnL FORWARD” you can see the chain.

[securedparty]

Your posts were immensely helpful in helping me to accomplish my goals. While I did not use the exact method you were speaking, I learned from it and was then able to accomplish the desired end.

Thank you!

I did send a message to you. I would like to render a courtesy.