Posted: Wed Sep 30, 2009 13:49 Post subject: Only allow certain incoming IP addresses to specific ports
I'd like to lock down a few ports to only allow access from specific IP addresses. Does DD-WRT support this and if so, how would I go about configuring this? Are wildcards or ranges allowed?
You should be able to do this with Iptables. I'm not sure about wildcards but you can use ranges. Check the Iptables command page in wiki. Maybe "Allow HTTP traffic only to specific domain(s)" part will give you an idea.
Every build can use CIDR masks for IP source/destination fields in iptables but if you want to specify specific ranges then you'll need the iprange match which isn't included by default in many builds. Port ranges are supported in all builds. Put them in your firewall script on the admin->commands page.
iptables -I FORWARD -p tcp --dport 5555 -j DROP
iptables -I FORWARD -s 1.1.1.0/24 -p tcp --dport 5555 -j ACCEPT
iptables -I FORWARD -s 5.5.5.5 -p tcp --dport 5555:5560 -j ACCEPT
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Last edited by phuzi0n on Thu Oct 01, 2009 17:36; edited 1 time in total
I thought I was all set. It turns out I need more entries than the web interface will allow (it truncates the list). Do you happen to know where the firewall config. script is stored on the router so I can edit it directly?
You're probably running into the nvram limit. The first thing to do is make sure your rules are as concise as they can be so that they have minimal performance impact and require less storage. If they're as concise as they can be then you could start using shell variables to make them use less storage space. If they still don't fit then you'll have to use another method of storage such as JFFS or a CIFS/Samba share.
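As an added example (not posted by anyone in this thread), here is how the rules above can be written compactly with shell variables and a loop, the approach suggested for staying under the nvram limit. The source list, port list and the `allow_from`/`restrict_ports` function names are constructed for illustration; `IPT=echo` prints the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not from the thread: a compact DD-WRT firewall script that
# limits a set of TCP ports to listed sources. Variables and a loop keep the
# stored text short (nvram space) while generating one rule per source/port.
# IPT defaults to iptables; run with IPT=echo to print the rules without root.
IPT="${IPT:-iptables}"

# Constructed sample policy. Sources may be a host, a CIDR mask, or an
# explicit range a-b; ports may be a single port or a low:high range.
ALLOWED="1.1.1.0/24 5.5.5.5 10.0.0.10-10.0.0.20"
PORTS="5555 5556:5560"

# Emit the accept rule for one source and one port. Explicit a-b ranges need
# the iprange match, which is missing from some builds (see the post above);
# single hosts and CIDR masks use the plain -s match available everywhere.
allow_from() {
    case "$1" in
        *-*) $IPT -I FORWARD -m iprange --src-range "$1" -p tcp --dport "$2" -j ACCEPT ;;
        *)   $IPT -I FORWARD -s "$1" -p tcp --dport "$2" -j ACCEPT ;;
    esac
}

restrict_ports() {
    for port in $PORTS; do
        # -I inserts at the head of FORWARD, so the DROP goes in first and
        # every ACCEPT inserted afterwards lands above it: allow-list, then deny.
        $IPT -I FORWARD -p tcp --dport "$port" -j DROP
        for src in $ALLOWED; do
            allow_from "$src" "$port"
        done
    done
}

# In the firewall script on the admin->commands page, finish with a bare call:
# restrict_ports
```

Check the resulting chain order with `iptables -L FORWARD -n --line-numbers`: the ACCEPT rules must sit above the DROP for each port.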