IPTables, blocking access to a VLAN on br1

eric0321
DD-WRT Novice


Joined: 17 Nov 2010
Posts: 3

PostPosted: Wed Nov 17, 2010 14:38    Post subject: IPTables, blocking access to a VLAN on br1
I have an Asus RT-N16 router flashed with dd-wrt.v24-14896_NEWD-2_K2.6_big.bin

Created a separate WLAN by following this: http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

I don't want br1 to be able to access br0. I also don't want br1 to be able to access the web GUI, SSH, etc. on the router.

Here is what I have in my Administration -> Commands page, saved as a start-up script:

iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

When I connect to the WLAN on br1 I can still access the web GUI of the wireless router at 192.168.2.1.

Help, suggestions please?

Thank you

Eric
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Nov 17, 2010 18:40    Post subject: Re: IPTables, blocking access to a VLAN on br1
eric0321 wrote:
Here is what I have in my Administration -> Commands page, saved as a start-up script:

Quote:
Now that you have your WLAN's working you can start limiting what access they have. Here are several iptables commands that you can save to your firewall script on the Administration -> Commands page.


eric0321 wrote:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

You can remove the bolded rules that you got from another guide, they're not doing anything here.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
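The rules above only take effect if they are still in place after DD-WRT has set up its own firewall, which is why the reply points at the firewall script rather than a start-up script. A second thing worth checking in any such list is ordering: every rule is added with -I, which inserts at the top of the chain, so the rule issued last is evaluated first, and a broad rule can shadow the narrower ones behind it. The following is an added example, not code from the thread or from DD-WRT: a small first-match simulator that replays eric0321's commands into in-memory chains, evaluates a few constructed packets against them, and lists the rules that no sample packet ever reaches. The sample packets and the WAN interface name "vlan2" are assumptions.

```python
"""Replay iptables commands into in-memory chains and evaluate constructed sample packets
first-match, as netfilter does.  Added example, not DD-WRT code; packets and "vlan2" are assumed."""
import shlex

PORTS = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}  # service names the rules use
COMMANDS = [  # eric0321's rules, in the order his script runs them
    "iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT",
    "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
    "iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP",
    "iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP",
    "iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset",
    "iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset",
    "iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset",
    "iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset",
    "iptables -I INPUT -i br1 -m state --state NEW -j DROP",
    "iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT",
    "iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT",
    "iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT",
]
RULE_OPTS = {"-t": "table", "-I": "chain", "-j": "target"}   # rule-level options
MATCH_OPTS = {"-i": "in", "-o": "out", "-p": "proto"}         # plain match options
NON_TERMINATING = {"TCPMSS", "LOG", "MARK"}  # targets that match but let evaluation continue

def parse_rule(cmd):
    """Parse the option subset used in the thread; options we do not model are skipped."""
    argv = shlex.split(cmd)[1:]  # drop the leading "iptables"
    rule = {"table": "filter", "chain": None, "target": None, "match": {}, "text": cmd}
    m, i = rule["match"], 0
    while i < len(argv):
        opt = argv[i]
        arg = argv[i + 1] if i + 1 < len(argv) else None
        if opt in RULE_OPTS:
            rule[RULE_OPTS[opt]] = arg
        elif opt in MATCH_OPTS:
            m[MATCH_OPTS[opt]] = arg
        elif opt == "--dport":
            m["dport"] = PORTS.get(arg) or int(arg)
        elif opt == "--state":
            m["state"] = set(arg.split(","))
        elif opt == "--tcp-flags":  # "mask comp": of the flags in mask, exactly comp must be set
            m["tcp_flags"] = (set(arg.split(",")), set(argv[i + 2].split(",")))
            i += 1
        elif opt not in ("-m", "--reject-with", "--to"):
            i -= 1  # an option with no argument, e.g. --clamp-mss-to-pmtu
        i += 2
    return rule

def build_chains(commands):
    """-I without a position prepends, so the rule issued last ends up evaluated first."""
    chains = {}
    for r in map(parse_rule, commands):
        chains.setdefault((r["table"], r["chain"]), []).insert(0, r)
    return chains

def matches(rule, pkt):
    m = rule["match"]
    if any(k in m and pkt.get(k) != m[k] for k in ("in", "out", "proto", "dport")):
        return False
    if "state" in m and pkt.get("state") not in m["state"]:
        return False
    if "tcp_flags" in m:
        mask, comp = m["tcp_flags"]
        if pkt.get("proto") != "tcp" or (set(pkt.get("flags", ())) & mask) != comp:
            return False
    return True

def evaluate(chain, pkt, policy="ACCEPT"):
    """Walk the chain top-down; return (verdict, indexes of the rules the packet hit)."""
    hits = []
    for idx, rule in enumerate(chain):
        if matches(rule, pkt):
            hits.append(idx)
            if rule["target"] not in NON_TERMINATING:
                return rule["target"], hits
    return policy, hits

def unreached(chain, packets):
    """Rules none of the packets reach: shadowed by an earlier rule for this traffic."""
    hit = {i for p in packets for i in evaluate(chain, p)[1]}
    return [r["text"] for i, r in enumerate(chain) if i not in hit]

SAMPLES = {  # constructed traffic; "vlan2" stands in for the WAN interface
    ("filter", "INPUT"): [
        {"in": "br1", "proto": "tcp", "dport": 80, "state": "NEW", "flags": ("SYN",)},  # web GUI
        {"in": "br1", "proto": "udp", "dport": 53, "state": "NEW"},   # DNS to the router
        {"in": "br1", "proto": "udp", "dport": 67, "state": "NEW"},   # DHCP
        {"in": "br1", "proto": "tcp", "dport": 53, "state": "NEW"}],  # DNS over TCP
    ("filter", "FORWARD"): [
        {"in": "br1", "out": "br0", "proto": "tcp", "dport": 445, "state": "NEW", "flags": ("SYN",)},
        {"in": "br1", "out": "vlan2", "proto": "tcp", "dport": 80, "state": "NEW", "flags": ("SYN",)},
        {"in": "br0", "out": "br1", "proto": "tcp", "dport": 80, "state": "NEW", "flags": ("SYN",)}],
}

def report(commands=COMMANDS, samples=SAMPLES):
    """Per chain: verdict for each sample packet, plus the rules this traffic never reaches."""
    chains = build_chains(commands)
    return {name: {"verdicts": [evaluate(chains[(t, name)], p)[0] for p in pkts],
                   "unreached": unreached(chains[(t, name)], pkts)}
            for (t, name), pkts in samples.items()}

if __name__ == "__main__":
    for name, res in report().items():
        print(name, res["verdicts"], "never reached:", res["unreached"])
```

Running it shows the INPUT chain in its real order (the tcp/53 ACCEPT first, the four REJECT rules last) and that a new connection from br1 to the router's port 80 is dropped by the `--state NEW -j DROP` rule before any of the REJECT rules are consulted, so those four are never reached by this traffic. The FORWARD chain behaves as intended: br1 to br0 and br0 to br1 are dropped, br1 to the WAN passes through the non-terminating TCPMSS rule and is then accepted. The simulator only models the options the thread uses; on a live router `iptables -L INPUT -v -n --line-numbers` is the authoritative check for order and hit counts.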
eric0321
DD-WRT Novice


Joined: 17 Nov 2010
Posts: 3

PostPosted: Wed Nov 17, 2010 18:57
Cool thanks.

I didn't notice the "Firewall Script", only start-up, shutdown, and run command. Looks like I need to use the "Save Firewall" button :) Have to try when I get home.

I am also wanting to restrict users on br1 from trying to use their own DNS.

I believe I can add this to the end of my rules:

iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 192.168.2.1
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 192.168.2.1

Would that take care of dns bypassing?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Nov 17, 2010 19:52
eric0321 wrote:
I am also wanting to restrict users on br1 from trying to use their own DNS.

I believe I can add this to the end of my rules:

iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 192.168.2.1
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 192.168.2.1

Would that take care of dns bypassing?

Yep.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
eric0321
DD-WRT Novice


Joined: 17 Nov 2010
Posts: 3

PostPosted: Wed Nov 17, 2010 19:56
Thanks for the help.

Great forum!

Eric
All times are GMT