
Adding FW rules to supplement port forwarding

Discussion in 'Tomato Firmware' started by phuque99, Jan 31, 2009.

  1. phuque99

    phuque99 LI Guru Member

    After some tinkering, I found that the best way to supplement port forwarded host with specific firewall rules is to add it into the "wanin" chain. I've something like this added to protect my ftp server:

    iptables -I wanin -p tcp -d 192.168.1.5 --dport 21 -j DROP
    iptables -I wanin -p tcp -s 216.239.61.104 --dport 21 -m state --state NEW -j ACCEPT
    iptables -I wanin -p tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT

    I used to do this on the FORWARD chain for ddwrt but Tomato has a different set of iptables that I'm not really familiar with. Is this the best way or would it be more efficient on a different chain?
     
  2. mstombs

    mstombs Network Guru Member

    wanin is just linked to FORWARD for packets that enter via the wan port. Can also put blocks in "-t nat PREROUTING"

    For tuning check the order and byte counters in the output of

    iptables -vnL

    and

    iptables -vnL -t nat

    For efficiency you want to minimize the number of simplest rules that need to be checked, which may depend on usage pattern.
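    An added example, not code from either poster or from Tomato, that makes the two points above checkable offline: the three "-I wanin" lines from the first post are inserted at the head of the chain one after another, so the kernel evaluates them in reverse script order (ACCEPTs before the DROP, which is what you want; the same three lines with "-A" would put the DROP first and shadow the ACCEPTs), and the counters from "iptables -vnxL wanin" show which rules are actually hit and whether a busy rule sits low in the chain. The listing text is a constructed sample in the shape of iptables -vnxL output, not a capture from a router; the helper names are my own.

```python
import re
from typing import Dict, List

# The three rules from the first post, exactly as typed into the firewall script.
OP_RULES = [
    "iptables -I wanin -p tcp -d 192.168.1.5 --dport 21 -j DROP",
    "iptables -I wanin -p tcp -s 216.239.61.104 --dport 21 -m state --state NEW -j ACCEPT",
    "iptables -I wanin -p tcp --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT",
]

# Constructed sample of `iptables -vnxL wanin` (-x prints exact byte counts, no K/M suffix).
SAMPLE_LISTING = """\
Chain wanin (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     412      31200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state RELATED,ESTABLISHED
       7        420 ACCEPT     tcp  --  *      *       216.239.61.104       0.0.0.0/0            tcp dpt:21 state NEW
      93       5580 DROP       tcp  --  *      *       0.0.0.0/0            192.168.1.5          tcp dpt:21
       0          0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.1.5          tcp dpt:22
"""


def simulate_chain(commands: List[str]) -> List[str]:
    """Apply `iptables -I CHAIN spec` / `-A CHAIN spec` lines to an empty chain and
    return the rule specs in evaluation order. -I without a rule number inserts at
    position 1, so successive -I lines end up reversed; -A keeps script order."""
    chain: List[str] = []
    for cmd in commands:
        m = re.match(r"iptables\s+(-I|-A)\s+(\S+)\s+(.*)$", cmd.strip())
        if not m:
            raise ValueError(f"unsupported command: {cmd}")
        flag, _chain_name, spec = m.groups()
        if flag == "-I":
            chain.insert(0, spec)
        else:
            chain.append(spec)
    return chain


def accepts_precede_drop(specs: List[str], dport: int) -> bool:
    """True when every ACCEPT for dport is evaluated before the first DROP for that
    port. If a DROP comes first, the later ACCEPTs can never match."""
    port = f"--dport {dport}"
    drop_seen = False
    for spec in specs:
        if port not in spec:
            continue
        if "-j DROP" in spec:
            drop_seen = True
        elif "-j ACCEPT" in spec and drop_seen:
            return False
    return True


def parse_listing(text: str) -> List[Dict[str, object]]:
    """Parse the rule lines of an `iptables -vnxL CHAIN` dump into dicts, in chain order.
    The chain header and the column header are skipped because they do not start
    with a packet count."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split(None, 9)  # pkts bytes target prot opt in out src dst [match]
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        rules.append({
            "pkts": int(parts[0]), "bytes": int(parts[1]), "target": parts[2],
            "prot": parts[3], "source": parts[7], "destination": parts[8],
            "match": parts[9] if len(parts) > 9 else "",
        })
    return rules


def zero_hit_rules(rules: List[Dict[str, object]]) -> List[int]:
    """Positions (0-based) of rules that have never matched: candidates to review."""
    return [i for i, r in enumerate(rules) if r["pkts"] == 0]


def busiest_first(rules: List[Dict[str, object]]) -> List[int]:
    """Positions sorted by packet count, highest first. A hot rule that is not near
    the top of the chain is the reordering candidate mstombs's advice points at."""
    return sorted(range(len(rules)), key=lambda i: rules[i]["pkts"], reverse=True)


if __name__ == "__main__":
    order = simulate_chain(OP_RULES)
    for pos, spec in enumerate(order, 1):
        print(f"{pos}: {spec}")
    print("ACCEPTs before DROP for port 21:", accepts_precede_drop(order, 21))
    rules = parse_listing(SAMPLE_LISTING)
    print("never-hit rule positions:", zero_hit_rules(rules))
    print("busiest rule positions:", busiest_first(rules))
```

    Running it prints the evaluation order of the three posted rules (RELATED,ESTABLISHED accept first, the DROP last) and flags rule 4 of the sample dump as never hit. Swapping the "-I" for "-A" in OP_RULES makes accepts_precede_drop return False, which is the ordering mistake to look for before blaming the chain.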
     
  3. phuque99

    phuque99 LI Guru Member

    You're right, FORWARD does work. It was my mistake, user problem. I used "logdrop" as my jump target instead of DROP. "logdrop" does not exist in Tomato, thus that rule didn't register.
     
