
block all port, selectively allow?

Discussion in 'Tomato Firmware' started by tesna, Aug 24, 2009.

  1. tesna

    tesna Guest

    Hello,

    I'd like to block all ports then selectively allow on Tomato, is it possible to do this?

    I searched around and found some scripts, but it seems they do not work?

    I tried:
    Code:
    # subnet whose outbound traffic is filtered, and "any destination" (0.0.0.0/0)
    clientstargeted="10.0.2.0/24"
    destargeted="0.0.0.0/0"
    # --dport is only valid with -p tcp or -p udp; these rules cover TCP
    # (a second set with -p udp is needed to cover UDP as well)
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 1:20 -j DROP
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 23:52 -j DROP
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 54:79 -j DROP
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 81:109 -j DROP
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 111:122 -j DROP
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 113:442 -j DROP
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 444:464 -j DROP
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 465:994 -j DROP
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 996:5049 -j DROP
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 5051:9949 -j DROP
    iptables -I FORWARD -s $clientstargeted -d $destargeted -p tcp --dport 9951:65535 -j DROP
    
    and put them in the firewall script tab, but I can still connect to the blocked ports :confused:

    Tried this too:
    Code:
    clientstargeted="10.0.2.0/24"
    # the target is ACCEPT (iptables has no ALLOW target); --dport needs -p tcp
    iptables -I FORWARD -s $clientstargeted -p tcp --dport 80 -j ACCEPT
    iptables -I FORWARD -s $clientstargeted -p tcp --dport 443 -j ACCEPT
    iptables -I FORWARD -s $clientstargeted -p tcp --dport 465 -j ACCEPT
    iptables -I FORWARD -s $clientstargeted -p tcp --dport 995 -j ACCEPT
    iptables -I FORWARD -s $clientstargeted -p tcp --dport 20 -j ACCEPT
    iptables -I FORWARD -s $clientstargeted -p tcp --dport 21 -j ACCEPT
    iptables -I FORWARD -s $clientstargeted -p tcp --dport 22 -j ACCEPT
    iptables -I FORWARD -s $clientstargeted -p tcp --dport 5050 -j ACCEPT
    # everything else from the subnet is dropped
    iptables -I FORWARD -s $clientstargeted -j DROP
    
    It does not work either :( Yes, I've restarted the router after putting them in the firewall script page. I don't have UPnP enabled either. I'm on a WRT54GL and Tomato 1.25 (original).

    Any suggestions?
     
  2. ntest7

    ntest7 Network Guru Member

    Using the command
    iptables -I ...
    inserts the rule in the table as the first rule. Since your last action is to insert a DROP rule, everything matches that. The order makes a big difference.

    I use something like:
    Code:
    # the REJECT goes in first; every later -I lands above it, so the ACCEPTs are checked before it
    iptables -I wanout -p TCP -j REJECT --reject-with tcp-reset
    iptables -I wanout -p TCP --dport 80 -j ACCEPT # www
    iptables -I wanout -p TCP --dport 443 -j ACCEPT # https
    ...
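The allowlist from the question with the rule ordering ntest7 describes made explicit, as an added example that is not from this thread: rules are appended (-A) to a dedicated chain so they keep the order they are written in, and the chain is hooked into FORWARD for the 10.0.2.0/24 subnet. The chain name lan_egress, the dry-run helper and the "apply"/"preview" arguments are assumptions of this example, not Tomato conventions.

```shell
#!/bin/sh
# Default-deny outbound policy for one LAN subnet on a Tomato router, written
# so that rule order is explicit: every rule goes into a dedicated chain with
# -A (append) and lands in the order written; the only -I is the single jump
# that hooks the chain into FORWARD ahead of the router's own rules.
LAN="10.0.2.0/24"                           # constructed example subnet
CHAIN="lan_egress"                          # hypothetical chain name
ALLOW_TCP="20 21 22 80 443 465 995 5050"    # the ports from the question

# IPT can be pointed at a print function for a dry run (see preview below).
ipt() { "${IPT:-iptables}" "$@"; }
print_rule() { printf 'iptables %s\n' "$*"; }

apply_egress_policy() {
    # Create the chain, or empty it if it already exists, so re-runs are safe.
    ipt -N "$CHAIN" 2>/dev/null || ipt -F "$CHAIN"
    # Replies to connections the LAN opened are matched by conntrack state,
    # so the allowlist below only has to cover new outbound connections.
    ipt -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS has to be allowed explicitly or every client loses name resolution.
    ipt -A "$CHAIN" -p udp --dport 53 -j ACCEPT
    for port in $ALLOW_TCP; do
        ipt -A "$CHAIN" -p tcp --dport "$port" -j ACCEPT
    done
    # The default deny is appended last; written with -I it would land first
    # and shadow every ACCEPT above it. TCP gets a reset so clients fail fast.
    ipt -A "$CHAIN" -p tcp -j REJECT --reject-with tcp-reset
    ipt -A "$CHAIN" -j DROP
    # Remove any jump left from a previous run, then insert it at the top of
    # FORWARD so this policy is evaluated before the firmware's own rules.
    ipt -D FORWARD -s "$LAN" -j "$CHAIN" 2>/dev/null || true
    ipt -I FORWARD -s "$LAN" -j "$CHAIN"
}

# Dry run: print the iptables commands in the order they would be issued.
preview_egress_policy() { ( IPT=print_rule; apply_egress_policy ); }

# "apply" runs the rules for real (as root on the router); anything else previews.
case "${1:-preview}" in
    apply) apply_egress_policy ;;
    *)     preview_egress_policy ;;
esac
```

Run it with no argument first and read the printed order; the DROP must be the last rule in the chain and the -I must be the only insert.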
     
