block port with iptables

Discussion in 'Tomato Firmware' started by menc, May 5, 2008.

  1. menc

    menc Addicted to LI Member

    Hi people,

I've been using Tomato for a while, but now this got me stuck. I've been trying to block a port with iptables but with no success. Here are the commands I'm typing through telnet.

    # iptables -A OUTPUT -s -p udp --dport 25 -j REJECT
    # service iptables restart

    # iptables -A OUTPUT -s -p tcp --dport 25 -j REJECT
    # service iptables restart

Then on the computer with the IP I do a telnet to my mail on port 25 and it works like a charm. Why is the router not blocking the request? I've also tried changing OUTPUT for INPUT and REJECT for DROP, but it nevertheless keeps connecting :(

  2. mstombs

    mstombs Network Guru Member

You should use "-I FORWARD". -I inserts the rule at the top of the list, to make sure nothing else can accept it! OUTPUT only controls output from the router, not what is routed through it.

You shouldn't need "service iptables restart", but when it works from the command line you should put it in the firewall script, which is run just before the WAN is brought up/reconnected. It's possible manual entries get flushed on a WAN-DOWN/WAN-UP event.

  3. HennieM

    HennieM Network Guru Member

    1) You are using 192.168.0.x. Is your router not 192.168.1.x?

2) You must not do "service iptables restart". When you add a rule to iptables, it's there. When you do a restart, it clears all rules and then applies the rules set up in the config, and thus deletes your added rule.

3) If you want to block access FROM the PC TO the router (assumed), you want to do

iptables -A INPUT -s -p tcp --dport 25 -j REJECT

    The OUTPUT rule is for stuff going out of the router, while the INPUT rule is for connections TO the router.

4) Once the rule works, add it to the Administration > Scripts > Firewall script, then you don't have to telnet or ssh into the router to apply the rule.

  4. menc

    menc Addicted to LI Member

Really, thanks for your fast responses. I know I can do this at the "Access Restriction" GUI, but I wanted to learn a bit about iptables :p

1) The IP is right, I changed the default because I thought it would be more secure that way, dunno.. anyway I like it the way it is :p

2) Good point, I had no idea restart would erase my rule.

3) I don't know if it is to the router.. I mean, I'm just doing a small test to see if I can catch how to set up some basic rules.

I got one PC at, and I do a telnet to some ISP (outside the router.. actually on the internet) mail at port 25, and it gets connected.. now I wanted to block that, just to know how to do it.

I've tried with these new lines and none of them worked :(

    # iptables -A INPUT -s -p tcp --dport 25 -j REJECT
    # iptables -A OUTPUT -s -p tcp --dport 25 -j REJECT
    # iptables -I OUTPUT -s -p tcp --dport 25 -j REJECT
    # iptables -I INPUT -s -p tcp --dport 25 -j REJECT

Actually, I can block it by doing so on the "Access Restriction", and it works like a charm, but I wanted to do it manually.. so this is just an experiment.. any ideas why it is not working?

  5. nvtweak

    nvtweak LI Guru Member

None of your rules filter FORWARDed traffic. Go back and read mstombs' post.

  6. HennieM

    HennieM Network Guru Member

Yeah, use FORWARD and PREROUTING rules for stuff being routed THROUGH Tomato. (I thought you were running a mail server on Tomato, hence the INPUT rule suggested...)

  7. menc

    menc Addicted to LI Member

    my mistake :rolleyes:

    # iptables -I FORWARD -s -p tcp --dport 25 -j REJECT

Now it works like a charm! :biggrin: Thanks to you all!
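To make the point mstombs and HennieM are making concrete (traffic from a LAN PC to an Internet mail server never passes INPUT or OUTPUT on the router, only FORWARD, and an appended rule can sit behind an earlier ACCEPT), here is a small model of the netfilter filter-table chain traversal. This is example code added for this page, not part of the thread, Tomato or iptables; the router addresses, the LAN PC address 192.168.0.10, the mail server 198.51.100.25 and the "baseline" ACCEPT rule are all constructed stand-ins for the values the posts leave out.

```python
"""Toy model of which filter-table chain (INPUT / OUTPUT / FORWARD) a packet
traverses and how rule order (-A append vs -I insert) decides the verdict.
Constructed example; not iptables itself and not Tomato's firewall."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed router addresses: LAN side and WAN side.
ROUTER_IPS = {"192.168.0.1", "203.0.113.5"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    chain: str                 # INPUT / OUTPUT / FORWARD
    target: str                # ACCEPT / REJECT / DROP
    src: Optional[str] = None  # -s, host or CIDR
    proto: Optional[str] = None  # -p
    dport: Optional[int] = None  # --dport

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def chain_for(pkt: Packet, router_ips=ROUTER_IPS) -> str:
    """Routing decision: packets addressed to the router hit INPUT, packets the
    router itself generates hit OUTPUT, everything routed through it hits FORWARD."""
    if pkt.dst in router_ips:
        return "INPUT"
    if pkt.src in router_ips:
        return "OUTPUT"
    return "FORWARD"


class FilterTable:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {"INPUT": [], "OUTPUT": [], "FORWARD": []}

    def append(self, rule: Rule) -> None:   # iptables -A: goes to the end
        self.chains[rule.chain].append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I: goes to position 1
        self.chains[rule.chain].insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule in the relevant chain wins; policy ACCEPT otherwise."""
        for rule in self.chains[chain_for(pkt)]:
            if rule.matches(pkt):
                return rule.target
        return "ACCEPT"


def baseline() -> FilterTable:
    """Constructed approximation of a router that already accepts LAN-to-WAN
    traffic early in FORWARD (the 'nothing else can accept it' problem)."""
    fw = FilterTable()
    fw.append(Rule("FORWARD", "ACCEPT", src="192.168.0.0/24"))
    return fw


LAN_PC = "192.168.0.10"                                   # constructed LAN host
SMTP_OUT = Packet(LAN_PC, "198.51.100.25", "tcp", 25)     # LAN PC -> Internet mail server
TELNET_ROUTER = Packet(LAN_PC, "192.168.0.1", "tcp", 23)  # LAN PC -> the router itself


def run_scenarios() -> Dict[str, str]:
    block = dict(src=LAN_PC, proto="tcp", dport=25)
    results = {}
    fw = baseline(); fw.append(Rule("OUTPUT", "REJECT", **block))   # the original attempt
    results["A_OUTPUT"] = fw.verdict(SMTP_OUT)
    fw = baseline(); fw.insert(Rule("INPUT", "REJECT", **block))    # only affects traffic to the router
    results["I_INPUT"] = fw.verdict(SMTP_OUT)
    fw = baseline(); fw.append(Rule("FORWARD", "REJECT", **block))  # right chain, but behind the ACCEPT
    results["A_FORWARD"] = fw.verdict(SMTP_OUT)
    fw = baseline(); fw.insert(Rule("FORWARD", "REJECT", **block))  # the working -I FORWARD rule
    results["I_FORWARD"] = fw.verdict(SMTP_OUT)
    results["I_FORWARD_other_port"] = fw.verdict(Packet(LAN_PC, "198.51.100.25", "tcp", 443))
    fw = baseline(); fw.insert(Rule("INPUT", "REJECT", src=LAN_PC, proto="tcp", dport=23))
    results["I_INPUT_to_router"] = fw.verdict(TELNET_ROUTER)        # INPUT does block router-bound traffic
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

Running it shows ACCEPT for the OUTPUT, INPUT and appended-FORWARD variants of the port 25 rule and REJECT only for the inserted FORWARD rule, which is exactly the sequence of attempts in the thread; the last scenario shows that an INPUT rule is the right one when the destination is the router itself.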
