
Block SSH/Telnet/etc access from Guest-WLAN?

Discussion in 'Tomato Firmware' started by philess, Mar 5, 2013.

  1. philess

    philess Networkin' Nut Member

    Hey everyone,

    quick question: Can I block access to certain ports on the router just on one interface?

    I am quite sure it should work using iptables like this:

    iptables -I FORWARD -i br1 -p tcp --dport 22 -d -j REJECT --reject-with tcp-reset

    In this example my virtual SSID WLAN for guests is device br1 and the router has the IP there. I want to block access to port 22 (default SSH) from that network, while still allowing access from my private WLAN (br0 device). I added the iptables line to the firewall script box, did nvram commit and rebooted the router, but I still can access SSH.

    Do i need a sleep cycle in the firewall script maybe? And then restart iptables because maybe
    the SSH daemon is started after iptables and it overwrites it?
  2. lancethepants

    lancethepants Network Guru Member

    Perhaps the same rule needs to be applied to the INPUT chain as well.
    philess likes this.
  3. M_ars

    M_ars LI Guru Member

    I also think so. You need INPUT and not FORWARD.
    philess likes this.
  4. Bird333

    Bird333 Network Guru Member

    You need to use input not forward as mentioned above.
    philess likes this.
  5. philess

    philess Networkin' Nut Member

    Thank you guys! I will test that later today. Replies have been greatly appreciated! :)
  6. darkknight93

    darkknight93 Networkin' Nut Member

    iptables -I INPUT -i br1 -p tcp --dport 22 -d -j REJECT --reject-with tcp-reset
  7. Monk E. Boy

    Monk E. Boy Network Guru Member

    In theory FORWARD should block traffic going out to the internet, while INPUT will block traffic directed at the router itself. If you want a single rule to do both you can create a rule on PREROUTING.
  8. gfunkdave

    gfunkdave LI Guru Member

    iptables -I INPUT 7 -p udp -m multiport --dports 53,67 -j ACCEPT  # allow DHCP and DNS services
    iptables -I INPUT 8 -i br1 -d  <router IP on guest VLAN> -j DROP
    iptables -I INPUT 9 -i br1 -d <router IP on regular VLAN> -j DROP
    Repeat the last two lines for each additional LAN IP the router has.
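Putting the thread's advice together, here is an added example (not code posted by anyone in the thread, and not part of Tomato itself) of a small script for the firewall script box that hides the router's own admin ports from the guest bridge while still letting guests get DHCP and DNS from it. Traffic addressed to the router itself is evaluated in the filter table's INPUT chain, which is why the original FORWARD rule never matched; FORWARD only sees packets the router passes between interfaces, so it is used here for a second, separate purpose: keeping guests out of the private LAN. The interface names br1 (guest) and br0 (private) come from the thread; the port list, the DRY_RUN/IPT_PREFIX variables and the function names are assumptions you can change.

```shell
#!/bin/sh
# Added example: restrict router admin ports from the guest bridge.
# Assumed names (hypothetical): GUEST_IF, PRIVATE_IF, ADMIN_PORTS, DRY_RUN.
GUEST_IF="${GUEST_IF:-br1}"          # guest SSID bridge, as in the thread
PRIVATE_IF="${PRIVATE_IF:-br0}"      # private WLAN/LAN bridge, as in the thread
ADMIN_PORTS="${ADMIN_PORTS:-22,23,80,443}"  # SSH, Telnet, HTTP, HTTPS admin UI

# build_rules prints the iptables commands, one per line, in the order to run them.
# Every rule uses -I (insert at the top of the chain), so the LAST command printed
# ends up FIRST in the chain. The DHCP/DNS ACCEPT is therefore printed last so it
# is consulted before the REJECT rule.
build_rules() {
    # Packets destined for the router itself traverse INPUT, not FORWARD.
    printf 'iptables -I INPUT -i %s -p tcp -m multiport --dports %s -j REJECT --reject-with tcp-reset\n' \
        "$GUEST_IF" "$ADMIN_PORTS"
    # Guests must still reach the router's DNS (53/udp) and DHCP server (67/udp).
    printf 'iptables -I INPUT -i %s -p udp -m multiport --dports 53,67 -j ACCEPT\n' \
        "$GUEST_IF"
    # Separate concern: stop guests reaching the private LAN through the router.
    # This is what FORWARD is for; it never matches traffic aimed at the router.
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$GUEST_IF" "$PRIVATE_IF"
}

# apply_rules runs each command; with DRY_RUN set it only prints them.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

# Usage: sh guest-fw.sh print        (show the rules)
#        DRY_RUN=1 sh guest-fw.sh apply
#        sh guest-fw.sh apply         (as root on the router)
case "${1:-}" in
    print) build_rules ;;
    apply) apply_rules ;;
esac
```

After applying, confirm the ordering with `iptables -L INPUT -n --line-numbers` (the ACCEPT for 53,67 should sit above the REJECT) and verify from a guest-WLAN client that an SSH connection is refused while DNS lookups still resolve. Using REJECT with a TCP reset rather than DROP makes a misconfiguration visible immediately from the client side instead of leaving it to time out.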
