Blocking devices access to my media server

Discussion in 'Tomato Firmware' started by Mad_Clown, Jul 15, 2014.

  1. Mad_Clown

    Mad_Clown LI Guru Member

    I have a media server using Shibby v121. Is there any way I can block some devices from accessing my media server? I've looked through the settings and I can't find anything that would do it.
  2. mmosoll

    mmosoll Networkin' Nut Member

    Media/DLNA servers use a specific port. I don't use it, but you can block a port for a specific IP on your LAN using iptables. For example, to permit one IP on port 9000 and block other devices you can use:

    # <allowed-ip> stands for the one LAN address that may reach the server (the address was stripped from the post)
    iptables -A INPUT -p tcp --dport 9000 -s <allowed-ip> -j ACCEPT
    iptables -A INPUT -p tcp --dport 9000 -j DROP

    I think you can find many examples on this forum, I am not very familiar with iptables.
  3. mmosoll

    mmosoll Networkin' Nut Member

    Last edited: Jul 15, 2014
  4. remlei

    remlei Networkin' Nut Member

    Block it via iptables

    # PREROUTING exists in the mangle/nat/raw tables, not in filter, so name the table; --dport needs -p tcp;
    # the nvram lookups have to be command substitutions, not literal quoted strings
    iptables -t mangle -I PREROUTING -i br+ -p tcp -m mac --mac-source AA:BB:CC:DD:EE:FF --dport $(nvram get ms_port) -d $(nvram get lan_ipaddr) -j DROP
  5. Mad_Clown

    Mad_Clown LI Guru Member

    I don't really know much about iptables but if this works then i'll have to learn it. Thanks for the help.
  6. Monk E. Boy

    Monk E. Boy Network Guru Member

    Give the device(s) you don't want to access the media service a fixed DHCP lease (or leases), then block it from accessing the media server. e.g.

    # <blocked-ip> is the fixed-lease address of the device to block (the address was stripped from the post)
    iptables -I INPUT -p tcp --dport 9000 -s <blocked-ip> -j DROP

    The trick is figuring out what protocol(s) and port(s) the media server uses.

    I would stay away from prerouting since that applies to most traffic passing through the router. INPUT is only looked at when the traffic is directed at the router itself.
  7. gfunkdave

    gfunkdave LI Guru Member

    Since both devices are on the same LAN segment, I don't see how this would work. They will directly connect and not be routed.

    I suspect you'd need to put your media server on a separate VLAN.
  8. jerrm

    jerrm Network Guru Member


    It's not clear if this is a separate media server box or the Tomato DLNA server running on the router.

    If the server is running on the router, then some variation of the suggested INPUT rules should work. If the server is a separate box, then placing on a separate VLAN port would be necessary.
    Last edited: Jul 16, 2014
  9. Mad_Clown

    Mad_Clown LI Guru Member

    It's just a hard drive connected to the router, so i'm just using Tomato DLNA server.
  10. Mad_Clown

    Mad_Clown LI Guru Member

    I got it working using iptables rules similar to the ones above. Although I changed the port number from random to a specific one in the media server settings. When I was testing it though -A INPUT didn't work but -I INPUT did. I think it has to do with where those place the rules.
  11. koitsu

    koitsu Network Guru Member

    Correct -- -A appends a rule to the end of the chain, -I inserts a rule into the chain (and if you don't specify where/what index to insert at, it inserts at index 0 (meaning the very top/start of the chain)). Use --line-numbers to get index numbers (why iptables doesn't default to showing this is beyond me -- firewall rule order is incredibly important in any firewall!).

    Be careful using -I, however: there are rules that should always remain at the top of the chain to ensure that certain kinds of non-valid-state traffic is blocked and traffic which is already marked as statefully established is not blocked (i.e. existing connections that are in progress). Example:

    Chain INPUT (policy DROP 732 packets, 62452 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1      570 28644 DROP       all  --  *      *             state INVALID
    2      381 58689 ACCEPT     all  --  *      *             state RELATED,ESTABLISHED
    3        6  1068 ACCEPT     all  --  lo     *  
    4     6617  920K ACCEPT     all  --  br0    *  
    5    47321 3018K ACCEPT     icmp --  *      *  
    6        3    84 ACCEPT     udp  --  *      *             udp dpts:33434:33534
    7     6959 2435K ACCEPT     udp  --  *      *             udp spt:67 dpt:68
    8        1    60 ACCEPT     tcp  --  *      *             tcp dpt:113 flags:0x17/0x02
    The above output was obtained using iptables -L -n -v --line-numbers.

    In this example, considering what you're trying to do (block people from reaching your router), you would want to insert your rules at index 4 or possibly index 6. The rules shown at indexes 1, 2, 3, and 4 are incredibly important (especially 1-3), although if you're trying to block certain kinds of traffic directed at the router itself, you may want to insert the rule at index 4 (i.e. in front of the "accept all packets incoming on interface br0").

    To insert at a specific index number, use iptables -I {chain} {index}, ex. iptables -I INPUT 4 -s <ip> -p tcp -j DROP would insert the rule in question at index 4 and push everything else down (e.g. previous rule 4 becomes rule 5, previous rule 5 becomes rule 6, etc.).

    Likewise, to delete a specific rule, you can delete it by its index number using iptables -D {chain} {index}, ex. iptables -D INPUT 4.

    Make sense?
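The placement koitsu describes (a DROP in INPUT, in front of the "ACCEPT all in br0" rule) and the MAC-based match from remlei's post, combined into one script. This is an added example, not code from the thread or from Tomato. It assumes the Tomato DLNA port lives in the nvram variable ms_port (0 meaning "random", which cannot be blocked by port), the router LAN address in lan_ipaddr, and that the LAN bridge is br0. The two chain listings embedded below are constructed for offline testing and copy the shape of koitsu's `iptables -L INPUT -n -v --line-numbers` output; the 192.168.1.1 address in the second one is made up.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomato): block one LAN client's MAC
# from the router's DLNA port, inserting the rule just above the "ACCEPT all in br0"
# rule so the INVALID / RELATED,ESTABLISHED / lo rules at the top stay first.
# Assumptions: nvram ms_port holds the DLNA TCP port (0 = random), nvram lan_ipaddr
# holds the router LAN IP, and the LAN bridge is br0.

# Constructed sample of `iptables -L INPUT -n -v --line-numbers` (same shape as
# koitsu's listing) used so the parsing functions can be exercised without iptables.
SAMPLE_BEFORE='Chain INPUT (policy DROP 732 packets, 62452 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      570 28644 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2      381 58689 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        6  1068 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4     6617  920K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
5    47321 3018K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample of the same chain after one run of block_client: our DROP
# sits at index 4 and the br0 accept rule has been pushed down to 5.
SAMPLE_AFTER='Chain INPUT (policy DROP 732 packets, 62452 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      570 28644 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2      381 58689 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        6  1068 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 DROP       tcp  --  br0    *       0.0.0.0/0            192.168.1.1          MAC AA:BB:CC:DD:EE:FF tcp dpt:9000
5     6617  920K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
6    47321 3018K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0'

# Index of the first "ACCEPT all in br0" rule in a listing; prints nothing if absent.
# Columns with -v are: num pkts bytes target prot opt in out source destination ...
lan_accept_index() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && $5 == "all" && $7 == "br0" { print $1; exit }'
}

# Index of the first DROP rule in a listing that matches the given MAC (case-insensitive);
# prints nothing if absent. Used for idempotence instead of `iptables -C`, which older
# iptables builds lack.
mac_drop_index() {
    printf '%s\n' "$1" | awk -v mac="$2" 'BEGIN { mac = toupper(mac) }
        $1 ~ /^[0-9]+$/ && $4 == "DROP" && index(toupper($0), "MAC " mac) { print $1; exit }'
}

# Where to insert: in front of the LAN accept rule, or at the top (1) if there is none.
insert_position() {
    pos=$(lan_accept_index "$1")
    printf '%s\n' "${pos:-1}"
}

# Match/target arguments of the blocking rule (everything after chain and index),
# shared by the -I and -D calls so the delete always matches what was inserted.
rule_args() {
    # $1 = client MAC, $2 = TCP port, $3 = router LAN IP
    printf '%s\n' "-i br0 -p tcp -m mac --mac-source $1 -d $3 --dport $2 -j DROP"
}

# Insert the rule once. Run as root on the router:  ./block_dlna.sh block AA:BB:CC:DD:EE:FF
block_client() {
    mac=$1
    port=$(nvram get ms_port)
    lanip=$(nvram get lan_ipaddr)
    if [ -z "$port" ] || [ "$port" -eq 0 ]; then
        echo "ms_port is 0/unset: give the media server a fixed port first" >&2
        return 1
    fi
    listing=$(iptables -L INPUT -n -v --line-numbers)
    if [ -n "$(mac_drop_index "$listing" "$mac")" ]; then
        echo "rule for $mac already present"
        return 0
    fi
    # word splitting of rule_args output is intended
    iptables -I INPUT "$(insert_position "$listing")" $(rule_args "$mac" "$port" "$lanip")
}

# Remove the rule again:  ./block_dlna.sh unblock AA:BB:CC:DD:EE:FF
unblock_client() {
    mac=$1
    port=$(nvram get ms_port)
    lanip=$(nvram get lan_ipaddr)
    iptables -D INPUT $(rule_args "$mac" "$port" "$lanip")
}

case "${1:-}" in
    block)   block_client "$2" ;;
    unblock) unblock_client "$2" ;;
esac
```

Matching on the client's MAC means the fixed DHCP lease from Monk E. Boy's post is not needed for the rule itself, though it still helps when reading the listing. Two caveats: rules added from the shell are lost when the firewall is rebuilt (reboot, WAN reconnect), so on Tomato the `iptables -I` line belongs in Administration > Scripts > Firewall; and this only blocks the HTTP port the content is served on. The router's minidlna still announces itself over SSDP (UDP 1900, multicast), so the blocked device may keep listing the server while failing to browse it; dropping UDP dport 1900 from that MAC in INPUT stops its searches from being answered, but not the router's own multicast announcements.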
  12. Mad_Clown

    Mad_Clown LI Guru Member

    Yeah that makes sense, thanks for the information. I did what you said and moved the rules in front of the allow all on br0 rule. It still works just fine.