
Blocking private IP traffic outbound to WAN?

Discussion in 'Tomato Firmware' started by acollado, Dec 28, 2009.

  1. acollado

    acollado Addicted to LI Member

    How do you setup the firewall in Tomato to block traffic outbound to private IP space (RFC1918)?

    i.e.
    10.0.0.0 - 10.255.255.255 (10/8)
    172.16.0.0 - 172.31.255.255 (172.16/12)
    192.168.0.0 - 192.168.255.255 (192.168/16)

    My cable ISP uses private IPs in its network, so when I trace to 192.168.2.1 my router passes the request off through the WAN interface and it actually traces out to a location several hops away.

    I want private IP requests to stay internal to my LAN.
     
  2. acollado

    acollado Addicted to LI Member

    Would these rules added to the firewall script work?

    iptables -I FORWARD -d 192.168.0.0/16 -j DROP
    iptables -I FORWARD -d 172.16.0.0/12 -j DROP
    iptables -I FORWARD -d 10.0.0.0/8 -j DROP
     
  3. acollado

    acollado Addicted to LI Member

    Now I've got a problem. My cable modem has a diagnostic page at 192.168.100.1 accessible through the WAN port of the router. The above rules block access.

    Changing the rules to this doesn't seem to work:
    iptables -I FORWARD -d 192.168.100.1/32 -j ACCEPT
    iptables -I FORWARD -d 192.168.0.0/16 -j DROP
    iptables -I FORWARD -d 172.16.0.0/12 -j DROP
    iptables -I FORWARD -d 10.0.0.0/8 -j DROP

    Any hints from those more experienced?
     
  4. rhester72

    rhester72 Network Guru Member

    Sure. The IP in question is part of the IANA reserved private range and will not be accessible from anything outside the private subnet.

    What makes you think it should be accessible "through the WAN port"?

    Rodney
     
  5. acollado

    acollado Addicted to LI Member

    Because it is. 192.168.100.1 is the VERY common diagnostic page address of almost any cable modem without a router built in.

    I've been using them for 10 years by way of countless modem models and 4 different cable ISPs.

    I currently access it that way as well locally and remotely (through a port forward, i.e. public_address:1980 -> 192.168.100.1:80).
     
  6. acollado

    acollado Addicted to LI Member

    Here are a couple of examples:
    C:\me>tracert 192.168.2.1

    Tracing route to 192.168.2.1 over a maximum of 30 hops

    1 1 ms 1 ms 1 ms Hub_router [192.168.3.1]
    2 18 ms 11 ms 12 ms cpe-75-83-56-1.socal.res.rr.com [75.83.56.1]
    3 18 ms 12 ms 9 ms 76.167.9.253
    4 14 ms 14 ms 15 ms cpe-66-75-149-58.socal.rr.com [66.75.149.58]
    5 * * * Request timed out.
    6 * * * Request timed out.
    7 * * * Request timed out.
    8 * ^C


    C:\me>tracert 192.168.100.1

    Tracing route to 192.168.100.1 over a maximum of 30 hops

    1 1 ms 1 ms 1 ms Hub_router [192.168.3.1]
    2 2 ms 1 ms 1 ms 192.168.100.1

    I want the first trace, to 192.168.2.1, blocked at the router. The second trace, to 192.168.100.1, allowed.

    Basically I want my private network private and not part of my ISP's private network. Other than the modem diagnostic page (which I can't change), I don't want traffic for private IP space passing over my WAN link.
     


  7. jan.n

    jan.n Addicted to LI Member

    Does it do this at all? I always thought that in the default Tomato config it didn't...
     
  8. RonWessels

    RonWessels Network Guru Member

    So close.

    The "-I" option to iptables inserts the rule at the beginning of the rule chain. Since you execute the other iptables blocking rules lexically after the rule for 192.168.100.1, they get inserted above this rule, so the rule for 192.160.0.0/16 will apply first. Simply move the first line to the end and try again.
     
  9. acollado

    acollado Addicted to LI Member

    Thank you, swapping the rules around works, blocking all the private subnet traffic across the WAN link except for the modem diagnostic page.
     
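To see why the order in post 3 drops the modem page while the swapped order from post 9 allows it, here is an added simulation (not from the thread, and not real iptables) that models a FORWARD chain with first-match evaluation and the -I (insert at top) / -A (append at bottom) semantics, then evaluates each rule set against the two destinations from the traces. The Chain class and helper names are made up for the example.

```python
import ipaddress

# Constructed model of an iptables chain: an ordered list of (network, target).
# It only simulates first-match traversal; it never touches real iptables.
class Chain:
    def __init__(self, name):
        self.name = name
        self.rules = []

    def insert(self, dst, target):
        # iptables -I <chain> -d <dst> -j <target>: rule goes to position 1 (top)
        self.rules.insert(0, (ipaddress.ip_network(dst), target))

    def append(self, dst, target):
        # iptables -A <chain> -d <dst> -j <target>: rule goes to the bottom
        self.rules.append((ipaddress.ip_network(dst), target))

    def verdict(self, dst_ip, policy="ACCEPT"):
        # The first rule whose destination matches decides; otherwise the chain policy.
        ip = ipaddress.ip_address(dst_ip)
        for net, target in self.rules:
            if ip in net:
                return target
        return policy

RFC1918 = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
MODEM = "192.168.100.1/32"   # cable modem diagnostic page from the thread

def chain_as_posted():
    # Post 3: ACCEPT inserted first, then each DROP inserted above it with -I.
    c = Chain("FORWARD")
    c.insert(MODEM, "ACCEPT")
    for net in RFC1918:
        c.insert(net, "DROP")
    return c

def chain_fixed():
    # Post 9: DROPs inserted first, ACCEPT inserted last so it ends up on top.
    c = Chain("FORWARD")
    for net in RFC1918:
        c.insert(net, "DROP")
    c.insert(MODEM, "ACCEPT")
    return c

def chain_appended():
    # Alternative: keep the post-3 order but use -A, so rules land as written.
    c = Chain("FORWARD")
    c.append(MODEM, "ACCEPT")
    for net in RFC1918:
        c.append(net, "DROP")
    return c

if __name__ == "__main__":
    for label, c in (("as posted", chain_as_posted()), ("fixed", chain_fixed()),
                     ("appended", chain_appended())):
        for dst in ("192.168.100.1", "192.168.2.1", "8.8.8.8"):
            print(f"{label:9} {dst:15} -> {c.verdict(dst)}")
```

Printing each chain's rule list alongside the verdicts is a handy way to see the same thing `iptables -L FORWARD -n --line-numbers` would show on the router.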