
Firewall help

Discussion in 'Tomato Firmware' started by boboxx, Jan 8, 2014.

  1. boboxx

    boboxx Reformed Router Member

    Hello,

    I'm trying to restrict a specific PC on my network to only have access for web browsing. I have 3 VLANs and a few bridged wireless networks, and I tried implementing this as a rule, but it's not working.

    iptables -I INPUT -i br1 -p tcp --dport 53 -s 192.168.2.34 -j ACCEPT
    iptables -I INPUT -i br1 -p udp --dport 53 -s 192.168.2.34 -j ACCEPT
    iptables -I FORWARD -i br1 -p tcp --dport 80 -m state --state NEW -s 192.168.2.34 -j ACCEPT
    iptables -I FORWARD -i br1 -m state --state RELATED,ESTABLISHED -s 192.168.2.34 -j ACCEPT

    Anyone know what the issue could be?

    Thanks
     
  2. lollekatt

    lollekatt Reformed Router Member

    I'm a mong with iptables, but try replacing the last two lines with -A OUTPUT, and also try it with or without two more lines, and shout out if it worked, e.g.:

    iptables -I INPUT -i br1 -p tcp --dport 53 -s 192.168.2.34 -j ACCEPT
    iptables -I INPUT -i br1 -p udp --dport 53 -s 192.168.2.34 -j ACCEPT
    # above look fine, now change to OUTPUT
    # (the OUTPUT chain has no incoming interface, so iptables rejects -i there; -o matches the outgoing interface)
    iptables -A OUTPUT -o br1 -p tcp --dport 80 -m state --state NEW -s 192.168.2.34 -j ACCEPT
    iptables -A OUTPUT -o br1 -m state --state RELATED,ESTABLISHED -s 192.168.2.34 -j ACCEPT
    # make sure nothing comes in or goes out of this box
    iptables -A INPUT -i br1 -j DROP
    iptables -A OUTPUT -o br1 -j DROP


    Please let me/us know, since in general I am absurd at helping with iptables.

    edit: you should also probably add 443 for https.
     
    Last edited: Jan 9, 2014
  3. koitsu

    koitsu Network Guru Member

    I don't think these rules are in the right chain, and in fact I think they're not even in the right table (they should probably be in nat, not filter (default)). I'm not sure if you'd want them in the PREROUTING or POSTROUTING chain though.

    I can't be of more help than this.
     
  4. vmixus

    vmixus Serious Server Member

    Try both options (one at a time) and see which works best.
    The order is important, so enter them as they appear.

    Assuming the IP you want to restrict is 1.2.3.4.
    Modify the value for -s to specify the IP you want restricted.

    OPTION 1:
    Code:
    # Restrict router access from 1.2.3.4
    iptables -I INPUT -i br1 -s 1.2.3.4 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -s 1.2.3.4 -p udp -m multiport --dports 53,67 -j ACCEPT
    
    OPTION 2:
    Code:
    # Restrict access to router config and block FTP, SSH, TELNET, HTTP, HTTPS
    iptables -I INPUT -s 1.2.3.4 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP
    
    # Restrict access to LAN
    # Modify value for -d to specify ip subnet on your LAN you want to block access to
    iptables -t nat -I PREROUTING -i br1 -s 1.2.3.4 -d 192.168.1.0/24 -j DROP
    
     
  5. boboxx

    boboxx Reformed Router Member

    Ok thanks guys I will give it a try when I'm back home.

    In Option #2, if I wanted to _allow_ the user to the internet, shouldn't this be an ACCEPT?
    iptables -I INPUT -s 1.2.3.4 -p tcp -m multiport --dports 21,22,23,80,443 -j DROP <------
     
  6. vmixus

    vmixus Serious Server Member

    The rule is correct and, as the comment above the rule indicates, it's to restrict access to the router config.
    INPUT is for packets headed to the router.
    FORWARD is for packets headed through the router.

    As that rule is in the INPUT table, the rule is saying to restrict traffic destined for those ports on the router.
     
  7. vmixus

    vmixus Serious Server Member

    Another possible way to accomplish this, which just occurred to me: if the client you need to isolate is a wireless client, then simply enable "AP Isolation" under "Advanced Wireless", and that should make it so the wireless clients can't see each other.
     
  8. boboxx

    boboxx Reformed Router Member

    Ah ok, thanks.


    But what I'm trying to do is prevent that computer from using/accessing anything except a web page (no FTP, no SMTP, no HTTPS, no SSH, etc.).

    I only want it to have access to HTTP, DNS, and DHCP.
     
  9. vmixus

    vmixus Serious Server Member

    In that case, try this then.
    Code:
    # Block all forwarded traffic except HTTP (HTTPS won't work either).
    # DNS and DHCP served by the router itself arrive on the INPUT chain, not FORWARD, so these rules leave them alone.
    iptables -I FORWARD 1 -i br1 -s 1.2.3.4 -p tcp -m multiport --dports 80 -j ACCEPT
    iptables -I FORWARD 2 -i br1 -s 1.2.3.4 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD 3 -i br1 -s 1.2.3.4 -j DROP
    
    If it doesn't work, try excluding "-i br1" for all 3 rules. Also, you might need to incorporate some of the other rules previously mentioned above depending on what else you need to lock down.
     
    Last edited: Jan 9, 2014
  11. boboxx

    boboxx Reformed Router Member

    Can you tell me what the 1, 2, 3 does after the forward?

    Edit: I think I found it :)

    Is that what they mean by rulenum?

    iptables [-t table] -I chain [rulenum] rule-specification

    -I, --insert chain [rulenum] rule-specification
    Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.
     
    Last edited: Jan 9, 2014
  12. vmixus

    vmixus Serious Server Member

    Yeah, you got it.
    Also, -I without any trailing number defaults to 1, so essentially it inserts the rule at the top of the chain.
    That's why the rules in Options 1 + 2 above are listed in reverse order, so that when you put them in using -I they'll end up in the right order at the top of the chain.

    Here's some more info on iptables if you're interested.
     
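As an added example that is not part of the thread (and not Tomato or iptables code), here is a small Python model of first-match filter chains. It replays the rules from post 4 (option 1) and post 9 and shows the INPUT-versus-FORWARD distinction from post 6 and the -I ordering point from post 12. Assumptions: a chain policy of ACCEPT (Tomato's real chains have their own policies and preloaded rules), packets described only by the fields these rules match on, and constructed sample packets; the iptables grammar it parses is only the subset used in this thread.

```python
"""Added example, not code from the thread or from Tomato: a tiny first-match
model of the iptables filter table, enough to replay the rules posted above
and see which packets they accept or drop."""
import shlex
from dataclasses import dataclass, field
from typing import Optional

PC = "192.168.2.34"  # the PC to restrict (the address from the first post)


@dataclass
class Rule:
    iface: Optional[str] = None                 # -i
    src: Optional[str] = None                   # -s
    proto: Optional[str] = None                 # -p
    dports: set = field(default_factory=set)    # --dport / --dports
    states: set = field(default_factory=set)    # -m state --state
    target: str = "ACCEPT"                      # -j


def parse(cmd: str):
    """Parse 'iptables (-I|-A) CHAIN [rulenum] <matches> -j TARGET' (thread subset only)."""
    argv = shlex.split(cmd)
    if len(argv) < 3 or argv[0] != "iptables" or argv[1] not in ("-I", "-A"):
        raise ValueError(f"unsupported command: {cmd}")
    op, chain, i, rulenum = argv[1], argv[2], 3, None
    if i < len(argv) and argv[i].isdigit():     # optional rulenum right after the chain
        rulenum, i = int(argv[i]), i + 1
    r = Rule()
    while i + 1 < len(argv):                    # every remaining option takes one value
        flag, val = argv[i], argv[i + 1]
        if flag == "-i":
            r.iface = val
        elif flag == "-s":
            r.src = val
        elif flag == "-p":
            r.proto = val
        elif flag in ("--dport", "--dports"):
            r.dports = {int(p) for p in val.split(",")}
        elif flag == "--state":
            r.states = set(val.split(","))
        elif flag == "-j":
            r.target = val
        elif flag != "-m":                      # '-m state' / '-m multiport' only load a match module
            raise ValueError(f"unsupported option {flag} in: {cmd}")
        i += 2
    return op, chain, rulenum, r


def matches(r: Rule, pkt: dict) -> bool:
    """A rule matches when every field it specifies agrees with the packet."""
    return ((r.iface is None or r.iface == pkt["iface"])
            and (r.src is None or r.src == pkt["src"])
            and (r.proto is None or r.proto == pkt["proto"])
            and (not r.dports or pkt["dport"] in r.dports)
            and (not r.states or pkt["state"] in r.states))


class Filter:
    """The filter table: one rule list per built-in chain, first match wins."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy                    # assumption: a bare ACCEPT policy, unlike a real Tomato box
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}

    def run(self, cmd: str) -> None:
        op, chain, rulenum, r = parse(cmd)
        if op == "-A":
            self.chains[chain].append(r)
        else:                                   # -I: rulenum defaults to 1, the head of the chain
            self.chains[chain].insert((rulenum or 1) - 1, r)

    def verdict(self, chain: str, pkt: dict) -> str:
        for r in self.chains[chain]:
            if matches(r, pkt):
                return r.target
        return self.policy


# The thread's combined answer: post 4 option 1 for the router itself (INPUT),
# post 9 for traffic through the router (FORWARD), typed in the order shown there.
THREAD_RULES = [
    f"iptables -I INPUT -i br1 -s {PC} -m state --state NEW -j DROP",
    f"iptables -I INPUT -i br1 -s {PC} -p udp -m multiport --dports 53,67 -j ACCEPT",
    f"iptables -I FORWARD 1 -i br1 -s {PC} -p tcp -m multiport --dports 80 -j ACCEPT",
    f"iptables -I FORWARD 2 -i br1 -s {PC} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    f"iptables -I FORWARD 3 -i br1 -s {PC} -j DROP",
]


def load(rules=THREAD_RULES) -> Filter:
    fw = Filter()
    for cmd in rules:
        fw.run(cmd)
    return fw


def check(fw: Filter, chain: str, iface="br1", src=PC, proto="tcp", dport=80, state="NEW") -> str:
    """Verdict for one constructed packet described by the fields the rules match on."""
    return fw.verdict(chain, dict(iface=iface, src=src, proto=proto, dport=dport, state=state))


if __name__ == "__main__":
    fw = load()
    for chain, kw in [("FORWARD", dict(dport=80)), ("FORWARD", dict(dport=443)),
                      ("INPUT", dict(proto="udp", dport=53)), ("INPUT", dict(dport=80))]:
        print(chain, kw, "->", check(fw, chain, **kw))
    # Post 12's point: typing option 1's two rules the other way round with -I
    # puts the DROP on top of the chain and the PC loses DNS to the router.
    swapped = [THREAD_RULES[1], THREAD_RULES[0]]
    print("option 1 typed in reverse, DNS to router ->", check(load(swapped), "INPUT", proto="udp", dport=53))
```

The model deliberately ignores everything a real Tomato firewall adds (its own preloaded rules, NAT, connection tracking), so it only answers "which of these rules fires first for this packet". One caveat the replay makes visible: the INPUT rules key on -s 192.168.2.34, but a DHCP client that has no lease yet sends its DISCOVER from 0.0.0.0, so that packet matches neither rule and falls through to whatever the rest of the router's INPUT chain does; only renewals from the already-leased address hit the udp 67 ACCEPT.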
