Firewall rules for Tomato VLAN

Discussion in 'Tomato Firmware' started by JJack, Dec 1, 2013.

  1. JJack

    JJack Serious Server Member

    Hello Gentlemen,
    I'm trying to get my firewall to prevent wireless and/or wired users on 'br1' from being able to access the router, (and modem if possible). I tried the firewall rules on another post but it didn't work so I deleted them and hard-reset the router.

    I have included some screenshots and the iptables list. Would one of you fine gentlemen be so kind as to impart some of your wisdom? I would be ever so grateful.

    BTW, the Modem is at: 192.168.100.1
    Code:
    Chain INPUT (policy DROP 246 packets, 17074 bytes)
    num  pkts bytes target    prot opt in    out    source              destination         
    1        9  691 DROP      all  --  any    any    anywhere            anywhere            state INVALID 
    2      347 65433 ACCEPT    all  --  any    any    anywhere            anywhere            state RELATED,ESTABLISHED 
    3        0    0 shlimit    tcp  --  any    any    anywhere            anywhere            tcp dpt:ssh state NEW 
    4        0    0 ACCEPT    all  --  lo    any    anywhere            anywhere           
    5      136 11898 ACCEPT    all  --  br0    any    anywhere            anywhere           
    6      629 55790 ACCEPT    all  --  br1    any    anywhere            anywhere           
    7      56 18734 ACCEPT    udp  --  any    any    anywhere            anywhere            udp spt:bootps dpt:bootpc 
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination         
    1    1747  661K            all  --  any    any    anywhere            anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan 
    2    7844 4587K            all  --  any    any    anywhere            anywhere            account: network/netmask: 192.168.55.0/255.255.255.0 name: lan1 
    3        0    0 ACCEPT    all  --  br0    br0    anywhere            anywhere           
    4        0    0 ACCEPT    all  --  br1    br1    anywhere            anywhere           
    5        0    0 DROP      all  --  any    any    anywhere            anywhere            state INVALID 
    6      783 40408 TCPMSS    tcp  --  any    any    anywhere            anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
    7    9018 5204K ACCEPT    all  --  any    any    anywhere            anywhere            state RELATED,ESTABLISHED 
    8        0    0 DROP      all  --  br0    br1    anywhere            anywhere           
    9        4  240 DROP      all  --  br1    br0    anywhere            anywhere           
    10      0    0 wanin      all  --  vlan2  any    anywhere            anywhere           
    11    565 42964 wanout    all  --  any    vlan2  anywhere            anywhere           
    12    240 25751 ACCEPT    all  --  br0    any    anywhere            anywhere           
    13    325 17213 ACCEPT    all  --  br1    any    anywhere            anywhere           
    Chain OUTPUT (policy ACCEPT 616 packets, 227K bytes)
    num  pkts bytes target    prot opt in    out    source              destination         
    Chain shlimit (1 references)
    num  pkts bytes target    prot opt in    out    source              destination         
    1        0    0            all  --  any    any    anywhere            anywhere            recent: SET name: shlimit side: source 
    2        0    0 DROP      all  --  any    any    anywhere            anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source 
    Chain wanin (1 references)
    num  pkts bytes target    prot opt in    out    source              destination         
    Chain wanout (1 references)
    num  pkts bytes target    prot opt in    out    source              destination  
     


  2. shadowken

    shadowken Networkin' Nut Member

    Try this, it will block access to the router (but not sure if it will block access to the modem web management):
    iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
     
    Last edited: Dec 1, 2013
  3. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Code:
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
     
  4. darkknight93

    darkknight93 Networkin' Nut Member

    For blocking access to the modems website I use

    #Access CM Page block
    iptables -I FORWARD -i br1 -d 192.168.100.1 -j DROP
     
  5. JJack

    JJack Serious Server Member

    Thank you all for your replies. I have tried all of them, and rebooted the router between each test.

    @shadowken
    The rule you supplied does block access to the router, but not the modem.

    @Malitiacurt
    The rules you suggested worked for the router, but still did not block access to the modem.

    @darkknight93
    The rule you provided did block access to the modem, but not the router.

    Still looking for a way to block both the router, and the modem. Unfortunately, I'm not well versed enough to create my own rules. Do you have any other suggestions?
     
  6. shibby20

    shibby20 Network Guru Member

    just use both iptables rules!
     
  7. JJack

    JJack Serious Server Member

    Thanks Shibby, which ones?
     
  8. JJack

    JJack Serious Server Member

    I failed to mention that I must also allow printer access on 'br0' from clients on 'br1'.

    The printer IP is on my primary LAN 'br0' with IP 192.168.50.136
     
  9. shadowken

    shadowken Networkin' Nut Member

    JJack,
    Use both to block access to the router and the modem:
    iptables -I INPUT -i br1 -p tcp --dport 80 -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br1 -d 192.168.100.1 -j DROP

    As for allowing access to the printer on br0, you can easily specify this in LAN bridging under the Advanced menu.

    Or use the below:
    iptables -I FORWARD -i br1 -o br0 -d 192.168.50.136 -j ACCEPT

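The thread converges on four rules from three posts (drop new connections from br1 to the router, allow DHCP/DNS, block the modem, allow the printer). The script below is an added example, not code from the thread or from Tomato; it prints those rules in the order they must be run (because `-I` inserts at the top, the last command issued ends up first in its chain) and executes them only when called with `apply`. Interface names and addresses are the thread's own; the `GUEST_IF`/`LAN_IF`/`MODEM_IP`/`PRINTER_IP` variable names are this example's.

```shell
#!/bin/sh
# Added example (not from the thread). Variables default to the thread's values
# and may be overridden from the environment, e.g. PRINTER_IP=... ./vlan-rules.sh
GUEST_IF="${GUEST_IF:-br1}"                 # isolated guest bridge
LAN_IF="${LAN_IF:-br0}"                     # primary LAN bridge
MODEM_IP="${MODEM_IP:-192.168.100.1}"       # cable modem management address
PRINTER_IP="${PRINTER_IP:-192.168.50.136}"  # printer on the primary LAN

# Print the rules in execution order. Every rule uses -I (insert at top), so
# the LAST command printed ends up FIRST in its chain. The ACCEPT rules are
# therefore emitted after the DROPs so that they take precedence at match time.
vlan_rules() {
    # Guest clients may not open new connections to the router itself
    # (replies to router-initiated traffic still pass via RELATED,ESTABLISHED).
    echo "iptables -I INPUT -i $GUEST_IF -m state --state NEW -j DROP"
    # ...except DHCP (67) and DNS (53), which they need to get online at all.
    echo "iptables -I INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT"
    # Guest clients may not reach the modem's management page through the router.
    echo "iptables -I FORWARD -i $GUEST_IF -d $MODEM_IP -j DROP"
    # Guest clients may reach the printer on the primary LAN. Issued last so it
    # lands above the firmware's existing br1->br0 DROP in the FORWARD chain;
    # the printer's replies return via the RELATED,ESTABLISHED rule.
    echo "iptables -I FORWARD -i $GUEST_IF -o $LAN_IF -d $PRINTER_IP -j ACCEPT"
}

# Number of rules produced, for a quick sanity check before applying.
vlan_rule_count() { vlan_rules | wc -l | tr -d ' '; }

case "${1:-}" in
    # Execute each printed command in order (requires root on the router).
    apply) vlan_rules | while IFS= read -r cmd; do $cmd; done ;;
    # Default: dry run, just show what would be executed.
    *)     vlan_rules ;;
esac
```

After applying, `iptables -vnL INPUT` and `iptables -vnL FORWARD` should show the ACCEPT rules listed above their matching DROP rules; if the printer rule appears below the br1->br0 DROP, it was inserted too early and will never match.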
     
  10. JustinChase

    JustinChase Reformed Router Member

    How did you determine the printer's IP address? I have a printer installed on my br0 network, and can access and print to it from laptops connected to that LAN, but I can't find any IP for that device. This is all I can see of the printer from the Tomato firmware...

     
  11. JJack

    JJack Serious Server Member

    @JustinChase
    Navigate to: Status -> Device List
    The IPs associated with each client are listed there.
     
  12. JustinChase

    JustinChase Reformed Router Member

    Unfortunately, the printer is not listed, so I can't see the IP address from there :(
     