
How can I disallow admin access for daisy chained routers?

Discussion in 'Tomato Firmware' started by Jenna, Jul 2, 2013.

  1. Jenna

    Jenna Reformed Router Member

    Hi.

    I'm using multiple routers with Tomato Shibby build 110 EN AIO.
    http://tomato.groov.pl/download/K26RT-N/build5x-110-EN/

    Internet--------->(wan)Router1(lan)>-------(wan)Router2
    192.168.15.1-----10.20.30.1---------------10.20.40.1

    Router2 gateway = 10.20.30.1
    Router2 can reach the internet
    Router 2 can't see 10.20.30.x (except .1)

    Problem: How can I block 10.20.30.1 admin access from router2 and still allow internet traffic?
    I've tried the Administration>Admin Access (router1) without effect.
    Apparently it's for remote only and won't block downstream routers.

    Can anyone please offer a suggestion to block admin access for upstream routers
    on the same subnet?

    Thank you.
     
  2. PGalati

    PGalati Network Guru Member

    This isn't foolproof, but I simply changed the port number of the web GUI to one that I know about and that might take someone else a while to scan for. I think it could also be done in a different way, but I can't seem to locate the appropriate thread.
     
  3. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Use iptables.

    If 40.1 is on its own vlan you can just block the entire vlan using

    Code:
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    If it's on the same vlan then you'll have to specify the ranges of ip/netmask in the rules.
     
  4. Jenna

    Jenna Reformed Router Member

    Malitiacurt, yes router 1 has vlan4 vid=4
    I tried your iptables (router1), it worked, thank you. Shouldn't these lines be
    'Inserted' after Table INPUT rule #3 instead of inserting rule #1 & #2 ?

    Here is: iptables -L -v -n --line-numbers
    Router1 [Before]
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination
    1        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    2    2654  393K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    3        3  180 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
    4        0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0 
    5      323 19436 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0 
    6        0    0 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0 
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination
    1        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0 
    2        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0 
    3        1    80 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    4      40  2400 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    5      788  254K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    6        8  480 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0 
    7        0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0 
    8        0    0 wanin      all  --  vlan5  *      0.0.0.0/0            0.0.0.0/0 
    9      70  7628 wanout    all  --  *      vlan5  0.0.0.0/0            0.0.0.0/0 
    10      36  2466 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0 
    11      34  5162 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0 
     
    Chain OUTPUT (policy ACCEPT 3 packets, 428 bytes)
    num  pkts bytes target    prot opt in    out    source              destination
     
    Chain shlimit (1 references)
    num  pkts bytes target    prot opt in    out    source              destination
    1        3  180            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
    2        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
     
    Chain wanin (1 references)
    num  pkts bytes target    prot opt in    out    source              destination
     
    Chain wanout (1 references)
    num  pkts bytes target    prot opt in    out    source              destination 
    Router2 [Before]
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination
    1        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    2      310 37449 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    3        1    60 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
    4        3  484 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0 
    5      35  2368 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0 
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination
    1      10  600 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0 
    2        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    3        0    0 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    4        0    0 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    5        0    0 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0 
    6        0    0 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0 
    7        0    0 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0 
     
    Chain OUTPUT (policy ACCEPT 355 packets, 262K bytes)
    num  pkts bytes target    prot opt in    out    source              destination
     
    Chain shlimit (1 references)
    num  pkts bytes target    prot opt in    out    source              destination
    1        1    60            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
    2        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
     
    Chain wanin (1 references)
    num  pkts bytes target    prot opt in    out    source              destination
     
    Chain wanout (1 references)
    num  pkts bytes target    prot opt in    out    source              destination
     
    
    AFTER MODIFICATION = Router1

    Code:
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination
    1        0    0 ACCEPT    udp  --  br1    *      0.0.0.0/0            0.0.0.0/0          multiport dports 53,67
    2        0    0 DROP      all  --  br1    *      0.0.0.0/0            0.0.0.0/0          state NEW
    3        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    4    4327  641K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    5        3  180 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
    6        0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0
    7      532 32018 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
    8        0    0 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination
    1        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
    2        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0
    3        1    80 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    4      113  6780 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    5    1593  610K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    6        8  480 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0
    7        0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0
    8        0    0 wanin      all  --  vlan5  *      0.0.0.0/0            0.0.0.0/0
    9      110 10443 wanout    all  --  *      vlan5  0.0.0.0/0            0.0.0.0/0
    10      71  4566 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
    11      39  5877 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0
     
    Chain OUTPUT (policy ACCEPT 34 packets, 3416 bytes)
    num  pkts bytes target    prot opt in    out    source              destination
     
    Chain shlimit (1 references)
    num  pkts bytes target    prot opt in    out    source              destination
    1        3  180            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
    2        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
     
    Chain wanin (1 references)
    num  pkts bytes target    prot opt in    out    source              destination
     
    Chain wanout (1 references)
    num  pkts bytes target    prot opt in    out    source              destination      
    Would you place the iptables in the 'INIT' or 'FIREWALL' script section ?

    Thanks again.
    Jenna
     
  5. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Firewall section.
     
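As an added example (not code from the thread or from Tomato itself), here is how the two rules from post 3 can be packaged as functions for the Administration > Scripts > Firewall box, covering both the "own VLAN" case and the "same VLAN, match by source address" case that post 3 mentions, plus the rule-position question from post 4. Interface names and address ranges are assumptions taken from the thread's layout (downstream router on br1, or on a shared bridge in 10.20.30.0/24); set IPT=echo before calling the functions to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: Tomato "Firewall" script fragment
# that stops a downstream router from opening new connections to Router1
# itself (web GUI, SSH) while still letting it obtain DHCP and DNS from
# Router1. Router2's internet traffic is unaffected: it is forwarded through
# the FORWARD chain, and these rules only touch INPUT.
#
# Interface names and addresses are assumptions based on the thread's layout.

IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of applying them

# Case 1 (the thread's situation): the downstream router hangs off its own
# bridge/VLAN, here br1. Both rules are inserted at the same position $pos,
# and "iptables -I" prepends, so the DROP goes in first and the ACCEPT
# second, leaving ACCEPT above DROP (the ordering seen in the thread's
# "after modification" listing: rule 1 ACCEPT udp 53,67, rule 2 DROP NEW).
block_bridge() {
    br="$1"
    pos="${2:-1}"   # 1 = top of INPUT; 3 places them after rule 2
    "$IPT" -I INPUT "$pos" -i "$br" -m state --state NEW -j DROP
    "$IPT" -I INPUT "$pos" -i "$br" -p udp -m multiport --dports 53,67 -j ACCEPT
}

# Case 2: the downstream router shares the LAN bridge with other hosts, so
# the match must be narrowed by source address (one host or a CIDR range)
# instead of by interface alone.
block_source() {
    br="$1"
    src="$2"        # e.g. 10.20.30.50 or 10.20.30.32/27 (assumed values)
    pos="${3:-1}"
    "$IPT" -I INPUT "$pos" -i "$br" -s "$src" -m state --state NEW -j DROP
    "$IPT" -I INPUT "$pos" -i "$br" -s "$src" -p udp -m multiport --dports 53,67 -j ACCEPT
}

# Usage inside the Firewall script box (assumed interface and address):
#   block_bridge br1                 # downstream router on its own bridge
#   block_source br0 10.20.30.50     # downstream router on the shared LAN
```

On the position question: whether the pair sits at rules 1 and 2 or below the RELATED,ESTABLISHED rule makes no practical difference, because the DROP only matches the first packet of a connection (state NEW); packets of connections that are already established are accepted by the RELATED,ESTABLISHED rule in either ordering. What does matter is that the 53,67 ACCEPT stays above the DROP, otherwise the downstream router loses DHCP and DNS from Router1.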
  6. Jenna

    Jenna Reformed Router Member

    Malitiacurt, OK.

    You didn't comment on the rule insertion, I've tried inserting the rules after #4 and it still works.
    Thanks for your advice.

    Cheers.

    [SOLVED]
     
