
iptables issue or just a missing setting?

Discussion in 'Tomato Firmware' started by Funkoid, Aug 29, 2013.

  Funkoid (Serious Server Member)

    I'm running Shibby's latest Tomato build and am seriously impressed with the project; it's simply awesome.

    As part of my configuration I've set up two SSIDs for guest wireless access: one is on 192.168.254.x (Guest Wireless, LAN1 (br1)) and the other is on 192.168.1.x (Main LAN, LAN (br0)).

    3 VLANs are configured:

    1 bridged to LAN (br0)
    2 bridged to WAN
    3 bridged to LAN1 (br1)

    Wireless bridge settings are as follows:

    Bridge eth1 to LAN(br0)
    Bridge wl0.3 to LAN1(br1)

    Essentially I want br0 to have access to everything but br1 to have only basic internet access. In particular, I don't want br1 to gain any form of access to br0, e.g. a 192.168.254.x address shouldn't be able to ping 192.168.1.22... the thing is, it does, even with the following iptables rule entries in.

    Code:
    #Removes Guest Access To Physical Network
    iptables -I FORWARD 1 -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD 2 -i br0 -o br1 -m state --state NEW -j DROP
    
    #Removes guest access to the router config
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
    
    #Allow br1 to access http/https to internet
    iptables -I FORWARD 3 -i br1 -p tcp -m multiport --dports 80,443 -j ACCEPT
    iptables -I FORWARD 4 -i br1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #Drop everything else on br1
    iptables -I FORWARD 5 -i br1 -j DROP

    If I connect to the br1 guest wifi with my mobile I get the correct DHCP-allocated address, but I can ping out from Net Analyzer Lite to a 192.168.1.x address. What's strange is that if I do the same from a Windows machine, I don't get a reply when pinging the mobile.

    Do the above iptables look okay? Am I missing something?
     
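The script below is an added example for the setup described in the post above; it is not code from the original post, from Shibby, or from the Tomato project. It does two things a practitioner would want before adding more rules. First, it checks what the rules silently depend on: a FORWARD rule with `-i br1` only ever sees traffic that enters the router on br1, so if the guest client is in fact a port of br0 the ping is switched inside br0 and no iptables FORWARD rule matches it; `brctl show` is the place to confirm which bridge wl0.3 is really enslaved to. Second, it rebuilds the same policy (drop into the main LAN, allow replies, allow new HTTP/HTTPS out, drop the rest, reject the management ports on INPUT) inside one dedicated chain, so the script can be re-run without stacking duplicates at fixed FORWARD positions. Assumptions: the chain name GUEST_FWD, the bridge names br0/br1 from the thread, and the delete-then-insert idiom for idempotence; the `brctl show` text inside the block is constructed to match the post's layout, not a real capture.

```shell
#!/bin/sh
# Added example; not code from the original post or from Tomato/Shibby.
# Rebuilds the thread's guest-isolation rules inside one dedicated chain so
# the script can be re-run (for example from Tomato's firewall script) without
# stacking duplicates at fixed FORWARD positions, and adds the check to do
# first: is the guest SSID actually a port of br1?  A rule with "-i br1" never
# matches a frame that was switched inside br0.
# Assumptions: chain name GUEST_FWD, bridge names br0/br1, and the
# delete-then-insert idiom for idempotence (works on any iptables version).
IPT="${IPT:-iptables}"        # set IPT="echo iptables" for a dry run
GUEST_IF="${GUEST_IF:-br1}"   # guest bridge (LAN1 in the Tomato UI)
LAN_IF="${LAN_IF:-br0}"       # main LAN bridge
CHAIN="GUEST_FWD"

# The guest FORWARD chain, one rule per line in evaluation order.
# 1. Anything routed into the main LAN is dropped first and unconditionally,
#    so it does not depend on conntrack state (an ICMP echo request is NEW,
#    but even a reply would be dropped here).
# 2. Replies to flows the guest opened are accepted before the catch-all.
# 3. New HTTP/HTTPS flows (to the WAN, since the LAN was dropped in 1).
# 4. Everything else from the guest bridge is dropped.
build_forward_rules() {
    cat <<EOF
-A $CHAIN -o $LAN_IF -j DROP
-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A $CHAIN -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A $CHAIN -j DROP
EOF
}

# Put a rule at the top of a chain exactly once: delete any existing copy
# (fails harmlessly if absent), then insert at position 1.
ensure_rule() {
    chain=$1; shift
    $IPT -D "$chain" "$@" 2>/dev/null
    $IPT -I "$chain" 1 "$@"
}

apply_rules() {
    $IPT -N "$CHAIN" 2>/dev/null   # fails harmlessly if the chain exists
    $IPT -F "$CHAIN"
    build_forward_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        $IPT $rule
    done
    # Guest traffic enters the chain; the LAN side is also blocked from
    # opening flows to the guest bridge, as in the thread.
    ensure_rule FORWARD -i "$GUEST_IF" -j "$CHAIN"
    ensure_rule FORWARD -i "$LAN_IF" -o "$GUEST_IF" -m state --state NEW -j DROP
    # Router management ports are unreachable from the guest bridge.
    for port in 23 22 80 443; do
        ensure_rule INPUT -i "$GUEST_IF" -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
    done
}

# Is PORT enslaved to BRIDGE, given the text of `brctl show`?  Pass the live
# output as "$(brctl show)"; continuation lines carry only an interface name.
bridge_has_port() {
    printf '%s\n' "$1" | awk -v b="$2" -v p="$3" '
        NF >= 3 { br = $1; ifc = (NF >= 4) ? $NF : "" }
        NF == 1 { ifc = $1 }
        br == b && ifc == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `brctl show` for the layout in the thread (not a real
# capture): eth1 on br0, wl0.3 on br1.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              vlan1
                                                        eth1
br1             8000.000000000002       no              vlan3
                                                        wl0.3'

case "${1:-}" in
    apply) apply_rules ;;
    check) if bridge_has_port "$(brctl show)" "$GUEST_IF" wl0.3; then
               echo "wl0.3 is a port of $GUEST_IF"
           else
               echo "wl0.3 is NOT a port of $GUEST_IF: FORWARD rules with -i $GUEST_IF cannot match it"
           fi ;;
    *) echo "usage: $0 apply|check   (set IPT='echo iptables' for a dry run)" ;;
esac
```

Run `sh guest_fw.sh check` on the router first; if wl0.3 is not reported as a port of br1, no amount of iptables work on `-i br1` will stop the ping, and the bridge assignment is what needs fixing. `IPT='echo iptables' sh guest_fw.sh apply` prints the exact commands without touching the firewall, which is the quick way to review the resulting rule order before loading it.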
