
iptables script

Discussion in 'Tomato Firmware' started by peyton, Mar 20, 2009.

  1. peyton

    peyton LI Guru Member

    I'm not very familiar with iptables and I want your advice.
    I tried to block all P2P within the Tomato GUI but it's not working. Torrent seems to be blocked, but some users can download with LimeWire, so I decided to do a port whitelist, but I'm not really sure of it!
    iptables -I FORWARD -p tcp -m iprange --src-range -m mport --dports 21,25,80,110,143,443,465,993,995 -j ACCEPT
    iptables -I FORWARD -p udp -m iprange --src-range --dport 53 -j ACCEPT
    iptables -I FORWARD -p icmp -m iprange --src-range -j ACCEPT
    iptables -I FORWARD -m iprange --src-range -j DROP
    As you can guess my range is from 10 to 120 and I'll only allow HTTP/S, SMTP/S, POP/S, FTP, IMAP/S and DNS.

    Do I have to put a destination, or is it not necessary?
  2. jza80

    jza80 Network Guru Member

    1. Did you fat-finger the IP addresses in your post? It should be

    2. FTP uses two ports (20 and 21): one for data and another for control.

    I didn't have any luck getting FTP to work, so I used SFTP, which uses TCP port 22.

    3. Not sure if it's necessary to specify a destination, but I did when I was playing with firewall rules. -d 0/0 in my rules below = destination any/any.

    4. You'll want to place a number after FORWARD in the rules, so the rules get inserted (-I) in order. The rules are checked from top to bottom.

    5. I don't know about --src-range.

    -s = source / = -

    For the range of IP addresses from -, you can use -s or -s

    The rules I used are as follows:

    iptables -I FORWARD 1 -p tcp -s -d 0/0 -m mport --dports 22,25,80,110,443 -j ACCEPT
    iptables -I FORWARD 2 -p udp -s -d 0/0 --dport 53 -j ACCEPT
    iptables -I FORWARD 3 -p icmp -s -d 0/0 -j ACCEPT
    iptables -I FORWARD 4 -s -d 0/0 -j DROP
  3. peyton

    peyton LI Guru Member

    1. My mistake, I cut/pasted and didn't check.
    It's 2.10-2.120.

    I'll try yours with the appropriate IP range. Thanks!
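A worked version of the whitelist discussed in the two posts above, as an added example rather than code from either poster. It keeps the rule order explicit by putting the allow list in its own chain (so only the jump from FORWARD needs a position), adds -m iprange (the match module that --src-range belongs to), checks the range for the kind of fat-fingered addresses jza80 asked about, and prints the rules so they can be read before being applied. The 192.168.2.x range, the chain name p2pblock and the port list are assumptions, not values taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a per-range FORWARD whitelist
# for a Tomato router, generated as text so it can be reviewed before it
# is applied. The range, chain name and port list are assumptions; change
# them to match your LAN. Run with APPLY=1 (as root, e.g. pasted into
# Administration > Scripts > Firewall) to actually install the rules.

RANGE_START="${RANGE_START:-192.168.2.10}"    # assumed start of the restricted range
RANGE_END="${RANGE_END:-192.168.2.120}"       # assumed end of the restricted range
CHAIN="${CHAIN:-p2pblock}"                    # hypothetical chain name
TCP_PORTS="${TCP_PORTS:-21,22,25,80,110,143,443,465,993,995}"

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
# The body runs in a subshell so the IFS change does not leak out.
ip_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# A range is valid when both ends parse and start <= end.
valid_range() {
    a=$(ip_to_int "$1") || return 1
    b=$(ip_to_int "$2") || return 1
    [ "$a" -le "$b" ]
}

# Print the rule set, one command per line. A dedicated chain lets the
# rules be appended (-A) in reading order; only the jump from FORWARD
# needs an explicit position (-I FORWARD 1) so it is evaluated first.
# --src-range is an option of the iprange match, hence -m iprange.
# No -d is given: a rule without a destination matches any destination,
# which is what -d 0/0 spells out explicitly.
build_rules() {
    start=$1; end=$2; chain=$3; tcp_ports=$4
    cat <<EOF
iptables -N $chain 2>/dev/null || true
iptables -F $chain
iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $chain -p tcp -m multiport --dports $tcp_ports -j ACCEPT
iptables -A $chain -p udp --dport 53 -j ACCEPT
iptables -A $chain -p tcp --dport 53 -j ACCEPT
iptables -A $chain -p icmp -j ACCEPT
iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP "
iptables -A $chain -j DROP
iptables -D FORWARD -m iprange --src-range $start-$end -j $chain 2>/dev/null || true
iptables -I FORWARD 1 -m iprange --src-range $start-$end -j $chain
EOF
}

main() {
    if ! valid_range "$RANGE_START" "$RANGE_END"; then
        echo "invalid range: $RANGE_START-$RANGE_END" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        build_rules "$RANGE_START" "$RANGE_END" "$CHAIN" "$TCP_PORTS" | sh -e
    else
        build_rules "$RANGE_START" "$RANGE_END" "$CHAIN" "$TCP_PORTS"
    fi
}

main
```

Accepting ESTABLISHED,RELATED first means return traffic passes without a rule per port, and, when the FTP connection-tracking helper is loaded, the FTP data connection (port 20 in active mode, a high port in passive mode) is classified RELATED, so it needs no separate entry. The LOG line before the DROP is what tells you which port a user's client actually tried. A port whitelist only limits which destination ports the range may open; a P2P client that falls back to 80 or 443 is still allowed through, so treat this as a bandwidth-abuse control rather than a guarantee. Putting the script in Administration > Scripts > Firewall makes Tomato re-run it whenever the firewall is rebuilt.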
