
iptables script

Discussion in 'Tomato Firmware' started by peyton, Mar 20, 2009.

  1. peyton

    peyton LI Guru Member

    Hi,
    I'm not very familiar with iptables and I want your advice.
    I tried to block all P2P within the Tomato GUI but it's not working. Torrent seems to be blocked, but some users can download with LimeWire, so I decided to do a port whitelist, but I'm not really sure of it!
    Code:
    # --src-range belongs to the iprange match and needs -m iprange in front of it
    # (each -I without a position number inserts at the top of FORWARD)
    iptables -I FORWARD -p tcp -m iprange --src-range 192.168.2.10-192.168.80.120 -m mport --dports 21,25,80,110,143,443,465,993,995 -j ACCEPT
    iptables -I FORWARD -p udp -m iprange --src-range 192.168.2.10-192.168.80.120 --dport 53 -j ACCEPT
    iptables -I FORWARD -p icmp -m iprange --src-range 192.168.2.10-192.168.80.120 -j ACCEPT
    iptables -I FORWARD -m iprange --src-range 192.168.2.10-192.168.80.120 -j DROP
    As you can guess my range is from 10 to 120 and I'll only allow http/s, smtp/s, pop/s, ftp, imap/s and dns.

    Do I have to put a destination or is it not necessary?
     
  2. jza80

    jza80 Network Guru Member

    1. Did you fat-finger the IP addresses in your post? 192.168.2.10-192.168.80.120 should be 192.168.2.10-192.168.2.120.

    2. FTP uses 2 ports (20 and 21). One for data and another for control.

    I didn't have any luck getting FTP to work, so I used SFTP which uses TCP port 22.

    3. Not sure if it's necessary to specify a destination, but I did when I was playing with firewall rules. -d 0/0 in my rules below = destination any/any.

    4. You'll want to place a number after the FORWARD in the rules, so the rules get inserted (-I) in order. The rules are checked from top to bottom.

    5. I don't know about --src-range.

    -s 172.25.25.0/29 = source 172.25.25.0 / 255.255.255.248 = 172.25.25.1 - 172.25.25.6.

    For the range of IP addresses from 192.168.2.10 - 192.168.2.120, you can use -s 192.168.2.0/25 or -s 192.168.2.0/24.

    The rules I used are as follows:

    iptables -I FORWARD 1 -p tcp -s 172.25.25.0/29 -d 0/0 -m mport --dports 22,25,80,110,443 -j ACCEPT
    iptables -I FORWARD 2 -p udp -s 172.25.25.0/29 -d 0/0 --dport 53 -j ACCEPT
    iptables -I FORWARD 3 -p icmp -s 172.25.25.0/29 -d 0/0 -j ACCEPT
    iptables -I FORWARD 4 -s 172.25.25.0/29 -d 0/0 -j DROP
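    A whitelist script in the shape jza80 describes (rules evaluated in order, explicit source, DROP last), written here as an added example rather than code from either poster. It assumes the corrected range 192.168.2.10-192.168.2.120, the port list from the first post, a hypothetical chain name lan_whitelist, and that Tomato has its FTP conntrack helper loaded (it normally does), which is what lets passive-mode FTP data connections through without opening extra ports.

```shell
#!/bin/sh
# Whitelist-only forwarding for one LAN range (added example for this thread).
# Assumed values: the corrected range and the port list from the first post.
IPT="${IPT:-iptables}"                 # set IPT="echo iptables" to dry-run
CHAIN="lan_whitelist"                  # hypothetical user chain name
RANGE="192.168.2.10-192.168.2.120"
TCP_PORTS="21,25,80,110,143,443,465,993,995"

whitelist_rules() {
    # A dedicated chain filled with -A is evaluated in the order written,
    # which avoids the -I trap where the last inserted rule ends up first.
    $IPT -N "$CHAIN"
    # Reply/related traffic first: passive-mode FTP data connections are
    # marked RELATED by the ftp conntrack helper, so FTP works without
    # opening port 20 or high ports explicitly.
    $IPT -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A "$CHAIN" -p tcp -m multiport --dports "$TCP_PORTS" -j ACCEPT
    $IPT -A "$CHAIN" -p udp --dport 53 -j ACCEPT
    $IPT -A "$CHAIN" -p icmp -j ACCEPT
    # Log (rate-limited), then drop, so blocked P2P attempts show in the log.
    $IPT -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "WL-DROP: "
    $IPT -A "$CHAIN" -j DROP
    # Hook the chain into FORWARD for the source range only; --src-range
    # requires -m iprange. Position 1 puts it ahead of Tomato's own rules.
    $IPT -I FORWARD 1 -m iprange --src-range "$RANGE" -j "$CHAIN"
}

# Only touch the live firewall when run as: sh whitelist.sh apply
case "${1:-}" in
    apply) whitelist_rules ;;
esac
```

Put the body in Tomato's Administration > Scripts > Firewall box (without the case guard) so it is re-applied whenever the firewall restarts.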
     
  3. peyton

    peyton LI Guru Member

    1. My mistake, I cut/pasted and didn't check.
    It's 2.10-2.120.

    I'll try yours with the appropriate IP range. Thanks!
     