limit access to webgui

Discussion in 'Tomato Firmware' started by Jefferson, Dec 29, 2017.

  1. Jefferson

    Jefferson New Member Member

    I just installed AdvancedTomato yesterday on my Asus router. I want to restrict who has access to get to the web GUI, either by MAC address or by limiting it only to someone who is physically plugged into the unit. I don't see anything in the menu items and am wondering if this is possible.
     
  2. eibgrad

    eibgrad Network Guru Member

    Code:
    # Inserted first, so it ends up below the ACCEPT rules: refuse everything else on the LAN bridge (br0)
    iptables -I INPUT -p tcp -i br0 --dport 80 -j REJECT
    # Each later -I lands above the REJECT: only these MACs may reach the GUI on port 80
    iptables -I INPUT -p tcp -i br0 --dport 80 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
    iptables -I INPUT -p tcp -i br0 --dport 80 -m mac --mac-source YY:YY:YY:YY:YY:YY -j ACCEPT
    ...
    Specify your own MAC addresses and place the above in the firewall script.

    P.S. Just so you don't accidentally lock yourself out of the GUI, test it from a telnet/ssh session first. If it doesn't work, you can just reboot. Once it is working as you like it, *then* place it in the firewall script.
     
  3. Jefferson

    Jefferson New Member Member

    Great. Thank you very much for the reply. I'm assuming that I can put in the MAC address of the port on the router for access only via plugging in the wire.
     
  4. eibgrad

    eibgrad Network Guru Member

    You can't solve this problem based on physical ports. At least not directly. The firewall knows nothing about physical ports. You can only manage it *indirectly* by assigning one or more physical ports to a new VLAN and assigning a different IP network (e.g., 192.168.2.0/24). Now you create firewall rules that deny access to any IP network *except* the one assigned to the new VLAN.

    So you've achieved the desired result based on IP network, not physical ports, but the effects are the same since that IP network is only accessible via that port! That's what I mean by indirect.

    Personally I think that's more hassle than it's worth. But if you want to do it that way, you can. What I provided instead was rules that simply look at the incoming request (on the default network, br0), check the client's MAC address, and determine if that MAC address is authorized to access the GUI.
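An added example that is not code from the posts above or from Tomato/AdvancedTomato: a small POSIX sh script that generates the iptables rules for both approaches in this thread, the MAC allowlist from post 2 and the "only from the management VLAN's network" variant from post 4. Entries that look like MACs become `--mac-source` matches, entries that look like an IPv4 address or CIDR prefix become `-s` matches, and with no entries at all everything on the LAN bridge is refused (the VLAN case, where the GUI should stay reachable only via the other bridge). The chain name `GUI_ACL`, the `LAN_IF`/`GUI_PORTS` defaults (port 443 is included in case HTTPS admin is enabled) and the helper names are this example's own assumptions. The rules go in a dedicated chain so re-running the script while testing over SSH replaces the previous set instead of stacking duplicates in INPUT.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts or from Tomato.
# Generates iptables rules that allow web-GUI access on the LAN bridge only
# from an allowlist of MAC addresses and/or source networks.
# Assumptions (this example's own): chain GUI_ACL, LAN bridge br0, ports 80+443.

LAN_IF="${LAN_IF-br0}"            # assumed LAN bridge; set LAN_IF="" to match every interface
GUI_PORTS="${GUI_PORTS:-80 443}"  # assumed: cover 443 too in case HTTPS admin is enabled
CHAIN="GUI_ACL"

# MAC: six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# IPv4 address or CIDR prefix (syntax check only; octets are not range-checked).
is_net() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print one iptables command per line for the given allowlist entries, so the
# result can be reviewed first and then piped to sh or pasted into the firewall script.
# With no entries, every client on LAN_IF is refused (the VLAN-only case).
gen_rules() {
    for e in "$@"; do
        is_mac "$e" || is_net "$e" || { echo "gen_rules: bad entry '$e'" >&2; return 1; }
    done
    # create the chain, or empty it if a previous run already created it
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    for e in "$@"; do
        if is_mac "$e"; then
            echo "iptables -A $CHAIN -m mac --mac-source $e -j RETURN"
        else
            echo "iptables -A $CHAIN -s $e -j RETURN"
        fi
    done
    # RETURN lets allowed clients fall through to the normal LAN accept rules;
    # anything not matched above is refused.
    echo "iptables -A $CHAIN -j REJECT"
    for p in $GUI_PORTS; do
        # remove a jump left by a previous run (ignore failure), then insert a fresh one
        echo "iptables -D INPUT${LAN_IF:+ -i $LAN_IF} -p tcp --dport $p -j $CHAIN 2>/dev/null"
        echo "iptables -I INPUT${LAN_IF:+ -i $LAN_IF} -p tcp --dport $p -j $CHAIN"
    done
}

# Usage:  sh gui_acl.sh 00:11:22:33:44:55 192.168.2.0/24        (print for review)
#         sh gui_acl.sh 00:11:22:33:44:55 192.168.2.0/24 | sh   (apply, over SSH on the router)
if [ $# -gt 0 ]; then
    gen_rules "$@" || exit 1
fi
```

As eibgrad advises, apply the generated lines from an SSH session first; because they live in their own chain, a mistake is undone with `iptables -F GUI_ACL` (or a reboot) rather than by hunting for individual INPUT rules, and only once access behaves as intended do the lines go into the firewall script.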
     