
[Newb/IPTABLES] [Tomato Shibby 108 / WNR3500Lv2] Restricting VLAN access to 'web only'

Discussion in 'Tomato Firmware' started by Benjamin, Apr 19, 2013.

  1. Benjamin

    Benjamin Reformed Router Member

    Hi,

    I just installed Tomato (Shibby's 108) on my shiny new WNR3500Lv2 and successfully configured Virtual SSID and a VLAN in order to offer guest WLAN access. I wanted to restrict the guest access to "web-only" so this does not become a bandwidth hog/p2p access for the neighborhood.

    I use VLAN 3 with the virtual SSID; the VLAN is bridged to LAN1 (br1) and hands out IPs in 192.168.192.200 - 220 via DHCP. I also assigned port 4 to this VLAN.

    When I connect to port 4 or to the guest wifi I get an IP in the correct range and can access the internet, which is fine. The problem is that, despite the following rules, I can still use other ports.

    Code:
    iptables -A INPUT -i br1 DROP
    iptables -A INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -A INPUT -i br1 -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i br1 -p tcp -m tcp --dport 443 -j ACCEPT
    
    I am no iptables expert; these rules were compiled from various sources (including here), so there is a high probability that I screwed up.
    From what I can understand (and what I would like to do) they should reject anything but DHCP, DNS, HTTP and HTTPS, which is not the case currently.
    Where did I miss something?
    (Also, as a side note, I have the PPTP server enabled; could there be a link?)
    Thx a lot
     
  2. philess

    philess Networkin' Nut Member

    I am no iptables guru either, but I would guess that the order of your rules is the cause. You should post a full list of all the rules so we can check at which point those new ones are sorted in (iptables --list).
     
  3. gfunkdave

    gfunkdave LI Guru Member

    The INPUT chain controls connections to the router, not via the router to the internet. For that, you want the FORWARDING chain.

    The way you have it set up, you're allowing connections TO THE ROUTER on ports 80, 443, and DHCP/DNS. So your guest wifi users will be able to access the router's web admin pages via http and https, get an IP address, and get DNS service - but that's all. It will have no effect on Internet access.

    Also, by Appending (-A) instead of Inserting (-I), you may be putting the rules too late in the chain to have any effect. The first matching rule dictates the response.

    Try this:

    Code:
    iptables -I INPUT -i br1 -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I FORWARDING -i br1 -p udp -j DROP
    iptables -I FORWARDING -i br1 -p tcp -j REJECT --reject-with tcp-reset
    iptables -I FORWARDING -i br1 -p tcp -m multiport --dports 80,443 -j ACCEPT
    
    I think that'll work but haven't tried it myself. The first two rules refuse all connections to the router itself except for DHCP and DNS. The last three rules will cause the router to refuse to forward all UDP datagrams (very popular with torrenters) and reject all but http and https traffic.

    Note that a savvy torrenter can pretty easily get around this just by telling his torrent program to use port 80 or 443. It would probably be a good idea to implement either a bandwidth throttle on the br1 network or some kind of QOS rule to prohibit transferring more than a few megabytes per connection. I think Tomato has trouble doing QOS on anything but the main br0 VLAN, so you may need to make br0 your guest network.

    Oh, and lastly, the order you and I gave is correct. As I recently learned in another thread, each time you Insert a rule it appears in the first line unless you specify otherwise. So a "backwards" order is the correct one in which to add new rules.

    Let us know how it works!
     
  4. koitsu

    koitsu Network Guru Member

    Note: do not let my question get the thread off track.

    gfunkdave -- INPUT is for inbound packets to the router, FORWARD is for outbound packets which were forwarded along to the default gateway (e.g. a packet from client 192.168.1.200 with a default gateway of 192.168.1.1 (router) would use FORWARD), and OUTPUT is what exactly? :) Traffic that originates from the router itself (not forwarded/NAT'd traffic), destined to somewhere (including its default gateway (e.g. an ISP, the Internet, etc.)) ?

    If that's what OUTPUT is: what's confusing to me is that post-NAT traffic would be coming from the router, thus would be subject to OUTPUT rules, just that the source address would be rewritten to have the WAN IP of the router (rather than the LAN IP of the client), and the source port number would also be rewritten (to be the associated NAT'd port translation).

    I gotta be missing some piece of the puzzle.
     
  5. Benjamin

    Benjamin Reformed Router Member

    Hi all, I just gave gfunkdave's rules a try, but I am still able to ssh from the guest WLAN to one of my remote machines (on default port 22), so it seems that it was unsuccessful. I should add that, to make sure the config was clean, I did a reset to factory settings, wiped the NVRAM and redid the config from scratch, adding only the rules in gfunkdave's post.
    My ruleset looks like this:
    Code:
    Tomato v1.28.0000 MIPSR2-108 K26 USB AIO
    root@tomato:/tmp/home/root# iptables --list
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     udp  --  anywhere             anywhere            multiport dports domain,bootps 
    DROP       all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            state INVALID 
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW 
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1723 
    ACCEPT     gre  --  anywhere             anywhere            
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
               all  --  anywhere             anywhere            account: network/netmask: 192.168.0.0/255.255.255.0 name: lan 
               all  --  anywhere             anywhere            account: network/netmask: 192.168.192.0/255.255.255.0 name: lan1 
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            state INVALID 
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
    L7in       all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    DROP       all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    wanin      all  --  anywhere             anywhere            
    wanout     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    upnp       all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain L7in (1 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto skypetoskype 
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto youtube-2012 
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto flash 
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto httpvideo 
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto rtp 
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto rtmp 
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto rtmpt 
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto shoutcast 
    RETURN     all  --  anywhere             anywhere            LAYER7 l7proto irc 
    
    Chain shlimit (1 references)
    target     prot opt source               destination         
               all  --  anywhere             anywhere            recent: SET name: shlimit side: source 
    DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source 
    
    Chain upnp (1 references)
    target     prot opt source               destination         
    
    Chain wanin (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp multiport dports sip:sip-tls,3478 
    ACCEPT     udp  --  anywhere             192.168.0.10        udp multiport dports sip:sip-tls,3478 
    ACCEPT     udp  --  anywhere             192.168.0.10        udp multiport dports 5004,10000,16 
    ACCEPT     tcp  --  anywhere             192.168.0.10        tcp dpt:5962 
    ACCEPT     udp  --  anywhere             192.168.0.10        udp dpt:5962 
    
    Chain wanout (1 references)
    target     prot opt source               destination         
    root@tomato:/tmp/home/root# 
    
    (Sorry for the lousy copy-paste job I'm currently on my iPad)

    Note: the last 5 rules are port redirections for SIP, although I believe redirecting 5060 might be enough. I probably should dig more here, but that's off topic.

    It's strange that there is no reference to the added rules although they are visible in the firewall script, isn't it?
     
  6. koitsu

    koitsu Network Guru Member

    Please use iptables -L -n -v --line-numbers instead of just iptables -L (equivalent to iptables --list).

    Also, change the iptables rules from iptables -I FORWARDING to iptables -I FORWARD. I don't see the two FORWARD rules gfunkdave mentioned in your iptables output. Doing -I FORWARDING should have caused an error, so I'm not sure why you didn't see error output like this:

    Code:
    iptables: No chain/target/match by that name
    
     
  7. Benjamin

    Benjamin Reformed Router Member

    Hi all,

    First of all thanks for the help and the attention, I really appreciate the fact that you are all spending time helping me, I hope that I'll have the opportunity to help too.

    As a side note, and regarding bandwidth usage:

    I enabled the limiter on br1 and it seems to be working (according to speedtest.net and youtube's speedtest). At least I can see a clear difference in the measurements between br0 and br1. Here's the config:

    [IMG]

    I am also aware of the fact that one could run services on http(s) ports in order to work around the filtering, but filtering is still better than nothing :rolleyes:. Also, this is not an open network, and it will be monitored to prevent abuse.
    The goal here is not to protect against hardcore pirates (someone with will and knowledge will get around pretty much anything) but to prevent friends/family who use the guest network and might have compromised machines from using all of the bandwidth or getting me into trouble.
    If you prefer, I just want to make sure that the network stays usable for everyone (restricting to http/https might be overkill, I agree).

    Now, regarding the filtering, I just changed the rules to FORWARD, and now here's the result of koitsu's command, where we indeed have "state INVALID" twice.

    Code:
    root@tomato:/tmp/home/root# iptables -L -n -v --line-numbers
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination 
    1        0    0 ACCEPT    udp  --  br1    *      0.0.0.0/0            0.0.0.0/0          multiport dports 53,67
    2        0    0 DROP      all  --  br1    *      0.0.0.0/0            0.0.0.0/0   
    3        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    4    2262  420K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    5        2  128 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
    6        1  205 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0   
    7      474 39510 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0   
    8        0    0 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0   
    9        0    0 logaccept  icmp --  *      *      192.88.99.1          0.0.0.0/0   
    10      0    0 logaccept  41  --  *      *      0.0.0.0/0            0.0.0.0/0   
    11      0    0 logaccept  tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:8080
    12      28  1932 logaccept  udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:1610
    13    205 24449 logdrop    all  --  *      *      0.0.0.0/0            0.0.0.0/0   
    14      0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:1723
    15      0    0 ACCEPT    47  --  *      *      0.0.0.0/0            0.0.0.0/0   
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination 
    1    14886 8704K            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.0.0/255.255.255.0 name: lan
    2        0    0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.192.0/255.255.255.0 name: lan1
    3        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0   
    4        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0   
    5      42  2148 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    6      442 25148 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    7    6676 1061K monitor    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0   
    8    14615 8688K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    9        0    0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0   
    10      0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0   
    11      0    0 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0   
    12    229 13888 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0   
    13    229 13888 logaccept  all  --  br0    *      0.0.0.0/0            0.0.0.0/0   
    14      0    0 logaccept  all  --  br1    *      0.0.0.0/0            0.0.0.0/0   
    15      0    0 upnp      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0   
     
    Chain OUTPUT (policy ACCEPT 1280 packets, 499K bytes)
    num  pkts bytes target    prot opt in    out    source              destination 
     
    Chain logaccept (11 references)
    num  pkts bytes target    prot opt in    out    source              destination 
    1      192 11648 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW limit: avg 1/sec burst 5 LOG flags 39 level 4 prefix `ACCEPT '
    2      257 15820 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0   
     
    Chain logdrop (2 references)
    num  pkts bytes target    prot opt in    out    source              destination 
    1      205 24449 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW limit: avg 1/sec burst 5 LOG flags 39 level 4 prefix `DROP '
    2      205 24449 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0   
     
    Chain logreject (0 references)
    num  pkts bytes target    prot opt in    out    source              destination 
    1        0    0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          limit: avg 1/sec burst 5 LOG flags 39 level 4 prefix `REJECT '
    2        0    0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
     
    Chain monitor (1 references)
    num  pkts bytes target    prot opt in    out    source              destination 
    1        0    0 RETURN    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          WEBMON --max_domains 300 --max_searches 300
     
    Chain shlimit (1 references)
    num  pkts bytes target    prot opt in    out    source              destination 
    1        2  128            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
    2        0    0 logdrop    all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
     
    Chain upnp (1 references)
    num  pkts bytes target    prot opt in    out    source              destination 
    1        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.0.83        udp dpt:4500
    2        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.0.83        udp dpt:5353
     
    Chain wanin (1 references)
    num  pkts bytes target    prot opt in    out    source              destination 
    1        0    0 logaccept  tcp  --  *      *      0.0.0.0/0            192.168.0.10        tcp multiport dports 5060:5061,3478
    2        0    0 logaccept  udp  --  *      *      0.0.0.0/0            192.168.0.10        udp multiport dports 5060:5061,3478
    3        0    0 logaccept  udp  --  *      *      0.0.0.0/0            192.168.0.10        udp multiport dports 5004,10000,16
    4        0    0 logaccept  tcp  --  *      *      0.0.0.0/0            192.168.0.10        tcp dpt:5962
    5        0    0 logaccept  udp  --  *      *      0.0.0.0/0            192.168.0.10        udp dpt:5962
     
    Chain wanout (1 references)
    num  pkts bytes target    prot opt in    out    source              destination 
    
     
  8. gfunkdave

    gfunkdave LI Guru Member

    Yes, that's correct. And yeah, it's FORWARD not FORWARDING. :)

    We're bumping up against the limit of my knowledge here, so I don't know the answer to your second question. There is a separate nat table with its own PREROUTING, POSTROUTING, and OUTPUT chains. The manpage says it's consulted when a packet is encountered that creates a new connection. I don't understand why that's different than FORWARD in the filter table...I guess FORWARD is just for packets being routed from one interface to another in the same box, while NAT must be something more than merely forwarding packets.

    As for the OP's question...not sure why it isn't working. I just tried inserting the two TCP rules into my router (allow traffic on 80 and 443, reject others) and suddenly I couldn't access any websites in the web browser, but I could telnet to them on port 80 just fine. Clearly the browser is trying to make extra connections on ports besides 80 and 443...not sure why. And I don't know how to debug it.

    Code:
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1      228 12669 ACCEPT     tcp  --  any    any     anywhere             anywhere            multiport dports www,https
    2      225 13339 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
    
    Any ideas, koitsu?
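One plausible explanation for gfunkdave's result in post 8, consistent with his listing: his two rules were inserted with no `-i`, so they sit in front of Tomato's RELATED,ESTABLISHED accept and apply to the WAN side too, meaning the web server's reply (destination port = the client's ephemeral port, not 80) hits the REJECT. The following first-match model of the FORWARD chain is an added illustration written for this thread, not code from any post; connection state is a constructed packet attribute rather than real conntrack, and port 51234 is a hypothetical client port.

```python
"""Simplified first-match model of the iptables FORWARD chain discussed above.

Added illustration, not code from the thread. Connection-tracking state is
supplied as a packet attribute (a constructed simplification); real iptables
derives it from conntrack.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # "br1" (guest bridge) or "vlan2" (WAN), as in the listings
    proto: str      # "tcp" or "udp"
    dport: int
    ctstate: str    # "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    target: str                        # ACCEPT, DROP or REJECT
    in_iface: Optional[str] = None     # -i <iface>; None matches any ("*")
    proto: Optional[str] = None        # -p <proto>; None matches any
    dports: frozenset = frozenset()    # --dports; empty matches any port
    ctstate: Optional[str] = None      # -m state --state; None matches any

    def matches(self, p: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == p.in_iface)
                and (self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports)
                and (self.ctstate is None or self.ctstate == p.ctstate))


def verdict(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """The first matching rule decides; otherwise the chain policy applies."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy


# Tomato's own FORWARD rule that lets return traffic through (seen in the listings).
ESTABLISHED_OK = Rule("ACCEPT", ctstate="ESTABLISHED")

# gfunkdave's test from post 8: -I with no -i, so the rules precede the
# RELATED,ESTABLISHED accept and apply to every interface, WAN included.
UNSCOPED = [
    Rule("ACCEPT", proto="tcp", dports=frozenset({80, 443})),
    Rule("REJECT", proto="tcp"),
    ESTABLISHED_OK,
]

# The OP's set from post 10, bound to the guest bridge with -i br1.
SCOPED = [
    Rule("ACCEPT", in_iface="br1", proto="tcp", dports=frozenset({80, 443})),
    Rule("REJECT", in_iface="br1", proto="tcp"),
    Rule("DROP", in_iface="br1", proto="udp"),
    ESTABLISHED_OK,
]

# Constructed sample packets; 51234 is a hypothetical client port.
GUEST_HTTP_SYN = Packet("br1", "tcp", 80, "NEW")
GUEST_SSH_SYN = Packet("br1", "tcp", 22, "NEW")
# A DNS query to the router itself goes through INPUT, not FORWARD; this one
# models a query forwarded to an outside resolver.
GUEST_DNS = Packet("br1", "udp", 53, "NEW")
WEB_SERVER_REPLY = Packet("vlan2", "tcp", 51234, "ESTABLISHED")  # SYN-ACK coming back


def web_only_outcomes(chain: List[Rule]) -> dict:
    """Verdict per sample packet for one FORWARD rule ordering."""
    return {
        "guest http syn": verdict(chain, GUEST_HTTP_SYN),
        "guest ssh syn": verdict(chain, GUEST_SSH_SYN),
        "guest dns query": verdict(chain, GUEST_DNS),
        "web server reply": verdict(chain, WEB_SERVER_REPLY),
    }


if __name__ == "__main__":
    for name, chain in (("unscoped (post 8)", UNSCOPED), ("scoped to br1 (post 10)", SCOPED)):
        print(name, web_only_outcomes(chain))
```

In the unscoped ordering the reply is REJECTed, which is what breaks the browser; scoping with `-i br1` (or matching only `--state NEW`) leaves replies to the RELATED,ESTABLISHED rule.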
     
  9. koitsu

    koitsu Network Guru Member

    The rules the OP just provided here are still wrong. The FORWARD entries are still clearly missing. I don't know how/why this keeps getting overlooked.

    There are also not "multiple state INVALID entries" -- the person is reading it/interpreting it wrong (there is one rule for this under the INPUT chain, and another under the FORWARD chain). Those rules are also irrelevant to the discussion -- please stay focused.

    I recommend rebooting the router (which should clear all the rules to defaults, barring any modifications you made to the Scripts section) and starting fresh.

    The OP needs to start providing full output from his CLI sessions as well. Reboot the router. telnet to it (do not use the GUI for this right now!) and issue the commands gfunkdave gave you. Then use iptables -L -n -v --line-numbers. Then provide the entire output of your telnet session here in a code block (this will contain all the commands you typed, and the output). Do not edit your post -- it will mess up the formatting of spaces in a code block (this is a forum software bug).
     
  10. Benjamin

    Benjamin Reformed Router Member

    Hi all,

    Sorry for the delay, this week was Belgium's "Summer Week" (no rain), so I tried to enjoy it while it lasted. Now that winter is back, I'm back to router-related stuff.


    So, I cleared the NVRAM, manually re-made a clean config (identical to what I announced before, but without VPN for now) and finally ssh'd to the router; here's the result of the ssh session:

    Code:
    Tomato v1.28.0000 MIPSR2-108 K26 USB AIO
    root@strax:/tmp/home/root# iptables -I INPUT -i br1 -j DROP
    root@strax:/tmp/home/root# iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    root@strax:/tmp/home/root# iptables -I FORWARD -i br1 -p udp -j DROP
    root@strax:/tmp/home/root# iptables -I FORWARD -i br1 -p tcp -j REJECT --reject-with tcp-reset
    root@strax:/tmp/home/root# iptables -I FORWARD -i br1 -p tcp -m multiport --dports 80,443 -j ACCEPT
    root@strax:/tmp/home/root# iptables -L -n -v --line-numbers
    Chain INPUT (policy DROP 32 packets, 2879 bytes)
    num  pkts bytes target    prot opt in    out    source              destination       
    1        0    0 ACCEPT    udp  --  br1    *      0.0.0.0/0            0.0.0.0/0          multiport dports 53,67
    2        0    0 DROP      all  --  br1    *      0.0.0.0/0            0.0.0.0/0         
    3        1    40 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    4      700 77491 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    5        1    64 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
    6        0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
    7      101 10969 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0         
    8        0    0 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0         
    9        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:8080
    10      0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination       
    1        0    0 ACCEPT    tcp  --  br1    *      0.0.0.0/0            0.0.0.0/0          multiport dports 80,443
    2        0    0 REJECT    tcp  --  br1    *      0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
    3        0    0 DROP      udp  --  br1    *      0.0.0.0/0            0.0.0.0/0         
    4    2682 1104K            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.0.0/255.255.255.0 name: lan
    5        0    0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.192.0/255.255.255.0 name: lan1
    6        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0         
    7        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0         
    8      28  1432 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    9      168  9892 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    10    2537 1093K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    11      0    0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0         
    12      0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0         
    13      0    0 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0         
    14    117  8846 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0         
    15    117  8846 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0         
    16      0    0 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0         
     
    Chain OUTPUT (policy ACCEPT 144 packets, 13465 bytes)
    num  pkts bytes target    prot opt in    out    source              destination       
     
    Chain shlimit (1 references)
    num  pkts bytes target    prot opt in    out    source              destination       
    1        1    64            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
    2        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
     
    Chain wanin (1 references)
    num  pkts bytes target    prot opt in    out    source              destination       
    1        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.0.10        tcp multiport dports 5060:5061,3478
    2        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.0.10        udp multiport dports 5060:5061,3478
    3        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.0.10        tcp dpt:5962
    4        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.0.10        udp dpt:5962
    5        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.0.10        udp multiport dports 5004,10000
     
    Chain wanout (1 references)
    num  pkts bytes target    prot opt in    out    source              destination       
    root@strax:/tmp/home/root# date
    Fri Apr 26 18:37:09 CEST 2013
    No error message while applying the rules, but still invalid rules at the end... I don't get where the invalid rules come from if there's no other error :(
     
