Restrict admin access

Discussion in 'Tomato Firmware' started by rtv99, Mar 21, 2013.

  1. rtv99

    rtv99 Serious Server Member

    With the help from this thread I have configured a Linksys WRT54GL router with standard Tomato 1.28 firmware as a simple access point. The last thing I need to accomplish is restricting admin access to the router. Only one specific private IP address should be allowed to access the web interface and SSH server. The wireless clients should not be able to access the web interface, SSH server or Telnet server, no matter what their IP address is.

    I have tried to enter a specific IP address under Administration -> Admin Restriction -> Allowed IP address but I'm still able to connect with any IP address.

    This is the output of iptables -L -v:

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       0    --  any    any     anywhere             anywhere            state INVALID
     2263  231K ACCEPT     0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
      153  9349 ACCEPT     0    --  br0    any     anywhere             anywhere
        0     0 ACCEPT     0    --  lo     any     anywhere             anywhere
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    Chain OUTPUT (policy ACCEPT 2558 packets, 1548K bytes)
     pkts bytes target     prot opt in     out     source               destination

    The solution is probably to create a custom iptables rule and add it to the firewall script, but I'm not sure of the correct syntax of the rule.

    I have made sure that the checkbox Allow Wireless Access under Administration -> Admin Restriction -> Web Admin is unchecked. Is there any way I can confirm this setting via SSH access, as I don't have any wireless clients to test with yet?

    Thanks in advance.
  2. gfunkdave

    gfunkdave LI Guru Member

    Try this...

    # The INPUT chain you posted has only four rules, so inserting at 7, 8 and 9 would fail
    # ("Index of insertion too big"); positions 3-5 put the rules after the RELATED,ESTABLISHED
    # accept and ahead of the "-i br0 ACCEPT" rule that currently lets every LAN client in.
    iptables -I INPUT 3 -p udp -m multiport --dports 53,67 -j ACCEPT  # always allow DHCP and DNS service
    iptables -I INPUT 4 -s <permitted IP> -d <router IP> -j ACCEPT # always allow the permitted IP to access the router on all ports
    iptables -I INPUT 5 -d <router IP> -j DROP # kill any non-DNS, non-DHCP connections from non-permitted IP
  3. Monk E. Boy

    Monk E. Boy Network Guru Member

    You could also have an iptables rule on input that allows access on ports 22, 23, 80, and 443 from the administration system and another that denies access to ports 22, 23, 80, 443 from any other system.

    Off the top of my head that'd mean:
    # multiport needs a protocol (-p tcp); -I with no position inserts at the top, so the
    # ACCEPT added second ends up at position 1, ahead of the DROP.
    iptables -I INPUT -d <router ip> -p tcp -m multiport --dports 22,23,80,443 -j DROP
    iptables -I INPUT -s <permitted ip> -d <router ip> -p tcp -m multiport --dports 22,23,80,443 -j ACCEPT

    Though since they're off the top of my head I haven't verified if the syntax is correct, sorry.
    koitsu likes this.
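    Putting the two replies together as something that can be pasted into Tomato's Administration -> Scripts -> Firewall box, as an added example that is not from anyone in this thread: the rules go into their own chain so the script can be re-run without leaving duplicates, and the jump is inserted at the head of INPUT so it is evaluated before the "-i br0 ACCEPT" rule in the posted chain. ADMIN_IP (192.168.1.10), the br0 interface name and the admin_acl chain name are constructed placeholders. With DRY_RUN=1 set, or on a machine without iptables, the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: restrict the admin ports to one LAN host on a Tomato access point.
# Tomato runs the Firewall script after it has built its own chains, so the jump
# below lands ahead of the "-i br0 ACCEPT" rule that currently admits every LAN client.
# ADMIN_IP, LAN_IF and CHAIN are assumed values; adjust them for your network.

ADMIN_IP="${ADMIN_IP:-192.168.1.10}"   # the one host allowed to administer the router
LAN_IF="br0"                           # LAN bridge (wired + wireless) on a WRT54GL
ADMIN_PORTS="22,23,80,443"             # ssh, telnet, http, https
CHAIN="admin_acl"                      # user-defined chain, so re-runs stay clean

# $1 is the program used to execute each rule: "iptables" on the router,
# "echo" to print what would be run instead.
restrict_admin() {
    ipt="$1"
    jump="-i $LAN_IF -p tcp -m multiport --dports $ADMIN_PORTS -j $CHAIN"

    # (Re)create the chain: -N fails harmlessly if it already exists, -F empties it.
    $ipt -N "$CHAIN" 2>/dev/null
    $ipt -F "$CHAIN"
    $ipt -A "$CHAIN" -s "$ADMIN_IP" -j ACCEPT   # the admin host may reach the admin ports
    $ipt -A "$CHAIN" -j DROP                    # every other LAN address may not

    # Drop any stale jump from an earlier run, then insert at the top of INPUT.
    # Position 1 does not depend on the exact layout of Tomato's own INPUT rules.
    $ipt -D INPUT $jump 2>/dev/null
    $ipt -I INPUT 1 $jump
}

if command -v iptables >/dev/null 2>&1 && [ -z "${DRY_RUN:-}" ]; then
    restrict_admin iptables
else
    restrict_admin echo   # no iptables here (or DRY_RUN set): just show the commands
fi
```

    After saving the script and restarting the firewall, `iptables -L INPUT -v -n --line-numbers` should show the jump to admin_acl as rule 1, and `iptables -L admin_acl -v -n` shows the packet counters climbing on the ACCEPT line for the admin host and on the DROP line for anyone else. Note that these rules key on the source address only; wired and wireless clients both arrive on br0, so the firmware's Allow Wireless Access option (left unchecked) remains the interface-level control, and this script is an additional restriction on top of it, not a replacement.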