
Setting up a WiFi Guest Network - need some IPTables advice

Discussion in 'Tomato Firmware' started by BikeHelmet, Aug 30, 2013.

  1. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Hi all,

    I'm setting up a wireless guest network, and could use some advice. First, what I've accomplished - I found these two iptables blocks, which prevent access to the router from the guest network. I just have to pick/use only one of them.

    Code:
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    
    iptables -I INPUT 7 -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I INPUT 8 -i br1 -d 192.168.1.1 -j DROP
    iptables -I INPUT 9 -i br1 -d 192.168.0.1 -j DROP
    http://www.linksysinfo.org/index.ph...ss-to-web-ui-on-guest-wifi.68385/#post-225899

    I believe it might be possible to alter the second one to this? Is this correct?

    Code:
    iptables -I INPUT -i br1 -d 192.168.0.1 -j DROP
    iptables -I INPUT -i br1 -d 192.168.1.1 -j DROP
    iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT
    
    Next step is, I may have to disable cross-subnet communication. If necessary, I do that with these?
    Code:
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    Final step, which I need advice on from an iptables guru...

    How do I disable outgoing access to everything for br1 and then allow only specific ports? I'm thinking of these ones...

    80,443 (HTTP/HTTPS)
    37,123 (Time/NTP)
    5060,5061 (VOIP/SIP)
    25,110,143,220,465,585,587,993,995,2525 (Email)

    No port 53 (DNS) because the router intercepts and handles that.

    I've been searching Google for a while now to figure this out, and although I'm slowly making progress, I thought maybe a guru could save me some time if I provided all the ports and an explanation of what I'd like to do?

    Cheers. Hope one of you can help. :)

    -BikeHelmet

    Edit:
    If I could rate limit Email that'd be even better - limit it to maybe ~5 connections at once per client. (I've seen it mentioned that this is important for outgoing SMTP - is this correct?)

    I found this somewhere:
    Code:
    iptables -I FORWARD -p tcp -s 10.10.20.0/24 -m connlimit --connlimit-above 50 -j DROP
    iptables -I FORWARD -p ! tcp -s 10.10.20.0/24 -m connlimit --connlimit-above 25 -j DROP
    It applies to everything rather than just specific ports, but that would probably do the job...
     
    Last edited: Aug 30, 2013
  2. GhaladReam

    GhaladReam Network Guru Member

    This has been working for me for some time now:

    Code:
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    The first line blocks all software running on the router when connected to the guest br1 VLAN (this includes the web interface, SSH, Telnet etc.).

    The second line allows through ports 53 and 76 for DNS and DHCP, which are 2 services I want br1 to have access to.
     
  3. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Yes, that's the one that I settled on as well. I was just editing the second one and asking about it to see if I did it correctly. The last half of my post is the most important part, and requires a guru. :)

    Edit:

    Okay, this is what I've come up with:
    Code:
    iptables -I FORWARD -d br1 -j DROP
    iptables -I FORWARD -d br1 -p udp -m multiport --dports 37,123 -j ACCEPT
    iptables -I FORWARD -d br1 -m multiport --dports 5060,5061 -j ACCEPT
    iptables -I FORWARD -d br1 -p tcp -m multiport --dports 25,110,143,220,465,585,587,993,995,2525 -j ACCEPT
    iptables -I FORWARD -d br1 -p tcp -m multiport --dports 80,443 -j ACCEPT
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    
    If I understand this correctly, INPUT refers to the destination being the router, OUTPUT refers to the source being the router.

    PREROUTING and POSTROUTING might be useful, but the descriptions say that they are for "altering" packets?

    FORWARD is for all packets being routed through the router, which seems to be perfect, so I selected it for the rules. Does this look correct? Before I go and mess up my router and have to reset anything, can anyone spot any issues?

    If I understand the order correctly, it goes from top to bottom, inserting rules at the top - so the final rules should look like...

    1) Drop communication between br0 and br1
    2) Accept DHCP and DNS traffic to router from br1
    3) Deny all traffic to router from br1
    4) Accept HTTP/HTTPS ports to br1
    5) Accept POP/IMAP/SMTP ports to br1
    6) Accept VOIP/SIP ports to br1
    7) Accept NTP/TIME ports to br1
    8) Drop all traffic to br1

    Did I miss anything or mess anything up? The next step I suppose is to add those connection limits that I wanted...
     
    Last edited: Aug 31, 2013
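An added example, not code from either post, that pulls the pieces of the thread into one script: guest clients get only DHCP/DNS from the router, no cross-bridge connections, an outbound allow list for br1 and a per-client cap on concurrent mail connections. It assumes the br1/br0 names from the thread and a five-connection mail limit, and prints the commands by default instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: one way to build the br1 guest policy the
# posts work toward. Outbound rules go into a dedicated chain so their order is
# the order written, regardless of what the firmware already has in FORWARD.
# IPT defaults to a dry run that prints each command; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
GUEST_IF="br1"   # guest bridge, as in the thread
LAN_IF="br0"     # trusted LAN bridge, as in the thread
MAIL_LIMIT=5     # concurrent mail connections allowed per guest client (assumed)

guest_rules() {
    # Router itself: guest clients get only DHCP (67) and DNS (53).
    # -I puts each rule at the top, so the ACCEPT ends up above the DROP.
    $IPT -I INPUT -i "$GUEST_IF" -m state --state NEW -j DROP
    $IPT -I INPUT -i "$GUEST_IF" -p udp -m multiport --dports 53,67 -j ACCEPT
    # The LAN must not open connections into the guest network either.
    $IPT -I FORWARD -i "$LAN_IF" -o "$GUEST_IF" -m state --state NEW -j DROP
    # Everything forwarded from br1 is judged by the guest_fwd chain, top down.
    $IPT -N guest_fwd
    $IPT -I FORWARD -i "$GUEST_IF" -j guest_fwd
    $IPT -A guest_fwd -o "$LAN_IF" -m state --state NEW -j DROP
    $IPT -A guest_fwd -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Cap concurrent SMTP submissions per client address (/32) before allowing mail.
    $IPT -A guest_fwd -p tcp -m multiport --dports 25,465,587,2525 \
        -m connlimit --connlimit-above "$MAIL_LIMIT" --connlimit-mask 32 -j DROP
    # Outbound allow list from the thread; multiport requires -p tcp or -p udp.
    $IPT -A guest_fwd -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A guest_fwd -p udp -m multiport --dports 37,123 -j ACCEPT
    $IPT -A guest_fwd -p tcp --dport 37 -j ACCEPT
    $IPT -A guest_fwd -p udp -m multiport --dports 5060,5061 -j ACCEPT
    $IPT -A guest_fwd -p tcp -m multiport --dports 5060,5061 -j ACCEPT
    $IPT -A guest_fwd -p tcp -m multiport \
        --dports 25,110,143,220,465,585,587,993,995,2525 -j ACCEPT
    # Default for the guest network: anything not listed above is dropped.
    $IPT -A guest_fwd -j DROP
}

guest_rules
```

Re-running on a live router needs `iptables -F guest_fwd` first and a check that the FORWARD jump is not inserted twice.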
