
Steps to block single IP/Port?

Discussion in 'Tomato Firmware' started by jsmiddleton4, Apr 11, 2009.

  1. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Just checking on the steps to block one port/ip address in Tomato's setup. Need to block this: on port 443

    What do I do?
  2. jsmiddleton4

    jsmiddleton4 Network Guru Member

    This looks harder than I originally thought. I looked and don't see any easy way to create a firewall rule to block this ip/port. I'm guessing it needs to be a script?
  3. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Found this suggestion - still want to block the port....

    iptables -I FORWARD -d -j DROP
  4. jsmiddleton4

    jsmiddleton4 Network Guru Member

    ? This ?

    iptables -A INPUT -s -p tcp 443 -j DROP
  5. phuque99

    phuque99 LI Guru Member

    The "INPUT" chain blocks traffic "into" and destined for your router. The FORWARD chain blocks routed traffic through your router.
  6. jsmiddleton4

    jsmiddleton4 Network Guru Member

    iptables -A FORWARD -s -p tcp 443 -j DROP

    So use this in the firewall script?
  7. gijs73

    gijs73 LI Guru Member


    iptables -I FORWARD 1 -d -p tcp --dport 443 -j REJECT --reject-with tcp-reset

    You want to block the destination, not the source, and you must use --dport (destination port) in your syntax. You may also want to reject the packet with a TCP reset, so the client doesn't 'hang' waiting for a timeout.

    You also need to insert the rule as rule number one, because otherwise the rule doesn't match anything, because it's at the end of the FORWARD chain.

    edit: this all should be possible within the Tomato GUI (Access Restriction). Did you try that?
  8. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Thanks. I didn't see a way to do this with the access restriction page. I will look again. I have a home theater receiver that also has the ability to access Rhapsody to stream music. I don't want Rhapsody and won't use it. However, the way the receiver works is that periodically it will hit Rhapsody to see "just in case" I've requested something.
  9. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I can see how I block a dst port, and even set the IP address of the device that I want to block, but where do I put in the destination IP address I want to block? HTTP request window? How does Tomato know that is a destination IP?
  10. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I've looked at the FAQs, etc., and I'm sorry but I don't quite see the steps in terms of using Access Restrictions to block an outbound or destination request from a client in my network to an outside IP/port. Seems to me that it's a little too unintuitive or something. Maybe it's a little harder than it needs to be?

    Here is what I'm trying to block access to from my receiver that is a client on my internal network.
    Record Type: IP Address

    OrgName: RealNetworks, Inc.
    OrgID: REAL
    Address: 2601 Elliott Avenue
    City: Seattle
    StateProv: WA
    PostalCode: 98121
    Country: US

    NetRange: -
    NetHandle: NET-207-188-0-0-1
    Parent: NET-207-0-0-0-0
    NetType: Direct Allocation
    RegDate: 1999-02-22
    Updated: 2001-06-20

    RTechHandle: IR57-ARIN
    RTechName: RealNetworks, Inc.
    RTechPhone: +1-206-892-6737
    RTechEmail: net-admin@real.com

    OrgTechHandle: GNET-ARIN
    OrgTechName: GIO - Network Engineering Team
    OrgTechPhone: +1-206-674-2700
    OrgTechEmail: gio-ne@real.com
  11. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Using access restrictions and what appeared to be the right information for blocking the destination web site/port I also could not access the firmware update server for the receiver. In other words it appears all destination requests were being blocked. Deleted my rule, rebooted router, my receiver accessed the firmware update server perfectly.

    So this firewall rule....

    iptables -I FORWARD 1 -d -p tcp --dport 443 -j REJECT --reject-with tcp-reset

    Is it 2 "-" in front of --dport? And I'm not sure: is the --reject just for information, or does that need to be part of the firewall script rule?
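A Firewall-script version of gijs73's rule, as an added example that is not from the thread: it narrows the rule to one LAN client with -s, shows the two questions above in working form (two dashes in --dport, and --reject-with is part of the rule itself), and checks the values before anything is run. The addresses 192.168.1.50 and 203.0.113.10 are assumed placeholders, not from the thread.

```shell
# Added example for Tomato's Firewall script (Administration -> Scripts -> Firewall).
# Addresses are constructed placeholders: use the receiver's LAN address and the
# destination host it keeps contacting.
CLIENT_IP="192.168.1.50"   # assumed LAN address of the receiver
DEST_IP="203.0.113.10"     # placeholder destination (RFC 5737 documentation range)
DEST_PORT="443"

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_ipv4() (            # subshell body keeps the IFS change local
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) exit 1 ;; esac
    [ "$octet" -le 255 ] || exit 1
  done
)

# Match/target part shared by insert and delete. Client-to-Internet traffic is routed
# through the router, so it belongs in FORWARD, not INPUT; -d is the destination host,
# --dport (two dashes) the destination port, and REJECT --reject-with tcp-reset makes
# the client fail at once instead of waiting for a timeout.
rule_spec() {
  printf '%s\n' "-s $1 -d $2 -p tcp --dport $3 -j REJECT --reject-with tcp-reset"
}
# Full command as it would appear in the Firewall script: inserted at position 1 so it
# is evaluated before Tomato's own accept rules at the end of the chain.
build_block_rule() {
  printf 'iptables -I FORWARD 1 %s\n' "$(rule_spec "$1" "$2" "$3")"
}
# Tomato re-runs the Firewall script on every firewall restart; deleting any earlier
# copy first keeps the chain free of duplicates.
apply_block_rule() {
  spec=$(rule_spec "$1" "$2" "$3")
  iptables -D FORWARD $spec 2>/dev/null
  iptables -I FORWARD 1 $spec
}

valid_port "$DEST_PORT" || { echo "invalid port: $DEST_PORT" >&2; exit 1; }
for ip in "$CLIENT_IP" "$DEST_IP"; do
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; exit 1; }
done
if [ "${1:-}" = apply ]; then
  apply_block_rule "$CLIENT_IP" "$DEST_IP" "$DEST_PORT"
else
  build_block_rule "$CLIENT_IP" "$DEST_IP" "$DEST_PORT"   # review before applying
fi
```

Run the file as `sh block.sh` to see the generated command and `sh block.sh apply` on the router to install it; in Tomato's Firewall script box, paste the functions and call apply_block_rule directly.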
  12. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Any additional information sure would be appreciated.
