Discussion in 'Tomato Firmware' started by dsm1212, Oct 3, 2007.

  1. dsm1212

    dsm1212 LI Guru Member

    Just switched to Tomato. The access restrictions only seem to be subtractive. How can I set a system to only allow a few things (80, 443)? I want this system to only get access to a few things like HTTP and AIM. The access restriction mechanism in tomato seems to not make this very easy. Can I do multiple port ranges on a single restriction like "0-79 81-442 444-65535"?

  2. pharma

    pharma Network Guru Member

  3. dsm1212

    dsm1212 LI Guru Member

    That just shows how to lock systems out completely. I guess I can put in a set of blocking rules for the port ranges that exclude the couple of ports I want to let them use. Can I enter multiple port ranges in one entry?


  4. nassarp

    nassarp LI Guru Member

The tomato firmware QoS setting is best suited for this. Click QoS and enable it.
    Then give highest preference to ports 80 and 443 and put all other ports in the
    class "E" category. It works fine.

  5. u3gyxap

    u3gyxap Network Guru Member

    For a complete solution:
    1. Disable uPNP
    2. Use this as a firewall script in Administration --> Scripts:

# Delete rules 7 and 1 of the existing FORWARD chain by position
    # (the numbers refer to Tomato's default chain when the script runs)
    iptables -D FORWARD 7
    iptables -D FORWARD 1
    # Allow only web (80, 443) and DNS (53 over tcp and udp) to be forwarded
    iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
    iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
    iptables -A FORWARD -p tcp --destination-port 53 -j ACCEPT
    iptables -A FORWARD -p udp --destination-port 53 -j ACCEPT
    # Everything else that reaches the end of the chain is dropped
    iptables -A FORWARD -j DROP

53 you need for DNS.
    Now you only have web browsing and nothing else. Literally.
    Tell us what happens if you decide to use it.

  6. dsm1212

    dsm1212 LI Guru Member

Cool. Thanks for the suggestions. I'll play around with it this weekend and let you know how I make out.


  7. dsm1212

    dsm1212 LI Guru Member

Well, the iptables settings seemed to work with a few tweaks, but it was so heavy-handed that some other things on the system were impacted. Like the virus-scanner getting updates. So I just went back to the tomato ui and blocked 1024-65535 on school nights from the kids' computers. That seems to work fine and not interfere with normal operations. Thanks for the help!

  8. u3gyxap

    u3gyxap Network Guru Member

    Some antivirus software uses ftp. For that you need to add ports 20 and 21 with iptables.
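
A variant of the allow-list from posts 5 and 8, added here as an example and not code from the thread: it keeps the rules in their own chain (so nothing depends on the position numbers of the stock FORWARD rules), lets replies back in, logs a sample of what it drops so a broken update can be traced to a port, and applies only to chosen hosts. The LAN addresses in KID_HOSTS are constructed placeholders, and setting IPT=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not from the thread: an allow-list for forwarded traffic
# kept in its own chain, so it does not depend on the position numbers of
# the stock Tomato rules the way "iptables -D FORWARD 7" does.
# Assumptions (placeholders to edit): the LAN addresses in KID_HOSTS are
# constructed; IPT can be overridden with IPT=echo for a dry run.
IPT="${IPT:-iptables}"
CHAIN="kids_allow"
KID_HOSTS="${KID_HOSTS:-192.168.1.50 192.168.1.51}"
TCP_PORTS="${TCP_PORTS:-53 80 443 20 21}"   # DNS, web, FTP control/data
UDP_PORTS="${UDP_PORTS:-53}"                # DNS

build_whitelist() {
    # Remove any earlier copy of the chain (errors are expected on first run).
    "$IPT" -D FORWARD -j "$CHAIN" 2>/dev/null
    "$IPT" -F "$CHAIN" 2>/dev/null
    "$IPT" -X "$CHAIN" 2>/dev/null
    "$IPT" -N "$CHAIN"
    # Replies to connections the listed hosts opened must still get back in.
    "$IPT" -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $TCP_PORTS; do
        "$IPT" -A "$CHAIN" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $UDP_PORTS; do
        "$IPT" -A "$CHAIN" -p udp --dport "$p" -j ACCEPT
    done
    # Log a rate-limited sample of drops, so a broken update (the antivirus
    # case above) can be traced to a port instead of guessed at.
    "$IPT" -A "$CHAIN" -m limit --limit 6/min -j LOG --log-prefix "kids_drop: "
    "$IPT" -A "$CHAIN" -j DROP
    # Only the listed hosts go through the chain; everyone else keeps the
    # normal Tomato FORWARD rules.
    for h in $KID_HOSTS; do
        "$IPT" -I FORWARD 1 -s "$h" -j "$CHAIN"
    done
}
# Print the rules instead of installing them (review before --apply).
dry_run() {
    ( IPT=echo; build_whitelist )
}
# Number of rules that would be appended to the allow-list chain.
count_rules() {
    dry_run | grep -c '^-A '
}
if [ "${1:-}" = "--apply" ]; then build_whitelist; fi
```

Run it without arguments (or call dry_run) to review the rule list, then with --apply from the Tomato firewall script slot; the LOG lines land in the router's syslog with the kids_drop: prefix.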
  9. scuba_steve

    scuba_steve LI Guru Member

Just curious...what types of applications are you trying to block? Video games? In our house, it's myspace and facebook that challenge us. In fact, that's why I ended up installing Tomato - for the improved access restrictions. :thumbup:

  10. Mastec

    Mastec Network Guru Member

OH YEA... Can't beat the power of Access Restrictions in Tomato. My kids hate Tomato :thumbup: :biggrin:

  11. dsm1212

    dsm1212 LI Guru Member

    In my case, it's online games like counterstrike and guild wars. My kids all listen pretty well, but this prevents me having to remind them :).

  12. kcallis

    kcallis Network Guru Member

Actually, I am trying to do the opposite... On school nights, S-Th, I want to block access to 80,443 and allow my P2P to continue. I have blocked src and dst 80,443 between the hours of 10P-7A, and yet if I log into the box, I can still use lynx to go to whatever website.

    *** Resolved

    I had not realized that when I was testing my school night access restriction, that it was Saturday night, as opposed to it being Sunday night. Just tested the policy, and it is working nicely!
