are these firewall scripts ok?

Discussion in 'Tomato Firmware' started by michse, Jul 6, 2008.

  1. michse

    michse Addicted to LI Member

    I am playing around with a script that stops the traffic between vlan2 (I put some ports in it) and the rest. So wlan users are on br0 and can reach the internet. wlan/br0 should not reach vlan2, but for administrative things vlan2 has to reach some clients (other tomato routers). So my script is:

    #accept data from vlan2 destined to the router itself
    iptables -A INPUT -i vlan2 -j ACCEPT
    #accept new connections from vlan2 to the wan port (modem), not the internet
    iptables -A FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
    #accept new conn. from vlan2 to the internet
    iptables -A FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
    #accept all traffic from vlan2 to br0 for management
    iptables -A FORWARD -i vlan2 -o br0 -j ACCEPT
    #accept answering packets from conn. the rules above allowed
    iptables -A FORWARD -i br0 -o vlan2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    #all other packets from br0 to vlan2 are dropped
    iptables -A FORWARD -i br0 -o vlan2 -j DROP
    #allow reaching the modem at the wan port (don't know yet what this does, just copied)
    #<modem-ip> is a placeholder: -d needs an address, the posted line had none
    iptables -A POSTROUTING -t nat -o vlan1 -d <modem-ip> -j MASQUERADE

    Are there some wrong things in it, or does somebody have better ideas?

    thank you

  2. mstombs

    mstombs Network Guru Member

    Well, you are the best person to test!

    Do check what the full ruleset looks like with "iptables -L -vn" and "iptables -L -vn -t nat". I note you are Adding all the new rules which means that existing standard rules take precedence. Also not sure if you need to add rules to PREROUTING (INPUT is only for connections to the router).
  3. michse

    michse Addicted to LI Member

    Thanks mstombs for answering. I read your post several times and thought about it. "A" means the original rules still work, and when they hit, my rules are not used. If I use "I", only my rules work, ok? But which original rules are turned off?

    Postrouting is only to reach the modem. I read this somewhere in a forum (dd-wrt?).
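An added example, not from the thread: a small sh/awk check that walks a saved `iptables -L FORWARD -vn` listing and reports which rule a given packet would hit first, so the effect of appending (-A) versus inserting (-I) can be verified instead of guessed. The two listings are constructed for illustration, the firmware rules in them are assumed, not an exact Tomato dump.

```shell
#!/bin/sh
# CONSTRUCTED "iptables -L FORWARD -vn" dumps. APPENDED mirrors what -A gives:
# the poster's rules sit below an assumed firmware rule "ACCEPT br0 -> *".
# INSERTED has the same rules placed above the firmware's rules instead.
HDR='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'
FW='    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0'
MINE='    0     0 ACCEPT     all  --  vlan2  br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    vlan2   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  br0    vlan2   0.0.0.0/0            0.0.0.0/0'
APPENDED="$HDR
$FW
$MINE"
INSERTED="$HDR
$MINE
$FW"

# verdict DUMP IN OUT STATE: target of the first rule that a packet arriving
# on IN, leaving on OUT, with conntrack STATE (NEW, ESTABLISHED, ...) hits.
# Only interface and "state" matches are simulated; "*" matches anything.
verdict() {
  printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" -v st="$4" '
    NR <= 2 { next }                       # chain header + column header
    $6 != "*" && $6 != in_if { next }      # -i mismatch
    $7 != "*" && $7 != out_if { next }     # -o mismatch
    match($0, /state [A-Z,]+/) {           # rule carries a state match
      states = "," substr($0, RSTART + 6, RLENGTH - 6) ","
      if (index(states, "," st ",") == 0) next
    }
    { print $3; exit }'
}

# isolated DUMP: succeed only if new br0 -> vlan2 connections are dropped
# while vlan2 -> br0 and established replies back to br0 still pass.
isolated() {
  [ "$(verdict "$1" br0 vlan2 NEW)" = DROP ] &&
  [ "$(verdict "$1" vlan2 br0 NEW)" = ACCEPT ] &&
  [ "$(verdict "$1" br0 vlan2 ESTABLISHED)" = ACCEPT ]
}

isolated "$APPENDED" && echo "appended: isolated" || echo "appended: br0 still reaches vlan2"
isolated "$INSERTED" && echo "inserted: isolated" || echo "inserted: leak"
```

Since -I with no index puts each new rule at position 1, inserting the rules in script order would reverse them; give explicit positions or insert them last-first to get the INSERTED layout. Run the check against your real `iptables -L FORWARD -vn` output to confirm before trusting the isolation.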
