Help firewalling WAN2 traffic in FreshTomato with iptables

Discussion in 'Tomato Firmware' started by ElementOmicron, Apr 13, 2019.

  1. ElementOmicron

    ElementOmicron Connected Client Member

    I need help setting up iptables to limit traffic for a single IP to go through WAN2 on my LAN. This started here but now that I got it working - I have no idea how to do iptables.

    So first my configuration:

    LAN: br0 (LAN) - 192.168.1.1/24

    WAN - Comcast IP
    Load balanced weight: 256

    WAN2: 10.1.1.110 (it's getting a DHCP IP from my work through a VPN device which uses WAN to connect)
    Load balanced weight: 1

    And it gets via DHCP: Gateway: 10.1.1.1

    Static Route: Destination: 10.0.0.0
    Gateway: 10.1.1.1
    Subnet: 255.0.0.0
    Metric: 1
    Interface: WAN2

    Now what this allows is for all traffic to go through my WAN unless it's meant for 10.0.0.0 in which case it goes through WAN2. What I would like is an iptables rule to allow ONLY 192.168.1.30 (my laptop) to be able to utilize WAN2.

    Also since it's load balancing WAN2 and WAN with weights (although WAN2 relies on WAN to connect the VPN), is it possible for it to use WAN2 in the event that WAN can't be reached (not desired, just asking if that's possible to occur)? Is there an iptables rule or something to block that as well? I don't think it's a huge issue since the VPN device requires WAN to connect but still.
     
  2. Sean B.

    Sean B. Network Guru Member

    Code:
    iptables -t filter -I FORWARD 1 -o XXX ! -s 192.168.1.30 -j DROP
    Where XXX is the wan2 interface. I don't use multiwan, so I'm not sure what convention it uses for names, but for instance the non-multiwan interface to use for that rule would be vlan2. The rule will drop any packets attempting to exit the wan2 interface that do not come from the 192.168.1.30 IP address.
     
  3. ElementOmicron

    ElementOmicron Connected Client Member

    Thanks a bunch! I tried the following

    WORK_WAN="WAN2"

    iptables -t filter -I FORWARD 1 -o "$WORK_WAN" ! -s 192.168.1.30 -j DROP

    and it did not work so I looked at my VLAN page:


    and tried

    WORK_WAN="VLAN6"

    iptables -t filter -I FORWARD 1 -o "$WORK_WAN" ! -s 192.168.1.30 -j DROP

    and it worked as expected. Thanks again!
     
  4. ElementOmicron

    ElementOmicron Connected Client Member

    Is there a way I can set a rule so that 192.168.1.30 can go nowhere besides 10.0.0.0 using WAN2? I think that would stop the problem of the WAN load balancing.
     
  5. ElementOmicron

    ElementOmicron Connected Client Member

    Also how would the rule look if I wanted to do multiple IPs? I assume I would put in the rules for IPs individually and then just do an "anything else, drop"? But not sure how that would look. Would this be right?

    iptables -t filter -I FORWARD 1 -o "$WORK_WAN" -s 192.168.1.30 -j ACCEPT
    iptables -t filter -I FORWARD 1 -o "$WORK_WAN" -s 192.168.1.31 -j ACCEPT
    iptables -t filter -I FORWARD 1 -o "$WORK_WAN" -j DROP #Do this one last
     
  6. Sean B.

    Sean B. Network Guru Member

    Code:
    iptables -t filter -I FORWARD 1 -o vlan6 -s 192.168.1.30 -d 10.1.1.0/24 -j ACCEPT
    iptables -t filter -I FORWARD 2 -o vlan6 -j DROP
    If the IPs you wish to allow are contiguous, then you can do like so:
    Code:
    iptables -t filter -I FORWARD 1 -o vlan6 -m iprange --src-range 192.168.1.30-192.168.1.31 -j ACCEPT
    iptables -t filter -I FORWARD 2 -o vlan6 -j DROP
    If they aren't, then the format you stated is the way to go.

    Putting both together:
    Code:
    iptables -t filter -I FORWARD 1 -o vlan6 -m iprange --src-range 192.168.1.30-192.168.1.31 -d 10.1.1.0/24 -j ACCEPT
    iptables -t filter -I FORWARD 2 -o vlan6 -j DROP
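    As an added example (not Sean B.'s code or anything shipped with FreshTomato), the rule set from this reply packaged as a re-runnable Firewall script: it only inserts a rule when an identical one is not already present, so pasting it into the Firewall script box and re-running it does not stack duplicates, and it logs (rate-limited) whatever the catch-all DROP discards so WAN2 leaks show up in the router log. It assumes WAN2 is vlan6, the allowed hosts are 192.168.1.30 and .31, the destination is the 10.0.0.0/8 network from the first post's static route (narrow it to 10.1.1.0/24 as in the reply above if that is all you need), and that the router's iptables supports -C.

```shell
#!/bin/sh
# Added example, not code from the thread. An idempotent FreshTomato
# "Firewall" script that restricts forwarding out of WAN2 to a list of
# LAN hosts and to the 10.0.0.0/8 network reached over the VPN.
# Assumptions: WAN2 is vlan6, allowed hosts are 192.168.1.30-31, and the
# router's iptables supports -C (rule check).
WAN2_IF="${WAN2_IF:-vlan6}"
ALLOWED_DST="${ALLOWED_DST:-10.0.0.0/8}"        # the static-route network
ALLOWED_SRC="${ALLOWED_SRC:-192.168.1.30 192.168.1.31}"
IPT="${IPT:-iptables}"

# Without iptables on the PATH (e.g. previewing on a workstation) the
# commands are only printed; on the router they are executed.
command -v "$IPT" >/dev/null 2>&1 || DRY_RUN=1

# Insert a FORWARD rule at position $pos unless an identical rule already
# exists, so re-running the script never adds duplicate rules.
ensure_rule() {
    pos="$1"; shift
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT -I FORWARD $pos $*"
        return 0
    fi
    "$IPT" -C FORWARD "$@" 2>/dev/null || "$IPT" -I FORWARD "$pos" "$@"
}

# Order matters: per-host ACCEPTs first, then a rate-limited LOG so that
# blocked WAN2 traffic is visible in the router log, then the catch-all DROP.
apply_wan2_policy() {
    pos=1
    for src in $ALLOWED_SRC; do
        ensure_rule "$pos" -o "$WAN2_IF" -s "$src" -d "$ALLOWED_DST" -j ACCEPT
        pos=$((pos + 1))
    done
    ensure_rule "$pos" -o "$WAN2_IF" -m limit --limit 5/min -j LOG --log-prefix "WAN2-DENY "
    pos=$((pos + 1))
    ensure_rule "$pos" -o "$WAN2_IF" -j DROP
}

apply_wan2_policy || echo "wan2 policy: some rules were not applied" >&2
```

    Check the result on the router with `iptables -L FORWARD -n -v --line-numbers`; the ACCEPT rules must sit above the DROP.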
     
  7. ElementOmicron

    ElementOmicron Connected Client Member

    Awesome! This is working well and now I don't have to worry about the WAN failover. Last question (sorry - keep thinking things up) - do you know if the WAN firewall would block connections FROM 10.0.0.0 --> my router? Or should I set up an iptables rule to block new connections from there? If so how would I do that?

    Thanks for everything! I owe ya a beer :)
     
  8. Sean B.

    Sean B. Network Guru Member

    Being over a VPN, it will depend on the VPN configuration. While firewall rules by default block non related or established incoming connections from the WAN, a VPN is an already established connection and incoming connections from the other side are coming in through the tunnel. You'd have to test by attempting a connection from your work side, but I believe they should be blocked.
     
    Last edited: Apr 18, 2019 at 3:05 AM
  9. ElementOmicron

    ElementOmicron Connected Client Member

    Ok but in my case the VPN is already established and then it's just handing an IP to WAN2; the router doesn't know it's a VPN connection. So I *think* I should be fine (?). In any case I don't even know how to test connections due to the way it would NAT so - maybe I'll just leave it at that.

    Thanks again for all your help!
     
  10. Sean B.

    Sean B. Network Guru Member

    Then yes, if an external VPN connection is handing the WAN an IP (DHCP or static) in the same fashion a modem would rather than the router being the VPN client, incoming traffic will be blocked unless it's related to a previous outgoing or established connection.

    You're welcome.
     