Iptables troubles

Discussion in 'Tomato Firmware' started by hunst, Mar 30, 2014.

  1. hunst

    hunst Networkin' Nut Member

    Hello everybody !

    I have some issues with using iptables.

    I currently have two separated vlans on my router. They're working as intended. I want to be able to let only one PC of a vlan to communicate with the other subnetwork.

    I added this command to the firewall script but it doesn't seem to work.
    iptables -I FORWARD -s -o vlan1 -j ACCEPT;

    Here are my vlan configs :


    Here is my full firewall script :

    iptables -I INPUT -i vlan3 -j ACCEPT;
    iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT;
    iptables -I FORWARD -s -o vlan1 -j ACCEPT;
    iptables -I FORWARD -i vlan3 -o br0 -j DROP;

    Any ideas ?
  2. eibgrad

    eibgrad Network Guru Member

    Remember, unless numbered, the first inserted are the last evaluated. And given the FORWARD rules contain a DROP, that means the DROP between vlan3 and br0 will always be evaluated before any exceptions. It’s also unsafe to not include the network interface on your exceptions, otherwise someone could statically assign themselves an IP address that matches the other network. You probably want something more like this instead:

    iptables -I INPUT -i vlan3 -j ACCEPT
    iptables -I FORWARD 1 -i vlan3 -o vlan2 -m state --state NEW -j ACCEPT
    iptables -I FORWARD 2 -i vlan3 -s -o vlan1 -j ACCEPT
    iptables -I FORWARD 3 -i vlan3 -o br0 -j DROP
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice