need help writing script for firewall in tomato

Discussion in 'Tomato Firmware' started by Zereth, Jan 26, 2012.

  1. Zereth

    Zereth Networkin' Nut Member

    i have tryed following many iptable tutorials for creating my own scripts but i am completely confused by them all. what i need to acheive is blocking all udp connections within an iprange from outside my network from connecting to a specific port inside my network. i need a simple script, preferably one i can copy and paste repeatedly that will automatically run in sequence. i want to be able to block additional ipranges in the future with a simple copy and paste only having to change the iprange variables

    i had been trying something like this but it does not work correctly as the ipranges i have specified still connect to the port i have specified. any help is greatly appreciated.

    iptables -t nat -I PREROUTING -p udp -m iprange --src-range - --dport 4598 -j DROP
  2. shibby20

    shibby20 Network Guru Member

    iptables -I FORWARD 1 -p udp -s --dport 4598 -j DROP
  3. Zereth

    Zereth Networkin' Nut Member

    thanks for the help shibby. your code works great and i appreciate it greatly. im curious if you could explain breifly about how the code you supplied functions? are the packets dropped before or after routing? going out of my network or coming into it, or both? ideally i would like the packets to be dropped before entering my router at all which may actually be what the code you have supplied is doing. excuse my questions if they seem redundant as i am completely new to linux yet would like to have a basic understanding of what is actually occurring. thanks again as you've already been a huge help
  4. shibby20

    shibby20 Network Guru Member

    first is prerouting (pre = before routing). Then router decided is this package for himself (input/output) or from/for LAN (forward). Last is postrouting (post = after routing)
    Input, output and forward, those are our firewall chains. Because we want block packages to LAN we need add rule fo forward chain. We define -s (source) and dport (destination port) well this rule is blocking packages from host do our destination port 4598. If we want block packages from port 4598to hosts 82.... we have to use:
    iptables -I FORWARD 1 -p udp -d --sport 4598 -j DROP

    -d = destination
    --sport - source port.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice