restricting WAN IP range with one exception

ReliableRick
DD-WRT Novice


Joined: 26 Mar 2012
Posts: 3

PostPosted: Mon Mar 26, 2012 18:46    Post subject: restricting WAN IP range with one exception
Hi all.

Noob here.

This is most likely very simple, but I have very little knowledge of scripting syntax for iptables and I was hoping one of the gurus could shortcut me.

I am using a WAP to provide staff and guest access to wireless internet resources. Setup is as follows.

Main network is 10.252.121.x
- default gateway is .253 on above network.
- above network is static IP
- I have no access to above to make any changes
- The WAP is using 10.252.121.21/24 as static WAN IP

Staff network has been set at 10.0.0.x
- The LAN IP of the WAP is 10.0.0.1/24 with DHCP enabled and everything works as required.

Guest network has been set to 10.0.1.x
- this has been set up on a VAP ath0.1
- it has been bridged (br1) according to one of the tutorials.
- DHCP is enabled and is working
- I have iptables rules that prevent the guest network from seeing the LAN (10.0.0.x).

Here is my issue. I want to restrict the guest network from accessing 10.252.121.x but as it is where the default gateway resides I'm not sure how to go about it.

I am thinking I need to deny all traffic except port 80 for that ip range on br1. I would appreciate any help on how to express this correctly in the firewall.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Sat Mar 31, 2012 22:34    Post subject:
From my guide:

Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAPs)

iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
ReliableRick
DD-WRT Novice


Joined: 26 Mar 2012
Posts: 3

PostPosted: Mon Apr 02, 2012 12:33    Post subject:
Thanks phuzi0n.

I am out of town for a week but I will try it when I return.

Cheers.

ReliableRick
DD-WRT Novice


Joined: 26 Mar 2012
Posts: 3

PostPosted: Mon Apr 09, 2012 13:49    Post subject: test of Phuzi0n's solution
Here is my current ACL:

# guest (br1) and staff (br0) bridges may not open connections to each other
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
# backticks, not single quotes: in single quotes 'nvram get wan_ipaddr' is passed to
# iptables as literal text instead of the address, and the rule is rejected rather than installed
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
# guests get no access to the router's own management services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

I have added your line but I can still access a server on the WAN network IP range.

Are these in the correct order? I have heard this can affect the function. Also, the guest network only needs access to the internet. Can I restrict all traffic to port 80 only?

I appreciate your time spent on this phuzi0n.

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Mon Apr 16, 2012 0:14    Post subject:
That should work as long as the server is in the same subnet as the router's WAN interface. If it's in another subnet then you can add a similar rule with the subnet specified.

Something like this will drop any non-tcp-port-80 traffic being routed from br1:

# negation is written `! -p tcp` / `! --dport 80`; the older `-p ! tcp` spelling is rejected by current iptables
iptables -I FORWARD -i br1 ! -p tcp -j DROP
iptables -I FORWARD -i br1 -p tcp ! --dport 80 -j DROP

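Putting the poster's setup and phuzi0n's two answers together, here is an added example (not code from the thread or from DD-WRT) of a firewall script for the guest bridge. It assumes the interface names from the thread (br0 staff, br1 guest) and uses the constructed values 10.252.121.21 / 255.255.255.0 in place of `nvram get wan_ipaddr` and `nvram get wan_netmask`; the variable IPT and the helper functions are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: builds the rule set
# for the guest bridge br1 discussed above as iptables commands. IPT defaults
# to "echo iptables" so the output can be reviewed on any host; on the router
# run it with IPT=iptables. The WAN values at the bottom are constructed.
IPT="${IPT:-echo iptables}"

# Accept only a dotted IPv4 value. Empty nvram output, or literal text such as
# 'nvram get wan_ipaddr' (single quotes where backticks were meant, so the
# command never runs and iptables rejects the rule), is refused here.
dotted_quad() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    set -- $(IFS=.; echo $1)
    [ $# -eq 4 ] && [ "$1" -le 255 ] && [ "$2" -le 255 ] &&
        [ "$3" -le 255 ] && [ "$4" -le 255 ]
}

# Derive the WAN network from address and mask, the values `nvram get
# wan_ipaddr` / `nvram get wan_netmask` return: 10.252.121.21 + 255.255.255.0
# gives 10.252.121.0/24, which is what the -d match in the thread expands to.
wan_subnet() {
    set -- $(IFS=.; echo $1 $2)       # $1-$4 address octets, $5-$8 mask octets
    net="$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
    bits=0
    for m in "$5" "$6" "$7" "$8"; do  # prefix length = number of set mask bits
        while [ "$m" -gt 0 ]; do bits=$(( bits + (m & 1) )); m=$(( m >> 1 )); done
    done
    echo "$net/$bits"
}

# Emit the rules. -I puts each rule at the top of the chain, so they are issued
# in reverse of the order they are evaluated: WAN-subnet drop first, then the
# guest<->staff drops, then the tcp/80-only restriction on everything else.
guest_rules() {
    dotted_quad "$1" && dotted_quad "$2" || { echo "bad WAN ip/mask: '$1' '$2'" >&2; return 1; }
    subnet="$(wan_subnet "$1" "$2")"
    $IPT -I FORWARD -i br1 -p tcp ! --dport 80 -j DROP
    $IPT -I FORWARD -i br1 ! -p tcp -j DROP
    $IPT -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    $IPT -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    $IPT -I FORWARD -i br1 -d "$subnet" -m state --state NEW -j DROP
    # The router's own management ports are closed to guests as well (INPUT).
    for port in 22 23 80 443; do
        $IPT -I INPUT -i br1 -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
    done
}

guest_rules 10.252.121.21 255.255.255.0
```

Note that the tcp/80-only pair also drops guest DNS and HTTPS to the internet: guests must use the router's own resolver (answered in INPUT, not FORWARD), and port 443 has to be added to the allowed ports if HTTPS sites should work.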