Posted: Mon Mar 26, 2012 18:46 Post subject: restricting WAN IP range with one exception
Hi all.
Noob here.
This is most likely very simple, but I have very little knowledge of scripting syntax for iptables and I was hoping one of the gurus could shortcut me.
I am using a WAP to provide staff and guest access to wireless internet resources. Setup is as follows.
Main network is 10.252.121.x
- default gateway is .253 on above network.
- above network is static IP
- I have no access to above to make any changes
- The WAP is using 10.252.121.21/24 as static WAN IP
Staff network has been set at 10.0.0.x
- The LAN IP of the WAP is 10.0.0.1/24 with DHCP enabled and everything works as required.
Guest network has been set to 10.0.1.x
- this has been set up on a VAP ath0.1
- it has been bridged (br1) according to one of the tutorials.
- DHCP is enabled and is working
- I have iptables that prevent the guest network from seeing the LAN (10.0.0.x).
Here is my issue. I want to restrict the guest network from accessing 10.252.121.x but as it is where the default gateway resides I'm not sure how to go about it.
I am thinking I need to deny all traffic except port 80 for that ip range on br1. I would appreciate any help on how to express this correctly in the firewall.
Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAPs)
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Posted: Mon Apr 09, 2012 13:49 Post subject: test of Phuzi0n's solution
Here is my current ACL
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP   # backticks (command substitution), not single quotes
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
I have added your line, but I can still access a server in the WAN network IP range.
Are these in the correct order? I have heard this can affect the function. Also, the guest network only needs access to the internet. Can I restrict all traffic to port 80 only?
I appreciate your time spent on this phuzi0n.
phuzi0n wrote:
From my guide:
Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAPs)
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
That should work as long as the server is in the same subnet as the router's wan interface. If it's in another subnet then you can add a similar rule with the subnet specified.
Something like this will drop any non-tcp-port-80 traffic being routed from br1:
iptables -I FORWARD -i br1 ! -p tcp -j DROP            # anything from br1 that is not TCP
iptables -I FORWARD -i br1 -p tcp ! --dport 80 -j DROP  # TCP from br1 to any port but 80
# '!' goes before the option it negates; older iptables builds also accept '-p ! tcp' / '--dport ! 80'
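The rules from this thread assembled into one startup script, as an added example (not phuzi0n's or the original poster's code). It assumes the guest VAP bridge is br1, the staff LAN is br0, and the WAN subnet comes from the nvram variables wan_ipaddr and wan_netmask; the fallback values are constructed to match the thread. It goes slightly beyond the posts: the port-80-only rule also allows 443, since HTTPS is needed for anything useful, and the WAN subnet is normalised to network/prefix so you can compare it against what `iptables -L FORWARD -n` shows. Off the router, IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: guest bridge br1,
# staff bridge br0, WAN subnet from nvram wan_ipaddr/wan_netmask.
IPT=${IPT:-"echo iptables"}   # on the router run: IPT=iptables sh guest-fw.sh

# Turn a dotted IP and dotted netmask into network/prefix, e.g.
# wan_subnet 10.252.121.21 255.255.255.0 -> 10.252.121.0/24
wan_subnet() {
    oldifs=$IFS
    IFS=.
    set -- $1 $2              # $1..$4 = IP octets, $5..$8 = mask octets
    IFS=$oldifs
    prefix=0
    for m in $5 $6 $7 $8; do  # prefix length = number of set bits in the mask
        n=$m
        while [ "$n" -gt 0 ]; do
            prefix=$((prefix + (n & 1)))
            n=$((n >> 1))
        done
    done
    printf '%d.%d.%d.%d/%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8)) "$prefix"
}

# Install the guest rules. iptables -I puts each rule at the TOP of the chain,
# so the last rule added here is evaluated first: script order is the
# reverse of evaluation order.
guest_rules() {
    guest=$1 lan=$2 wan_net=$3
    # Guest <-> staff LAN isolation in both directions, new flows only.
    $IPT -I FORWARD -i "$guest" -o "$lan" -m state --state NEW -j DROP
    $IPT -I FORWARD -i "$lan" -o "$guest" -m state --state NEW -j DROP
    # Block hosts on the WAN subnet itself. Internet still works: guest
    # packets are forwarded via the default gateway without the guest ever
    # having to address a host inside that subnet.
    $IPT -I FORWARD -i "$guest" -d "$wan_net" -m state --state NEW -j DROP
    # Web only from the guest bridge (80 as asked, plus 443 for HTTPS).
    # Replies arrive on the WAN interface, not -i br1, so they are unaffected.
    $IPT -I FORWARD -i "$guest" ! -p tcp -j DROP
    $IPT -I FORWARD -i "$guest" -p tcp -m multiport ! --dports 80,443 -j DROP
    # The drops above are FORWARD only. Name resolution keeps working as long
    # as DHCP on br1 hands out the router itself as resolver (dnsmasq answers
    # via INPUT); an external resolver would be UDP 53 through FORWARD and
    # be dropped. Keep the router's own admin services closed to guests.
    for port in 22 23 80 443; do
        $IPT -I INPUT -i "$guest" -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
    done
}

# Constructed fallbacks matching the thread, used when nvram is not present.
wan_ip=$(nvram get wan_ipaddr 2>/dev/null) || wan_ip=10.252.121.21
wan_mask=$(nvram get wan_netmask 2>/dev/null) || wan_mask=255.255.255.0
guest_rules br1 br0 "$(wan_subnet "$wan_ip" "$wan_mask")"
```

Run it once as a dry run and compare the printed rules with `iptables -L FORWARD -n --line-numbers`; the port rules must sit above the subnet rule, which must sit above the br0/br1 isolation rules, and all of them above whatever the firmware appends later.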