baudm DD-WRT Novice Joined: 04 Nov 2008 Posts: 5
Posted: Tue Nov 04, 2008 16:54 Post subject: Access Restrictions: Blocked Services
This is mostly a reply to soulstace's reply in this thread (since this is off-topic already).
soulstace wrote: Ports above 1023 are still used for incoming connections, even if you are just browsing the net over HTTP. That's why you never see SYN/ACK back (except for things like DNS which use low numbered ports)
Were you referring to the source ports used by the clients? If so, then does this mean that the ports in the Blocked Services pertain to the clients' source (outgoing) ports and not to the destination port?
My settings worked well for the original Linksys firmware and I thought it would be just the same for DD-WRT, but apparently, it's not. That is, block all outbound connections to ports 1024 and higher. How do I do it via DD-WRT then? The "Catch all P2P Protocols" option doesn't seem to work either.
I hope somebody can help me on this because I can't figure out how to do it in DD-WRT.
(And yes, I've already read the wiki about Access Restrictions and already have experience with it using the Linksys firmware, which has a similar interface)
soulstace DD-WRT Guru Joined: 04 Aug 2007 Posts: 6427
Posted: Tue Nov 04, 2008 18:40 Post subject:
Hi,
You're correct, I was referring to the source ports.
It sounds to me like DD-WRT's Access Restrictions was blocking the source ports as well as the destination ports. If that's the case, you can work around the problem by writing your own iptables rules.
e.g.
iptables -I FORWARD -p tcp -m state --state NEW --dport 1024:65535 -j DROP
What is the output of iptables -L --line-numbers?
baudm DD-WRT Novice Joined: 04 Nov 2008 Posts: 5
Posted: Tue Nov 04, 2008 20:32 Post subject:
Code:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
2 DROP udp -- anywhere anywhere udp dpt:route
3 DROP udp -- anywhere anywhere udp dpt:route
4 ACCEPT udp -- anywhere anywhere udp dpt:route
5 DROP icmp -- anywhere anywhere
6 DROP igmp -- anywhere anywhere
7 ACCEPT 0 -- anywhere anywhere state NEW
8 logaccept 0 -- anywhere anywhere state NEW
9 DROP 0 -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT 0 -- anywhere anywhere
2 logdrop 0 -- anywhere anywhere state INVALID
3 TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
4 lan2wan 0 -- anywhere anywhere
5 ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
6 DROP tcp -- anywhere anywhere tcp dpt:1723
7 DROP udp -- anywhere anywhere udp dpt:1701
8 DROP udp -- anywhere anywhere udp dpt:500
9 ACCEPT tcp -- anywhere 192.168.1.4 tcp dpt:13579
10 ACCEPT tcp -- anywhere 192.168.1.2 tcp dpts:50000:50001
11 ACCEPT udp -- anywhere 192.168.1.2 udp dpts:50000:50001
12 ACCEPT tcp -- anywhere 192.168.1.4 tcp dpts:38101:38125
13 ACCEPT udp -- anywhere 192.168.1.4 udp dpts:6800:6899
14 ACCEPT tcp -- anywhere 192.168.1.4 tcp dpts:bbs:7040
15 TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
16 trigger_out 0 -- anywhere anywhere
17 ACCEPT 0 -- anywhere anywhere state NEW
18 DROP 0 -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain advgrp_1 (10 references)
num target prot opt source destination
1 DROP tcp -- anywhere anywhere tcp dpts:1024:5049
2 DROP udp -- anywhere anywhere udp dpts:1024:5049
3 DROP tcp -- anywhere anywhere tcp dpts:5051:65535
4 DROP udp -- anywhere anywhere udp dpts:5051:65535
5 DROP tcp -- anywhere anywhere ipp2p v0.8.2 --ipp2p
Chain advgrp_10 (0 references)
num target prot opt source destination
Chain advgrp_2 (0 references)
num target prot opt source destination
Chain advgrp_3 (0 references)
num target prot opt source destination
Chain advgrp_4 (0 references)
num target prot opt source destination
Chain advgrp_5 (0 references)
num target prot opt source destination
Chain advgrp_6 (0 references)
num target prot opt source destination
Chain advgrp_7 (0 references)
num target prot opt source destination
Chain advgrp_8 (0 references)
num target prot opt source destination
Chain advgrp_9 (0 references)
num target prot opt source destination
Chain grp_1 (1 references)
num target prot opt source destination
1 advgrp_1 0 -- 192.168.1.3 anywhere
2 advgrp_1 0 -- anywhere 192.168.1.3
3 advgrp_1 0 -- 192.168.1.5 anywhere
4 advgrp_1 0 -- anywhere 192.168.1.5
5 advgrp_1 0 -- 192.168.1.6 anywhere
6 advgrp_1 0 -- anywhere 192.168.1.6
7 advgrp_1 0 -- 192.168.1.50 anywhere
8 advgrp_1 0 -- anywhere 192.168.1.50
9 advgrp_1 0 -- 192.168.1.51 anywhere
10 advgrp_1 0 -- anywhere 192.168.1.51
Chain grp_10 (0 references)
num target prot opt source destination
Chain grp_2 (1 references)
num target prot opt source destination
Chain grp_3 (1 references)
num target prot opt source destination
Chain grp_4 (1 references)
num target prot opt source destination
Chain grp_5 (0 references)
num target prot opt source destination
Chain grp_6 (0 references)
num target prot opt source destination
Chain grp_7 (0 references)
num target prot opt source destination
Chain grp_8 (0 references)
num target prot opt source destination
Chain grp_9 (0 references)
num target prot opt source destination
Chain lan2wan (1 references)
num target prot opt source destination
1 grp_1 0 -- anywhere anywhere
2 grp_2 0 -- anywhere anywhere
3 grp_3 0 -- anywhere anywhere
4 grp_4 0 -- anywhere anywhere
Chain logaccept (1 references)
num target prot opt source destination
1 ACCEPT 0 -- anywhere anywhere
Chain logdrop (1 references)
num target prot opt source destination
1 DROP 0 -- anywhere anywhere
Chain logreject (0 references)
num target prot opt source destination
1 REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
Chain trigger_out (1 references)
num target prot opt source destination
The affected hosts are 192.168.1.3, .5, .6, .50 and .51. I've split the port range into two, 1024-5049 and 5051-65535, since port 5050 is allowed.
soulstace DD-WRT Guru Joined: 04 Aug 2007 Posts: 6427
Posted: Tue Nov 04, 2008 23:08 Post subject:
I think I see the problem.
Try adding a firewall rule:
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
This should allow traffic coming back (to source ports) while still blocking unwanted outgoing stuff (destination ports).
Basically, the rule you see in chain FORWARD as number 5 is coming too late. It should come before the one above it, number 4, lan2wan.
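The ordering problem soulstace describes, as an added example that is not part of the thread: a small Python model of how netfilter walks the poster's FORWARD chain (simplified from the listing above; interface-specific rows are omitted). The packets and the 203.0.113.10 server address are constructed, and the model shows the server's SYN/ACK to a client's ephemeral port being dropped by advgrp_1 until the RELATED,ESTABLISHED accept is inserted ahead of the lan2wan jump.

```python
# Added example, not from the thread: a toy model of netfilter chain traversal
# for the poster's ruleset.  Rules are simplified from the listing; packets are constructed.
CLIENTS = ["192.168.1.3", "192.168.1.5", "192.168.1.6", "192.168.1.50", "192.168.1.51"]

def state(*s):
    return lambda p: p["state"] in s
def dports(proto, lo, hi):
    return lambda p: p["proto"] == proto and lo <= p["dport"] <= hi
def addr(src=None, dst=None):
    return lambda p: (src is None or p["src"] == src) and (dst is None or p["dst"] == dst)
def any_pkt(p):
    return True

# advgrp_1 drops every destination port >= 1024 except 5050; grp_1 sends traffic
# to OR from each restricted host through advgrp_1, so replies are checked too.
CHAINS = {
    "advgrp_1": [(dports("tcp", 1024, 5049), "DROP"), (dports("udp", 1024, 5049), "DROP"),
                 (dports("tcp", 5051, 65535), "DROP"), (dports("udp", 5051, 65535), "DROP")],
    "grp_1": [r for ip in CLIENTS for r in ((addr(src=ip), "advgrp_1"), (addr(dst=ip), "advgrp_1"))],
    "lan2wan": [(any_pkt, "grp_1")],
}

def walk(chain, pkt, policy="ACCEPT"):
    """Evaluate a chain top to bottom; a user chain with no match returns to its caller."""
    for matcher, target in CHAINS[chain]:
        if not matcher(pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        verdict_from_jump = walk(target, pkt, policy=None)   # jump into a user-defined chain
        if verdict_from_jump is not None:
            return verdict_from_jump
    return policy

# FORWARD as listed: the lan2wan jump (rule 4) is evaluated before the state accept (rule 5).
ORIGINAL = [(any_pkt, "lan2wan"), (state("RELATED", "ESTABLISHED"), "ACCEPT"),
            (state("NEW"), "ACCEPT"), (any_pkt, "DROP")]
# After `iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` (inserted at position 1).
FIXED = [(state("RELATED", "ESTABLISHED"), "ACCEPT")] + ORIGINAL

def verdict(forward_rules, pkt):
    CHAINS["FORWARD"] = forward_rules
    return walk("FORWARD", pkt)

# Constructed packets; 203.0.113.10 is a documentation address standing in for a web server.
REPLY = {"src": "203.0.113.10", "dst": "192.168.1.3", "proto": "tcp", "dport": 51234,
         "state": "ESTABLISHED"}   # server's SYN/ACK back to the client's ephemeral source port
P2P = {"src": "192.168.1.3", "dst": "203.0.113.10", "proto": "tcp", "dport": 6881, "state": "NEW"}
WEB = {"src": "192.168.1.3", "dst": "203.0.113.10", "proto": "tcp", "dport": 80, "state": "NEW"}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, {k: verdict(rules, p) for k, p in (("reply", REPLY), ("p2p", P2P), ("web", WEB))})
```

With the original order the reply is dropped (so browsing stalls after the SYN) while the P2P attempt is dropped either way; the fix lets established replies through without weakening the high-port block on new outbound connections.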