Posted: Sun Apr 08, 2012 7:40 Post subject: iptables startup script filtering trouble
Hi!
I have ASUS RT-N16 with dd-wrt.v24-14929_NEWD-2_K2.6_mini_RT-N16.trx
And I'm facing some strange issue with the iptables filter by
Code:
-d domenname.com
parameter placed in the startup script.
Ok, I need to grant one of my LANs (br1) access to only one domain name (dd-wrt.com in the example). Here is my short (working) example firewall startup script:
After a router reboot everything works fine.
But when I try to apply my final working version of the firewall script this line doesn't work
$IPTABLES -A FORWARD -p tcp -i $SAB_IFACE -d dd-wrt.com --dport 80 -j ACCEPT
and the rule doesn't appear in the iptables -vnL list.
Here's the final firewall version:
Code:
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
#$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don't match the above.
#
#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $RTM_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $SAB_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
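A `-d hostname` rule is resolved to IP addresses by iptables at the moment the rule is inserted, so the insert fails (and the rule is simply absent from `iptables -vnL`) if the name cannot be resolved at that moment. The following is an added example, not the poster's script: it resolves the name in the startup script itself, retries while DNS is still unavailable, inserts one FORWARD rule per returned address, and returns a non-zero status instead of silently dropping the rule. It reuses the `$IPTABLES` and `$SAB_IFACE` variables from the post; the `nslookup_ipv4` parser assumes the BusyBox `nslookup` output format, the `RESOLVER` override hook and the addresses 203.0.113.x used in the usage note are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): resolve a hostname before
# handing it to iptables so a failed lookup is reported, not silently lost.
# Assumptions: $IPTABLES and $SAB_IFACE as in the post; BusyBox nslookup.

IPTABLES="${IPTABLES:-iptables}"
SAB_IFACE="${SAB_IFACE:-br1}"

# Return 0 if the argument is a valid dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1      # reject octets above 255
    done
    return 0
}

# Default resolver: print the IPv4 answers from BusyBox nslookup, one per
# line, skipping the "Server:/Address:" header that names the DNS server.
nslookup_ipv4() {
    nslookup "$1" 2>/dev/null | awk '
        /^Name/ { answer = 1 }
        answer && /^Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
        }'
}

# Resolve a name, retrying while DNS is not yet reachable at boot.
# $RESOLVER (hypothetical hook) lets a caller substitute another resolver.
resolve_host() {
    name=$1
    tries=${2:-5}
    while [ "$tries" -gt 0 ]; do
        addrs=$("${RESOLVER:-nslookup_ipv4}" "$name" | while read -r a; do
            is_ipv4 "$a" && printf '%s\n' "$a"   # keep only well-formed addresses
        done)
        if [ -n "$addrs" ]; then
            printf '%s\n' "$addrs"
            return 0
        fi
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep 2
    done
    return 1
}

# Emit one FORWARD rule per resolved address (same rule as in the post).
build_forward_rules() {
    resolve_host "$1" | while read -r ip; do
        printf '%s -A FORWARD -p tcp -i %s -d %s --dport 80 -j ACCEPT\n' \
            "$IPTABLES" "$SAB_IFACE" "$ip"
    done
}

# Insert the rules, or fail loudly so the startup log shows why they are missing.
apply_forward_rules() {
    rules=$(build_forward_rules "$1")
    if [ -z "$rules" ]; then
        echo "firewall: could not resolve $1, FORWARD rule NOT added" >&2
        return 1
    fi
    printf '%s\n' "$rules" | while read -r r; do
        eval "$r"
    done
}

# Uncomment in the real startup script:
# apply_forward_rules dd-wrt.com || exit 1
```

Because the rules are pinned to the addresses current at boot, a later change of the domain's DNS records is not picked up; re-running `apply_forward_rules` from a cron job (after flushing the old entries) keeps them in step. For a constructed check without network, `RESOLVER=myfake build_forward_rules dd-wrt.com`, where `myfake` prints `203.0.113.10` and `203.0.113.11`, yields exactly two ACCEPT rules.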