Posted: Thu Mar 04, 2010 15:43 Post subject: iptables and interfaces?
Hi everyone! :)
I have a Linksys WRT54G2 (v1) running DD-WRT v24-sp2 (07/22/09) micro - build 12548M NEWD Eko. I followed the Adding WAN Port to LAN Switch guide and afterwards assigned ports 1-4 to separate VLANs. Here's how they're configured:
br0 is using the default configuration and has vlan0 and eth1 bound to it. Everything is working fine; each VLAN is able to access the others and the internet perfectly via vlan4 (the routing table forwards requests for 0.0.0.0 to an IP address on vlan4 that is a proxy).
My question is, is it possible to create iptables rules that stop vlan0 (wan port and wireless) from talking to vlan1/vlan2/vlan3/vlan4, but still get internet access from vlan4? I don't know if I'm explaining myself well, but something like this....
Code:
vlan0 (wan port) 192.168.1.0/24 (gets internet from vlan4)
--------------------------------------
vlan1 (port 1) 10.0.1.0/24
vlan2 (port 2) 10.0.2.0/24
vlan3 (port 3) 10.0.3.0/24
vlan4 (port 4) 10.0.4.0/24 (provides internet access)
The -m state --state NEW part will allow the other vlans to still initiate connections to vlan0. If you want it blocked both ways then remove that part.
iptables -I FORWARD -i br0 -o vlan1 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan2 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan3 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -d `nvram get vlan4_ipaddr`/`nvram get vlan4_netmask` -m state --state NEW -j DROP
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
I'd blocked vlan4 completely and then tried to add an exception that would allow connections to the proxy server on vlan4, but obviously it didn't work as planned (couldn't ping anything on vlan4 or google.com). I had no idea you could mix inputs with destinations like in your rules, I guess I just misunderstood the whole concept.
--state NEW also only denies tcp syn packets. Better just to take out the '-p state --state NEW' altogether and drop all traffic, imo.
No idea on the last rule for vlan4. If you know the proxy server address (and it doesn't change much), you can put that in the iptables rule as a destination to allow.
Yep, that makes perfect sense. I wanted to block both ways, so I removed the state part and replaced the "get vlan4" part with the IP address/subnet of the proxy server, seeing as that's on a static IP (vlan4 connects to a semi-DMZ which hosts most of my servers).
I have no idea how it works behind the scenes. I figured I had to block vlan4 completely, but then allow traffic to the proxy server (on vlan4), so it could send/receive requests for internet access.
phuzi0n's method baffles me in that respect: I can't ping or connect to the proxy server from vlan0 or eth1, yet internet access still works. Either way, I'm happy.
You didn't mention the proxy server before. My method assumes that they're supposed to use a gateway on vlan4, so unless the proxy is also the gateway, they could be bypassing it. That rule works because it drops traffic destined to the subnet on vlan4, but traffic destined to the internet through vlan4 does not match the destination criteria for the rule, so it doesn't get dropped. This is how you would allow them to only send traffic to one IP on vlan4.
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i br0 -o vlan3 -j DROP
iptables -I FORWARD -i br0 -d ! [proxy IP] -j DROP
Thanks for the explanation phuzi0n - I understand how it works now and will update my firewall rules. One other thing, if you don't mind: is there a reason why this isn't working? I've been reading over the iptables docs and it should be OK from what I can make out...
I'm trying to only allow a specific IP on vlan0 to access the router via GUI or telnet. I think INPUT is the right one to use, because it's connecting to the router itself, but I'm not sure. I don't know what's wrong with the syntax, because when I execute the command, it doesn't show up in "iptables -L INPUT".
multiport option = plural source/destination ports flag
-m multiport --dports 23,80
Hm, I already tried that but it didn't work either. Could it have anything to do with me being on a micro-build? I know some things are stripped out but I don't know what.
***EDIT: actually, entering any kind of rule with multiple destination ports doesn't work. I'm accessing the router via telnet to add these rules if that makes any difference?
Last edited by mwyu on Fri Mar 05, 2010 16:53; edited 1 time in total
iptables -I INPUT -i ! vlan0 -s ! 192.168.1.168/24 -p tcp -m multiport --dports 23,80 -j DROP
It's really weird, but it seems entering any kind of rule with multiple destination ports doesn't work. I tried this really simple rule too, but that didn't commit either.
I'm not seeing any error messages or any feedback when entering rules, is that normal?
Yes. You'll just have to enter the ports individually in separate commands then. That exact command worked fine on a larger build, but micro probably doesn't have multiport in it.
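The two rule sets from this thread (phuzi0n's FORWARD isolation with a single permitted host on vlan4, and the per-port INPUT restriction that the multiport-less micro build forces) pulled together into one DD-WRT firewall script. This is an added example, not code from phuzi0n, mwyu or the DD-WRT project. Assumptions: PROXY_IP 10.0.4.10 and VLAN4_NET 10.0.4.0/24 are placeholders, ADMIN_IP is the host address from mwyu's rule, the chain names are mine, and the ingress interface is br0 rather than vlan0 because vlan0 is a bridge member and netfilter reports the bridge as the input interface.

```shell
#!/bin/sh
# Added example (not code from the thread or DD-WRT): a "firewall" (rc_firewall)
# script combining the two rule sets discussed above.
#   FORWARD: br0 (vlan0 + wireless) gets nothing on vlan1-3 and, on vlan4, only
#            the proxy (explicit-proxy case) or only routed internet traffic
#            (proxy-is-gateway case, the subnet-drop rule from the first answer).
#   INPUT:   one admin host may reach telnet/HTTP on the router, written as one
#            rule per port because the micro build has no multiport match.
# PROXY_IP, VLAN4_NET and ADMIN_IP are assumed placeholder values.
# IPT="echo iptables" prints the rules instead of loading them (dry run).

IPT="${IPT:-iptables}"
PROXY_IP="${PROXY_IP:-10.0.4.10}"      # assumed: the proxy host on vlan4
VLAN4_NET="${VLAN4_NET:-10.0.4.0/24}"  # assumed: the vlan4 subnet
ADMIN_IP="${ADMIN_IP:-192.168.1.168}"  # assumed: the one permitted admin host
ADMIN_PORTS="${ADMIN_PORTS:-23 80}"    # telnet and the web GUI
GUEST_IF="br0"   # vlan0 is a bridge member, so netfilter sees br0 as ingress
# explicit: clients are configured to talk to the proxy IP, so only that IP is
#           reachable. gateway: the proxy is the default gateway, so drop the
#           vlan4 subnet and let traffic to internet addresses route through.
PROXY_MODE="${PROXY_MODE:-explicit}"

# Negated-match syntax differs by iptables version: 1.3.x (the DD-WRT v24 era)
# takes "-d ! ADDR", 1.4 and later take "! -d ADDR". Set NEG_STYLE=new for those.
NEG_STYLE="${NEG_STYLE:-old}"
not_dst() {
    if [ "$NEG_STYLE" = new ]; then echo "! -d $1"; else echo "-d ! $1"; fi
}

# Keep our rules in a private chain hooked at the top of the built-in one, so
# re-running the script flushes and rebuilds it instead of stacking duplicates.
setup_chain() {
    chain=$1; hook=$2
    $IPT -N "$chain" 2>/dev/null
    $IPT -F "$chain"
    $IPT -D "$hook" -j "$chain" 2>/dev/null
    $IPT -I "$hook" -j "$chain"
}

forward_rules() {
    setup_chain VLAN_ISOLATE FORWARD
    # Replies to connections opened from the other VLANs pass; delete this
    # line to block both directions, as the thread's author chose.
    $IPT -A VLAN_ISOLATE -m state --state ESTABLISHED,RELATED -j RETURN
    for v in vlan1 vlan2 vlan3; do
        $IPT -A VLAN_ISOLATE -i "$GUEST_IF" -o "$v" -j DROP
    done
    if [ "$PROXY_MODE" = gateway ]; then
        # Hosts on vlan4 are unreachable, but packets for internet addresses do
        # not match the destination and are routed out through vlan4 as before.
        $IPT -A VLAN_ISOLATE -i "$GUEST_IF" -d "$VLAN4_NET" -j DROP
    else
        # Anything from br0 not addressed to the proxy is dropped, so the proxy
        # is the only host (and the only path to the internet) br0 can reach.
        $IPT -A VLAN_ISOLATE -i "$GUEST_IF" $(not_dst "$PROXY_IP") -j DROP
    fi
}

input_rules() {
    setup_chain MGMT_ACCESS INPUT
    for p in $ADMIN_PORTS; do
        # Two plain --dport rules per port stand in for one multiport rule.
        $IPT -A MGMT_ACCESS -i "$GUEST_IF" -p tcp --dport "$p" -s "$ADMIN_IP" -j RETURN
        $IPT -A MGMT_ACCESS -i "$GUEST_IF" -p tcp --dport "$p" -j DROP
    done
}

# Load the rules only when invoked with "apply"; sourcing the file without it
# (for example with IPT="echo iptables") just defines the functions.
if [ "${1:-}" = apply ]; then
    forward_rules
    input_rules
fi
```

Run it as `sh rc_firewall apply` on the router, or `IPT="echo iptables" sh rc_firewall apply` on any machine to review the generated rules first. The admin match deliberately carries no mask: `-s 192.168.1.168/24` would admit the whole subnet rather than one host. Choose PROXY_MODE by how the clients reach the proxy; the thread's observation that internet works while the proxy cannot be pinged is the gateway case.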