Closed GoogleCodeExporter closed 9 years ago
It will work only if you have 220.181.*.* as your local net address ;)
By default, all incoming traffic from the Internet is closed and you may open
the needed ports/services at http://my.router/Advanced_VirtualServer_Content.asp
Original comment by Dr.Sydorenko.O
on 19 Aug 2013 at 8:30
Thanks for the quick reply back. It appears you might have overlooked that I
have port forwarding already enabled. "....But, it doesn't prevent IPs from
220.181.*.* from reaching my LAN (on my forwarded ports)...."
I just need to stop certain IP ranges from coming through existing opened
ports. Certainly there should be an easy way to do this. For example, to
block certain IPs from reaching my WWW/FTP servers. I'm hoping someone can
tell me exactly how to do that with a working example.
Original comment by michael....@gmail.com
on 19 Aug 2013 at 2:58
Soulblader.com, thank you so much for telling me exactly how to do this, with
extremely useful and easy-to-follow examples.
You're right, the command line below does give me my external IP address.
# ifconfig `nvram get wan0_ifname` | grep 'inet addr'
If I need to remove the iptables rule for any reason, would I just replace the
-I parameter with -D?
echo "iptables -D FORWARD -i \$(nvram get wan0_ifname) -p tcp -s 220.181.0.0/16 -j DROP" >> /etc/storage/post_iptables_script.sh
Thanks so much for your time!
MKANET
Original comment by michael....@gmail.com
on 19 Aug 2013 at 8:07
You should use iptables rules in this case.
Not sure if you use firmware which allows editing scripts in the web GUI...
So, if you do:
1) Open http://my.router/Advanced_Tweaks_Content.asp
2) Choose script 'Run after firewall rules restarted'
3) Add the following line
iptables -I FORWARD -i $(nvram get wan0_ifname) -p tcp -s 220.181.0.0/16 -j DROP
4) press apply
If you use an earlier version:
1) Open http://my.router/Main_AdmStatus_Content.asp
2) Copy the following line to the input field (it's not quite correct )) but
the input line is too short in the web GUI, so this should do well:
sed -i '$ a\iptables -I FORWARD -i \$(nvram get wan0_ifname) -p tcp -s 220.181.0.0/16 -j DROP' /etc/storage/post_iptables_*
3) Press <Enter> or the 'Refresh' button
For more options see: http://ipset.netfilter.org/iptables.man.html. One can
find it complicated, but there are many examples on the web.
Important note: I'm not sure about the -i option value. Please check the output of
the following command:
# ifconfig `nvram get wan0_ifname` | grep 'inet addr'
The address should be your external IP address.
Original comment by d...@soulblader.com
on 19 Aug 2013 at 8:08
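The two halves of the answer above (build the FORWARD drop rule, then confirm that the interface named by wan0_ifname really carries the public address) as an added shell example. This is not code from the thread or from the rt-n56u project; it assumes BusyBox-style `ifconfig` output with the "inet addr:" form quoted above, and the sample output, interface name and addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build the FORWARD drop rule for a
# source range and sanity-check that the interface used for -i carries a
# public address. Assumes BusyBox-style `ifconfig` output.

# Print the iptables rule line for a given WAN interface and source CIDR.
# Usage: block_rule eth3 220.181.0.0/16
block_rule() {
    printf 'iptables -I FORWARD -i %s -p tcp -s %s -j DROP\n' "$1" "$2"
}

# Extract the first IPv4 address from `ifconfig <if>` output read on stdin.
# Matches the "inet addr:1.2.3.4" form shown in the thread.
inet_addr() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if the address is in a private (RFC 1918) or link-local range,
# i.e. NOT a public address. A private address here means the interface is
# probably not the real WAN side (wrong nvram variable, or the router sits
# behind another NAT), so the -i match would never see Internet traffic.
is_private() {
    case "$1" in
        10.*|192.168.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify ADDR: prints "public" or "private".
classify() {
    if is_private "$1"; then echo private; else echo public; fi
}

# Constructed sample, shaped like `ifconfig eth3` output (eth3 is assumed).
SAMPLE_IFCONFIG='eth3      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.7  Bcast:203.0.113.255  Mask:255.255.255.0'

# Demo: on the router you would pipe `ifconfig $(nvram get wan0_ifname)`
# into inet_addr instead of the constructed sample.
addr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | inet_addr)
echo "WAN address: $addr ($(classify "$addr"))"
block_rule eth3 220.181.0.0/16
```

If classify prints "private" for the wan0_ifname address, the rule would be installed on the wrong interface and would not block anything; fix the interface name first. The rule only covers the FORWARD chain, i.e. traffic passed on to LAN hosts via port forwarding, which is the case asked about in this issue.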
Note: the echo "iptables -I .... " >> /etc/... command doesn't work. Please use sed -i ...
(I've updated my post)
If you don't need this rule anymore, just delete or comment out this line with '#'.
Then update the firewall, for example: go to
http://my.router/Advanced_VirtualServer_Content.asp and press the Apply button. All
rules will be renewed...
Original comment by d...@soulblader.com
on 19 Aug 2013 at 8:16
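The removal advice just given (delete the line from the post-firewall script and re-apply, rather than appending an `iptables -D` line as asked two comments earlier) as an added shell example; it is not code from the thread or from the project. It keeps the rule line idempotent in the script file and removes it by deleting that line. The script path and the wan0_ifname variable are taken from the thread; the demo writes to a temporary file instead so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): maintain one DROP rule line in the
# script that runs after every firewall restart. Appending an
# `iptables -D ...` line would leave the `-I` line in place and re-run both
# on each restart; the correct removal is to delete the `-I` line itself.

# Rule line exactly as it should appear in the script (single quotes keep
# the $(nvram ...) unexpanded until the script actually runs on the router).
RULE='iptables -I FORWARD -i $(nvram get wan0_ifname) -p tcp -s 220.181.0.0/16 -j DROP'

# On the router this would be /etc/storage/post_iptables_script.sh (from the
# thread); the demo below uses a temp file.

# add_rule FILE RULE: append RULE unless an identical line is already there,
# so re-running the setup never stacks duplicate rules.
add_rule() {
    [ -f "$1" ] || : > "$1"
    if grep -qxF -- "$2" "$1"; then
        return 0   # already present, nothing to do
    fi
    printf '%s\n' "$2" >> "$1"
}

# remove_rule FILE RULE: drop every exact copy of RULE from FILE, leaving
# all other lines (other rules, comments) untouched.
remove_rule() {
    grep -vxF -- "$2" "$1" > "$1.tmp" || true
    mv "$1.tmp" "$1"
}

# count_rule FILE RULE: number of exact copies of RULE in FILE (0 if none).
count_rule() {
    grep -cxF -- "$2" "$1" || true
}

demo() {
    f=$(mktemp)
    add_rule "$f" "$RULE"
    add_rule "$f" "$RULE"        # second call is a no-op
    echo "after add: $(count_rule "$f" "$RULE") copy"
    remove_rule "$f" "$RULE"
    echo "after remove: $(count_rule "$f" "$RULE") copies"
    rm -f "$f"
}
demo
```

After either add_rule or remove_rule on the real script, the change only takes effect once the firewall is re-applied (the Apply button mentioned above, or rerunning the script), because the file is only read on firewall restart.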
Thanks for catching that. I will use your sed example instead. I now know
where to add iptables rules after firewall restart, and how to do it via the
command line over ssh.
By the way, I have the latest firmware installed: 3.4.3.6-064. However, I don't
see 'Run after firewall rules restarted' under
http://my.router/Advanced_Tweaks_Content.asp. I think maybe I need to install
an optional admin/tweak package? Anyway, I can always just edit/upload/replace
the text file itself using sftp.
Original comment by michael....@gmail.com
on 19 Aug 2013 at 8:52
I suppose there is no built version in 'Downloads', as the 'edit scripts in web GUI'
feature was added recently.
Original comment by d...@soulblader.com
on 19 Aug 2013 at 9:27
You can compile the firmware yourself:
https://code.google.com/p/rt-n56u/wiki/HowToMakeFirmware.
Original comment by Dr.Sydorenko.O
on 22 Aug 2013 at 11:06
Original issue reported on code.google.com by
michael....@gmail.com
on 19 Aug 2013 at 4:00