ypy705 / rt-n56u

Automatically exported from code.google.com/p/rt-n56u

Allow only specific IP addresses for LAN device via firewall config #600

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Try to set up a firewall entry to block all but specific IP addresses for a specific device on the LAN.

What is the expected output? What do you see instead?
Nothing in UI to allow this level of control

What version of the product are you using? On what operating system?
3.0.2.6-018

Please describe the problem as detailed as it's possible.
If you have connection problem, then syslog file is required. (please do
attach it as a file)
Note that if the problem description is poor, the issue status will be changed to 'Invalid'!

Either via the UI or SSH, I want to set up my VOIP server on my LAN with the IP of 10.0.10.4 to allow traffic from ONLY the following network blocks:

67.108.9.160/27
209.31.18.0/24
64.61.93.0/24
10.0.10.0/24 (of course)

Please advise if there is any way to achieve this, as I am getting attempts to access this device from unauthorized IP addresses, thanks.

Original issue reported on code.google.com by bobmalec...@gmail.com on 21 Nov 2012 at 4:14

GoogleCodeExporter commented 9 years ago
Hello!

I haven't written scripts for some time, so there may be mistakes =/
So, please:
1) check that:
# nvram get wan0_ifname
gives the external network interface name

2) I assume that VOIP uses UDP (change to TCP if needed: iptables -A FORWARD -p tcp .....)

Try to add the following to /etc/storage/post_iptables_script.sh:
----------------------------------

#!/bin/sh

### Custom user script
### Called after internal iptables reconfig (firewall update)

wan_ifname=`nvram get wan0_ifname`
lan_ifname=`nvram get lan_ifname`

VOIP_srv="10.0.10.4"
allowed_ips="67.108.9.160/27 209.31.18.0/24 64.61.93.0/24"

for ip in $allowed_ips ; do
  iptables -A FORWARD -p udp -i $wan_ifname -o $lan_ifname -s $ip \
      -d $VOIP_srv -j ACCEPT 2>/dev/null
done

exit 0

-----------------------------------

Then run:
# mtd_storage.sh save
# /etc/storage/post_iptables_script.sh

Check the rules with:
# iptables -nvL

Original comment by d...@soulblader.com on 21 Nov 2012 at 7:03

GoogleCodeExporter commented 9 years ago
Hi, I tried your recommendation but it completely blocked TCP access to the router from the WAN. Below is the output before I removed the rules. Any ideas on why TCP was blocked?

/etc/storage # iptables -nvL
Chain INPUT (policy ACCEPT 3 packets, 152 bytes)
 pkts bytes target     prot opt in     out     source               destination

  445 88634 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

    2   158 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
         state INVALID
 8818  853K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
         state RELATED,ESTABLISHED
 2857  469K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            224.0.0.0/4

    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4
         udp dpt:!1900
  196 10491 doslimit   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
         state NEW

Chain FORWARD (policy ACCEPT 77584 packets, 28M bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
         state INVALID
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4

13623 5550K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
         state RELATED,ESTABLISHED
 198K   70M doslimit   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
         state NEW
    0     0 DROP       esp  --  br0    *       0.0.0.0/0            0.0.0.0/0

    0     0 DROP       ah   --  br0    *       0.0.0.0/0            0.0.0.0/0

    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0
         udp dpt:1701
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0
         udp dpt:500
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0
         udp dpt:4500
    0     0 ACCEPT     udp  --  eth3   br0     67.108.9.160/27      10.0.10.4

    0     0 ACCEPT     udp  --  eth3   br0     209.31.18.0/24       10.0.10.4

    0     0 ACCEPT     udp  --  eth3   br0     64.61.93.0/24        10.0.10.4

    0     0 ACCEPT     udp  --  eth3   br0     67.108.9.160/27      10.0.10.4

    0     0 ACCEPT     udp  --  eth3   br0     209.31.18.0/24       10.0.10.4

    0     0 ACCEPT     udp  --  eth3   br0     64.61.93.0/24        10.0.10.4

Chain OUTPUT (policy ACCEPT 3664 packets, 2004K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain UPNP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain doslimit (2 references)
 pkts bytes target     prot opt in     out     source               destination

  191  9680 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
         tcpflags: 0x17/0x02 limit: avg 20/sec burst 30
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
         tcpflags: 0x17/0x02
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
         tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
         tcpflags: 0x17/0x04
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
         icmptype 8 limit: avg 2/sec burst 5
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
         icmptype 8

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
         state NEW LOG flags 7 level 4 prefix "ACCEPT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
         state NEW LOG flags 7 level 4 prefix "DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain maclist (0 references)
 pkts bytes target     prot opt in     out     source               destination

/etc/storage #

Original comment by bobmalec...@gmail.com on 23 Nov 2012 at 5:14

GoogleCodeExporter commented 9 years ago
OK, so I think you're after a port forward from an external source IP to a destination IP within the LAN (i.e. for me, SSH from my work PC (static IP) to my SSH server, but I didn't want SSH open to the world).

Enable SSH on the router.

Edit /etc/storage/post_iptables_script.sh to the following (# = comment):

--------------------------------------------------
#!/bin/sh

### Custom user script
### Called after internal iptables reconfig (firewall update)
### mtd_storage.sh save
### /etc/storage/post_iptables_script.sh

## Sleep for 20 seconds to wait for the modem to establish the outside connection (might not be needed).
sleep 20

# Get my external IP address.
ipname=`ifconfig ppp0 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'`
baseip="$ipname/32" # my outside IP address/32

# Note: 80.xxx.xxx.xxx is my work PC's static IP.
# --dport is the port opened externally (so I'm forwarding port 4443 from outside to 4443 on 192.168.1.111).
# 192.168.1.111:4443 is my internal SSH server on the LAN running SSH on port 443.

# Create the PREROUTING (DNAT) rule and the port forward rule.
iptables -t nat -A PREROUTING -s 80.xxx.xxx.xxx/32 -p tcp -d $baseip --dport 4443 -j DNAT --to 192.168.1.111:4443
iptables -I FORWARD -s 80.xxx.xxx.xxx/32 -d 192.168.1.111/32 -p tcp -m tcp --dport 4443 -j ACCEPT

exit 0

----------------------------
Then run:
# mtd_storage.sh save
# /etc/storage/post_iptables_script.sh

iptables -nvL

Chain FORWARD (policy ACCEPT 35893 packets, 3868K bytes)
 pkts bytes target     prot opt in     out     source               destination
  388 61880 ACCEPT     tcp  --  *      *       80.xxx.xxx.xxx         192.168.1.111        tcp dpt:4443

Works a treat, in that I now have an SSH tunnel that only I can connect to from my work PC.

Original comment by cryton2...@gmail.com on 28 Jun 2013 at 12:15
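The following is an added example script, not the project's own post_iptables_script.sh and not code from either reply above. It does what the original request asks: NEW connections from the WAN to 10.0.10.4 are accepted only from the three listed ranges and everything else is logged (rate-limited) and dropped, while established flows and LAN-to-LAN traffic are untouched. It also covers the source-restricted port forward from the later reply, matching on the WAN interface instead of the resolved public address so the sleep and the ifconfig parsing are unnecessary. Both parts are written so that re-running the script (the firewall reconfig runs it, then the manual run does again) never duplicates rules, which is why each ACCEPT line appears twice in the `iptables -nvL` output earlier in this thread. Assumptions: interface names come from `nvram get wan0_ifname` and `nvram get lan_ifname` as in the thread, iptables supports `-C` (rule check, 1.4.11 or newer), and the chain name `voip_allow` and the source 203.0.113.7/32 are placeholders.

```shell
#!/bin/sh
# Added example (not the firmware's script): allow-list a LAN host from the WAN
# and a source-restricted port forward, idempotent across reruns.
# Assumptions: nvram provides interface names, iptables supports -C,
# the chain name "voip_allow" is hypothetical.

IPT="${IPT:-iptables}"       # set IPT=echo to print the commands instead of applying them
VOIP_SRV="10.0.10.4"         # protected LAN host, from the issue
ALLOWED_SRCS="67.108.9.160/27 209.31.18.0/24 64.61.93.0/24"   # from the issue
CHAIN="voip_allow"           # hypothetical dedicated chain

# Rules for the dedicated chain, one iptables argument list per line:
# allowed sources RETURN to FORWARD for normal processing; anything else is
# logged (rate-limited so a scan cannot flood syslog) and dropped.
voip_chain_rules() {
    for src in $ALLOWED_SRCS; do
        echo "-A $CHAIN -s $src -j RETURN"
    done
    echo "-A $CHAIN -m limit --limit 6/min -j LOG --log-prefix VOIP_DENY:"
    echo "-A $CHAIN -j DROP"
}

# Run one iptables command per line of input; word splitting is intended.
apply_lines() {
    while read -r args; do
        $IPT $args
    done
}

# Append a rule to TABLE only if an identical one is not already present (-C).
add_once() {
    table="$1"; shift
    $IPT -t "$table" -C "$@" 2>/dev/null || $IPT -t "$table" -A "$@"
}

# Hook the chain into FORWARD for NEW connections from the WAN interface to
# the VoIP server. FORWARD runs after PREROUTING, so -d matches the post-DNAT
# address whether the server is reached by a port forward or a DMZ setting.
# Established flows never enter the chain, so nothing already working is cut.
apply_voip_allowlist() {
    wan_if="$1"; lan_if="$2"
    $IPT -N "$CHAIN" 2>/dev/null || true   # fails harmlessly if it already exists
    $IPT -F "$CHAIN"                        # empty it, then rebuild from scratch
    voip_chain_rules | apply_lines
    add_once filter FORWARD -i "$wan_if" -o "$lan_if" -d "$VOIP_SRV" \
        -m state --state NEW -j "$CHAIN"
}

# Source-restricted port forward (the later reply's use case): DNAT keyed on
# the WAN interface rather than on the resolved public address, so only the
# listed source can reach the forwarded port. All arguments are placeholders
# supplied by the caller.
apply_restricted_forward() {
    wan_if="$1"; src="$2"; lan_host="$3"; port="$4"
    add_once nat PREROUTING -i "$wan_if" -s "$src" -p tcp --dport "$port" \
        -j DNAT --to-destination "$lan_host:$port"
    add_once filter FORWARD -i "$wan_if" -s "$src" -d "$lan_host" -p tcp \
        --dport "$port" -m state --state NEW -j ACCEPT
}

# Apply only on the router, where nvram exists; elsewhere (or with IPT=echo)
# the functions can be exercised without touching any firewall.
if command -v nvram >/dev/null 2>&1; then
    wan_ifname="$(nvram get wan0_ifname)"
    lan_ifname="$(nvram get lan_ifname)"
    apply_voip_allowlist "$wan_ifname" "$lan_ifname"
    # Placeholder source; uncomment and adjust for a restricted port forward:
    # apply_restricted_forward "$wan_ifname" 203.0.113.7/32 192.168.1.111 4443
fi
```

On the router, save it with `mtd_storage.sh save` as the replies describe and confirm with `iptables -nvL`; the `voip_allow` chain counters then show exactly how many unauthorized connection attempts were dropped, and the `VOIP_DENY:` lines in syslog show where they came from. Off the router, running it with `IPT=echo` prints the rules so the policy can be reviewed before it is applied.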

GoogleCodeExporter commented 9 years ago
+1 for a graphical iptables rule editor that survives reboots. The created rules should also be stored in the configuration backup ("Save Setting to a File:") and should be restored with "Restore Settings from a File:".

Original comment by c...@vakantieland.nl on 5 Apr 2014 at 5:23