OpenWrt Forum Archive

Topic: Block wlan access to admin and ssh

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi!

Is it possible to block access to web administration pages and ssh server of a router through iptables settings? I have WL500gP with Oleg's firmware, but asked on wl500g forum and haven't yet got any answer. Some time ago I had OpenWRT on WL500gP and Linksys WRTSL54GS and I know that web admin is blocked from wireless in openwrt. Maybe somebody knows how to do it in WL500g (possibly through firewall).

Thanks!

Vega

In OpenWrt this is open, so I can't help ya.
But it sounds like iptables problem.

Oh, I thought it was blocked in OpenWrt. Then it was probably only blocked in the original Linksys firmware. Anyway, maybe somebody knows how to deal with it. Waiting for an answer. Thanks!

Vega

I'm going to be hacking at iptables tonight, been a while since I've used it. I'm going to make rules to:

* disallow WAN to access router services (ssh, web interface, etc)
* disallow a specific subnet to access router services (for example, put Wireless on a separate subnet and disallow that subnet access to services)

I'll post when I'm done.

I don't know why this iptables is completely ignoring the rules I'm setting, but it's making me angry.

in particular:   iptabels -A INPUT -i $WAN -p tcp --dport 80 -j DROP

full file:

#!/bin/sh

## Please make changes in /etc/firewall.user

. /etc/functions.sh
WAN="$(nvram get wan_ifname)"
WANDEV="$(nvram get wan_device)"
LAN="$(nvram get lan_ifname)"

## CLEAR TABLES
for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X
done

iptables -N input_rule
iptables -N input_wan
iptables -N output_rule
iptables -N forwarding_rule
iptables -N forwarding_wan

iptables -t nat -N NEW
iptables -t nat -N prerouting_wan
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

iptables -N LAN_ACCEPT
[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
iptables -A LAN_ACCEPT -j ACCEPT

### INPUT
  # base case
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

  # caibbor: disallow WAN from accessing Web Interface
  iptabels -A INPUT -i $WAN -p tcp --dport 80 -j DROP
  iptabels -A INPUT -i $WAN -p udp --dport 80 -j DROP

  # insert accept rule or to jump to new accept-check table here
  iptables -A INPUT -j input_rule
  iptables -A INPUT -i $WAN -j input_wan

  # allow
  iptables -A INPUT -j LAN_ACCEPT    # allow from lan/wifi interfaces 
  iptables -A INPUT -p icmp    -j ACCEPT    # allow ICMP
  iptables -A INPUT -p gre    -j ACCEPT    # allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
  # base case
  iptables -P OUTPUT DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # insert accept rule or to jump to new accept-check table here
  iptables -A OUTPUT -j output_rule

  # allow
  iptables -A OUTPUT -j ACCEPT        #allow everything out

  # reject (what to do with anything not allowed earlier)
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
  # base case
  iptables -P FORWARD DROP 
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  # insert accept rule or to jump to new accept-check table here
  iptables -A FORWARD -j forwarding_rule
  iptables -A FORWARD -i $WAN -j forwarding_wan

  # allow
  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

### MASQ
  iptables -t nat -A PREROUTING -m state --state NEW -j NEW
  iptables -t nat -A PREROUTING -j prerouting_rule
  iptables -t nat -A PREROUTING -i $WAN -j prerouting_wan

  iptables -t nat -A POSTROUTING -j postrouting_rule
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

  iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
    iptables -t nat -A NEW -j DROP

## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -e /etc/config/firewall ] && {
    awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
}

I was able to achieve this goal by adding the following line to the end of /etc/firewall.user:

[ -n "$WIFI" ] && iptables -A input_rule -p tcp -i $WIFI -m multiport --dport 80,443,22 -j DROP

input_rule handles packets targeted at the router itself, and -i $WIFI limits the rule's scope to the wireless interface.

qubic wrote:

I was able to achieve this goal by adding the following line to the end of /etc/firewall.user:

[ -n "$WIFI" ] && iptables -A input_rule -p tcp -i $WIFI -m multiport --dport 80,443,22 -j DROP

input_rule handles packets targeted at the router itself, and -i $WIFI limits the rule's scope to the wireless interface.

Hi,

I tried to put this code into firewall.user, but it didn't work. Have I missed something?

Thanks a lot
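Added example for the tail of /etc/firewall.user (my code, not qubic's rule or OpenWrt's own script): it covers the two quiet ways the one-liner above ends up doing nothing, namely $WIFI never being set (the firewall script posted earlier only defines WAN, WANDEV and LAN, so the `[ -n "$WIFI" ]` guard skips the rule) and the wireless interface being a member of br0, where INPUT sees `-i br0` and the bridge port has to be matched with physdev instead. Assumed, not from the thread: the nvram key wl0_ifname for the wireless interface name, the physdev match being available on the build, and wl0 as a sample interface name.

```shell
#!/bin/sh
# Added example for the tail of /etc/firewall.user (mine, not from the thread).
# Drops new connections arriving on the wireless interface to the router's own
# admin services. INPUT jumps to input_rule before LAN_ACCEPT in the script
# above, so a DROP appended here wins over the LAN accept.
#
# Assumptions: the wireless interface name is in nvram as wl0_ifname (Broadcom
# builds); WIFI=... overrides it. If that interface is a member of br0, INPUT
# sees "-i br0", so the bridge port must be matched with physdev instead.

IPT="${IPT:-iptables}"              # IPT=echo prints rules instead of applying them
ADMIN_PORTS="${ADMIN_PORTS:-80,443,22}"

# Pick the wireless interface: explicit $WIFI first, then nvram, else empty.
resolve_wifi_if() {
    if [ -n "$WIFI" ]; then
        printf '%s\n' "$WIFI"
    elif command -v nvram >/dev/null 2>&1; then
        nvram get wl0_ifname
    fi
}

# True when interface $1 is enslaved to a bridge (sysfs exposes a brport entry).
is_bridge_port() {
    [ -e "/sys/class/net/$1/brport" ]
}

# Interface match for the rule: plain -i, or physdev when the port is bridged.
# $2 = "bridged" forces the physdev form where sysfs cannot be consulted.
iface_match() {
    if [ "$2" = "bridged" ] || is_bridge_port "$1"; then
        printf '%s %s %s %s' -m physdev --physdev-in "$1"
    else
        printf '%s %s' -i "$1"
    fi
}

# Append the DROP to input_rule. Fails (exit 1) when no interface is known, so
# an unset or misspelled $WIFI is reported instead of silently adding nothing.
block_admin_from_wifi() {
    ifc="$1"
    [ -n "$ifc" ] || { echo "firewall.user: no wireless interface, rule not added" >&2; return 1; }
    $IPT -A input_rule $(iface_match "$ifc" "$2") -p tcp \
        -m multiport --dport "$ADMIN_PORTS" -j DROP
}

# Apply for real when sourced from firewall.user (skipped when nothing resolves).
wifi_if="$(resolve_wifi_if)"
[ -z "$wifi_if" ] || block_admin_from_wifi "$wifi_if"
```

After a reboot, `iptables -S input_rule` should list the rule; if it shows `-i wl0` but wireless clients still reach port 80, the interface is bridged and the physdev form is the one needed.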

The discussion might have continued from here.