OpenWrt Forum Archive

Topic: Blocking smb file sharing

The content of this topic has been archived on 23 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Objective: Don't allow two hosts connected to my wrt54g to share files using windows file sharing.   A little research says this can be done by blocking ports 135-139 and 445.  One host is plugged into port 1 and another is plugged into port 2.

I've added the following two lines to the firewall script:

iptables -A FORWARD -i br0 -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -i br0 -p tcp --dport 445 -j DROP

These two lines are right before this standard line which lets all traffic pass:
iptables -A FORWARD -i br0 -o br0 -j ACCEPT

I've re-run the script and also rebooted the router and I'm still able to fileshare between the two hosts.  Can anybody shed some light here?

(Last edited by fizgig on 17 Jun 2005, 18:50)

The packets are passing through the switch, and never get seen by your firewall.  You need to look up how to separate each port on the switch into individual ethernet ports.  Then you'll have to bridge those ports and use filtering in the bridge.

I'm not sure if this is even possible on the newer version hardware?

Thanks.  I had a gut feeling that might be the case.  The bridge connects the switch with the wireless port as I understand it, so iptables only goes into effect when packets try to cross from the switch to the wireless.  Is that right?

I'll look into VLAN separation for ports and see how I do.  I'll report back my results.

If anybody's done something like this, please post here as I'm definitely crawling on my hands and knees here.

Traffic from the wired LAN ports travels directly across the switch and is not seen by the router.  If you want to separate out the ports you have to play with the vlan*ports variables and make each port a separate VLAN.  Doing this will really drop the performance, though; each packet travels from the switch to a VLAN interface, through the firewall, out through another VLAN interface and back out the switch.

vlan0ports="0 5"
vlan1ports="1 5"
... (repeat to vlan4; each vlan contains two ports: 0-4 is the ports on the back, 5 is the connection to the router)

wan_ifname=vlan0
(internet/wan is switch port 0, which is now mapped to vlan0)

lan_ifname=br0
lan_ifnames="vlan1 vlan2 vlan3 vlan4 eth1"
(lan_ifnames contains all the lan ports as well as the wifi -- usually eth1)
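Putting the procedure from the last two replies together, as an added example written for this archive (not the posters' own script): split the switch into one VLAN per port through the nvram vlan*ports variables, bridge the LAN VLANs into br0 together with the wireless interface, and drop the SMB/NetBIOS ports as they cross the bridge. It follows the port layout given above (back-panel ports 0-4, port 5 to the CPU, WAN on port 0); the numbering differs between hardware revisions, so check `nvram show | grep vlan` first. It also assumes the kernel hands bridged IP packets to iptables, which the OpenWrt of this era did; on current kernels that needs the br_netfilter module and net.bridge.bridge-nf-call-iptables=1. Unlike the rules in the first post it also covers UDP 137-138, which NetBIOS name service and browsing use, and it inserts with -I so the rules land ahead of the catch-all ACCEPT. Without --apply it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: split the WRT54G switch into per-port
# VLANs, bridge them, and drop SMB/NetBIOS as it crosses the bridge.
# Assumes the switch layout described in the post above: ports 0-4 are the
# back-panel jacks, port 5 is the CPU side, WAN is port 0.  Without --apply
# the commands are only printed so they can be reviewed first.

BRIDGE=br0
WIFI=eth1   # assumed wireless interface name, as in the post above

# One VLAN per switch port, each holding that port plus CPU port 5.
# Prints the nvram commands; the caller decides whether to run them.
vlan_nvram_settings() {
    port=0
    while [ "$port" -le 4 ]; do
        echo "nvram set vlan${port}ports=\"$port 5\""
        port=$((port + 1))
    done
    echo "nvram set wan_ifname=vlan0"
    echo "nvram set lan_ifname=$BRIDGE"
    echo "nvram set lan_ifnames=\"vlan1 vlan2 vlan3 vlan4 $WIFI\""
    echo "nvram commit"
}

# iptables rules that stop SMB between bridge members.  Only the session
# setup direction (--dport) needs dropping: if no session can start there
# are no replies to worry about.  -i/-o both on the bridge restricts this to
# traffic that is bridged, not routed.  UDP 137/138 (NetBIOS name service
# and datagram/browse announcements) are included, which the original TCP-only
# rules missed.  -I puts the rules before any existing ACCEPT-all.
smb_filter_rules() {
    br=${1:-$BRIDGE}
    for spec in "tcp 135:139" "tcp 445" "udp 137:138"; do
        set -- $spec   # $1 = protocol, $2 = port range
        echo "iptables -I FORWARD -i $br -o $br -p $1 --dport $2 -j DROP"
    done
}

# Number of filter rules generated, for a quick sanity check.
smb_rule_count() {
    smb_filter_rules "$1" | wc -l | tr -d ' '
}

if [ "$1" = "--apply" ]; then
    vlan_nvram_settings | sh
    smb_filter_rules | sh
else
    vlan_nvram_settings
    smb_filter_rules
fi
```

Run it once without arguments to see the nvram and iptables commands it would issue, then with --apply; a reboot (or ifdown/ifup of lan and wan) is still needed for the new VLAN layout to take effect, and the iptables lines belong in the firewall script so they survive it.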

Appreciate the info.  I'm using this WRT54G to filter the connection between two networks.  That's all it's going to be used for.  In fact, the wireless interface was destroyed by setting the mW too high, so now it's just going to filter SMB traffic.

For this reason, I only need two ports.  So, the default setup of vlan0 for ports 1-4 and vlan1 for the WAN port should work ok.  All I did just now was add the following line to the nvram:

lan_ifnames=vlan0 vlan1

Since lan_ifname=br0, those two VLANs should now be bridged together, right?  Trouble is, I can't surf through the filter using this method.  Since all physical ports are now bridged, I should be able to, since the filter is connected to me and the cable modem.  I have to unplug the cable modem from the WAN port and plug it into one of the spare LAN ports in order to browse.

For some reason, the bridge isn't working.  I also removed the two extra filtering rules from iptables even though they shouldn't have hurt me anyhow.

I'm a bit confused as to why vlan0 and vlan1 don't act like they're bridged after giving that command, committing and resetting.

(Last edited by fizgig on 17 Jun 2005, 21:53)

Right; all the ports are now bridged, iptables can be used to filter traffic as it enters and leaves the br0 interface.

Since you now have vlan1 as part of the lan bridge, you need to remove it from wan_ifname so there isn't the conflict over the interface between "ifup lan" and "ifup wan".

I'm slightly confused by your use of the cable modem; normally the cable modem is on the WAN interface and the firewall performs the NAT operations needed to allow internet access.

I'm simplifying the situation a lot actually because I know I don't like to read long stories when trying to understand somebody else's problem.  Here's my real situation if you're curious:

I have my own home network with no internet connection on it.  I have a WDS bridge that connects me to a neighbor's network that does have internet access.  He's cool with me using his network but he doesn't want to see my computers on his "Network Neighborhood".  I'll connect my network to the WDS bridge through this filter.  That's it in a nutshell.

As for the wan_ifname issue, "nvram show |grep wan" comes up blank.  Would there be another place I should look for it?  Is there a way to check the status of the bridge?  ifconfig shows me that vlan0 and vlan1 are up, as is br0, but I can't tell anything more than that.

Why don't you just configure your computer(s) to use a different Workgroup?

Unless he really, truly wants your computers isolated from his...

Even if the computers are in different workgroups they can still be seen in the network neighborhood.  Both workgroups will be shown.

I asked the same question here http://wl500g.info/showthread.php?t=2274 and the answer was ebtables... I have _never_ used Linux as a bridge and I don't even understand how it works here, but I _need_ to block SMB too... The question is: what must I do? Install OpenWrt, then install ebtables (do I really need this?), write firewall rules...

How can I install it? Via ipkg, or must I create my own FW?

People, help me!

Thanks.

P.S. Sorry for my poor English.

Snark, I did solve the problem but I posted the results in another thread:  http://forum.openwrt.org/viewtopic.php?pid=8500#p8500

I later changed it to block all communication (not just smb) between the computers in the separate groups but still allow them all to use the one internet connection.  If you're interested, I'll post how.  It's a simple permutation of the above solution that uses IP addresses instead of ports.
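The poster's IP-based variant was never shown in this thread; the following is an added example written for this archive (not the poster's rules) of what such a permutation looks like: two groups of hosts on the same bridge are kept from talking to each other by address, while the shared internet gateway stays reachable from both sides. All addresses are made up for illustration, and the gateway is assumed to be the neighbour's router on the far side of the WDS link. As with the port rules, this relies on bridged IP packets being passed through iptables' FORWARD chain.

```shell
#!/bin/sh
# Added example, not the poster's actual rules: isolate two groups of hosts
# on one bridge by IP address while leaving the shared gateway reachable.
# All addresses below are constructed for illustration.

BRIDGE=br0
MY_HOSTS="192.168.1.10 192.168.1.11"      # assumed: hosts on my side
THEIR_HOSTS="192.168.1.20 192.168.1.21"   # assumed: neighbour's hosts
GATEWAY="192.168.1.1"                      # assumed: the internet router, never blocked

# Emit one DROP per host pair and direction.  Because the gateway is not in
# either host list, traffic to and from it is left alone and reaches the
# firewall script's catch-all ACCEPT for bridged traffic.
isolation_rules() {
    br=${1:-$BRIDGE}
    for a in $MY_HOSTS; do
        for b in $THEIR_HOSTS; do
            [ "$b" = "$GATEWAY" ] && continue   # belt and braces: never block the gateway
            echo "iptables -I FORWARD -i $br -o $br -s $a -d $b -j DROP"
            echo "iptables -I FORWARD -i $br -o $br -s $b -d $a -j DROP"
        done
    done
}

# Would a packet from $1 to $2 be dropped by the generated rules?
# Returns 0 (true) if a matching DROP rule exists, 1 otherwise.
is_blocked() {
    isolation_rules | grep -qF -- "-s $1 -d $2 -j DROP"
}

if [ "$1" = "--apply" ]; then
    isolation_rules | sh
else
    isolation_rules
fi
```

Two caveats a practitioner would check: host-to-host rules never match broadcasts, so the NetBIOS announcements that populate Network Neighborhood still need the port-based rules from earlier in the thread; and iptables only sees IP, so ARP and other non-IP frames still cross the bridge (that is the case where ebtables, mentioned by snark above, is the right tool).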

Thanks! You did a nice trick, but I want to make my wl500gx act as an AP with this nice daemon http://www.zerfleddert.de/wrt54g/wrt-radauth/ and I think I must bridge all interfaces because I never use routing on an AP. I found solutions here http://openwrt.org/forum/viewtopic.php?id=234 and here http://openwrt.org/forum/viewtopic.php?id=453, but the Linux way of doing bridges is so strange to me. On my filtering-bridge BSD box (128 MB CF card) I did it very easily without any patches or external software, only kernel and ipfw magic, and it even shapes unused traffic (shape it, babe). In the next release I want to do ALTQ shaping, and again, I never use any kind of external software. _Please_ explain to me the Linux way to build filtering bridges on OpenWrt.

(Last edited by snark on 29 Jun 2005, 07:47)

The discussion might have continued from here.