OpenWrt Forum Archive

Topic: firewall settings

The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,
I have this configuration

          WRT54G #1
       (lan 192.168.1.1)
        /            \
       /              \
PC IN LAN           PC IN LAN
(192.168.1.4)       (192.168.1.5)



I would like to drop the traffic destined to IP 192.168.1.5 when the source address isn't 192.168.1.4.

How can I set the iptables rules?

I have tried this, but it doesn't work!

iptables -A FORWARD -s ! 192.168.1.4 -d 192.168.1.5 -j DROP

thx!

The problem here most probably is that the rules that the default firewall script set up are still around, and since you are appending your rule, some default rules that accept traffic take effect before it.

3 solutions come to my mind:

1) insert the rule with -I instead of appending it with -A

2) clear the default rules before appending your rule

3) look at the rules structure set up by the default firewall script and append your rule to the correct chain (not FORWARD) in order to make your custom rule work better in coherence with the structure of the firewall script


Regards,
Niels Böhm

As long as your PCs are connected to the (internal) switch on the same vlan, the firewall will not (be able to) filter anything on the LAN segment itself.

Ah, that's another point, true. I forgot about bridging, since I'm not using it here.

And how can I do it?
Then isn't it possible to block the traffic directed to 192.168.1.5 if the source is different from 192.168.1.4?

My wireless lan, switch lan (and also a Wds) are bridged on the same br-lan

root@Ap1:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          8000.0023692a941e       no              eth0.0
                                                        wl0
                                                        wds0.1

some help?

alcool179 wrote:

Then isn't it possible to block the traffic directed to 192.168.1.5 if the source is different from 192.168.1.4?
My wireless lan, switch lan (and also a Wds) are bridged on the same br-lan

You need ebtables, but I can't help you in detail. Another opportunity would be to create a new vlan for the pc that now has 192.168.1.5 and put that one in an extra subnet.
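The two points made in this thread (first-match rule order in a chain, and bridged traffic never reaching the IP-layer FORWARD chain) can be shown with a small model of netfilter chain evaluation. This is an added example, not code from any poster or from the OpenWrt firewall script; the "default chain" below is a constructed stand-in with one catch-all ACCEPT standing for the script's LAN accept rules, and the packets are constructed samples.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One iptables-style rule: match on source/destination, return a target."""
    target: str                      # "ACCEPT" or "DROP"
    src: Optional[str] = None        # -s address
    dst: Optional[str] = None        # -d address
    src_negated: bool = False        # the "!" in "-s ! 192.168.1.4"

    def matches(self, pkt: dict) -> bool:
        # Source test, honouring negation: match when (src equal) XOR negated.
        if self.src is not None and (pkt["src"] == self.src) == self.src_negated:
            return False
        if self.dst is not None and pkt["dst"] != self.dst:
            return False
        return True


@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:            # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I (position 1 by default)
        self.rules.insert(pos - 1, rule)

    def flush(self) -> None:                         # iptables -F
        self.rules.clear()

    def verdict(self, pkt: dict) -> str:
        """First matching rule wins; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def default_forward_chain() -> Chain:
    """Constructed stand-in for the default script's FORWARD chain: a catch-all
    ACCEPT for LAN traffic that sits before anything the user appends."""
    chain = Chain("FORWARD", policy="DROP")
    chain.append(Rule("ACCEPT"))   # think of "-i br-lan -j ACCEPT"
    return chain


def custom_rule() -> Rule:
    """The poster's rule: -s ! 192.168.1.4 -d 192.168.1.5 -j DROP"""
    return Rule("DROP", src="192.168.1.4", src_negated=True, dst="192.168.1.5")


def packet(src: str = "192.168.1.7", dst: str = "192.168.1.5") -> dict:
    return {"src": src, "dst": dst}   # constructed sample packet


def verdict_with_append(src: str = "192.168.1.7") -> str:
    """What the poster tried: -A places the DROP after the catch-all ACCEPT."""
    chain = default_forward_chain()
    chain.append(custom_rule())
    return chain.verdict(packet(src))


def verdict_with_insert(src: str = "192.168.1.7") -> str:
    """Solution 1: -I places the DROP first, so it is evaluated before the ACCEPT."""
    chain = default_forward_chain()
    chain.insert(custom_rule())
    return chain.verdict(packet(src))


def verdict_after_flush(src: str = "192.168.1.7") -> str:
    """Solution 2: flush the default rules, then append."""
    chain = default_forward_chain()
    chain.flush()
    chain.append(custom_rule())
    return chain.verdict(packet(src))


def forward_verdict(pkt: dict, chain: Chain, same_segment: bool) -> str:
    """Only routed traffic traverses the IP-layer FORWARD chain. Frames switched or
    bridged between two hosts on one segment (both PCs on br-lan) never reach it,
    so even a correctly ordered iptables rule has no effect on them."""
    if same_segment:
        return "BRIDGED"   # handled at layer 2; this is the layer ebtables filters
    return chain.verdict(pkt)


def bridged_verdict() -> str:
    chain = default_forward_chain()
    chain.insert(custom_rule())
    return forward_verdict(packet(), chain, same_segment=True)


if __name__ == "__main__":
    print("-A:", verdict_with_append())
    print("-I:", verdict_with_insert())
    print("-F then -A:", verdict_after_flush())
    print("allowed source with -I:", verdict_with_insert("192.168.1.4"))
    print("same bridge:", bridged_verdict())
```

Running the script shows the appended rule never fires (the catch-all ACCEPT matches first), the inserted rule drops traffic from 192.168.1.7 while still accepting 192.168.1.4, and the bridged case bypasses the chain entirely. Two caveats worth keeping in mind: after a flush, anything the custom rule does not match falls through to the chain policy (DROP in this model), which is why the third solution of appending to the script's own chain is the cleaner one; and the `-s ! addr` spelling is the old iptables negation syntax, which newer iptables releases reject in favour of `! -s addr`.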

The discussion might have continued from here.