I'm trying to set up iptables on my dd-wrt router to accept only VPN traffic and block everything else, including LAN traffic, for a specific host. This is what I have so far, but iptables isn't taking my commands, which suggests something is wrong with them. I'm pretty new to iptables so these commands probably wouldn't work anyway lol. The host is .101 and the router is .10. The "[CHAIN] [#]" is for where they need to go relative to the other filters.

Code:
    # Accept https traffic for router management.
    iptables -I INPUT 12 -p tcp -s 192.168.1.101 -d 192.168.1.10 --sport 443 -j ACCEPT
    # Accept VPN traffic from .101
    iptables -I INPUT 13 -p udp -s 192.168.1.101 --sport 1192 -j ACCEPT
    # Drop all other data coming from .101
    iptables -I INPUT 14 -p 0 -s 192.168.1.101 -j logdrop
    # Block all LAN traffic from reaching .101 (the FORWARD accept for VPN traffic is already in the firewall)
    iptables -I FORWARD 8 -p 0 -s 0.0.0.0/0 -d 192.168.1.101 -j logdrop

I'd really, REALLY appreciate any help on what I'm doing wrong. I've been wracking my brain trying to understand the madness that is iptables for about a week.
I made a simple Google search for you (Scroogle is down) and I came up with these links (to start with):
- Static PPTP VPN Client
- OpenVPN - Site-to-Site routed VPN between two routers
- Iptables command - DD-WRT Wiki
(hope that it may help you!)
Yeah, unfortunately I had already been through two of those links and they don't really describe how to do what I need. The last link is pretty helpful for understanding basic iptables operations, from which I learned to write the commands above, but they don't ever really cover how to do what I want. I'm not really trying to pass through the VPN traffic, that works just fine; I'm really just trying to deny access to/from a specific host on both the LAN and WAN side for anything other than VPN traffic.
What kind of VPN traffic? E.g. is it generated locally or is it through another box on your network? What are you connecting to on the other end? First step should be forwarding the traffic, then an explicit rule for VPN traffic (GRE etc.), then a block for everything else. Look here for setup if using dd-wrt itself: http://www.dd-wrt.com/wiki/index.php/PPTP_Server_Configuration

Are these all of your rules? 0.o
Of the ones I'm plugging in, yes, with maybe:

Code:
    iptables -I INPUT --source 192.168.1.101 --sport 443 -j ACCEPT

put in before the logdrop to allow https management from the host --> router. The commands are being put into a basic dd-wrt created template firewall with a few added port forwarding and INPUT statements, but they shouldn't conflict with anything in there. If they do it will just be the ordering.

EDIT: The traffic is OpenVPN (not pptp/ipsec) traffic, which is UDP on port 1194. The forwarding statements for udp/1194 and GRE are already in the firewall (simply done with port forwarding in the DD-WRT GUI). The traffic is generated from a static IP host on the LAN (.101). The VPN client on .101 is connecting to an external server address on the internet.
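The following is an added example, not code from anyone in this thread, putting the facts from the first post and the EDIT above (host .101, router .10, OpenVPN over UDP/1194 to a server on the internet) into a ruleset that addresses the three problems visible in the posted commands: the management rule matches `--sport 443` where it needs `--dport 443` (the client's source port is ephemeral); the VPN traffic from .101 to an external server is routed through the router and therefore traverses FORWARD, not INPUT; and `-I CHAIN N` fails with "Index of insertion too big" when N is larger than the chain's current rule count plus one, which is the usual reason such commands are "not taken". Assumed, and not stated in the thread: the stock DD-WRT firewall already has an ESTABLISHED,RELATED ACCEPT rule in both INPUT and FORWARD (the new rules are placed right after it so replies keep flowing), the `logdrop` chain exists, and the VPN server is a single IP (203.0.113.5 is a placeholder). The `dryrun` helper and the sample chain listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: a "VPN-only" ruleset for one LAN host
# on a DD-WRT router. Assumed (not in the thread): an ESTABLISHED,RELATED
# ACCEPT already exists in INPUT and FORWARD, the logdrop chain exists, and
# the OpenVPN server is a single IP address.

IPT="${IPT:-iptables}"                   # set IPT=dryrun to print, not apply
HOST=192.168.1.101
ROUTER=192.168.1.10
VPN_SERVER="${VPN_SERVER:-203.0.113.5}"  # placeholder; use the real server IP
VPN_PORT=1194

# Print a command instead of running it (for testing without root).
dryrun() { printf '%s\n' "$*"; }

# Read an `iptables -S CHAIN` listing on stdin and print the 1-based rule
# number of the first ESTABLISHED,RELATED rule (nothing if there is none).
# New rules go right after it: a blanket "-d HOST -j logdrop" placed before
# it would also drop the VPN server's replies to the host.
established_rule_index() {
    awk '/^-A/ { n++ } /^-A/ && /ESTABLISHED/ { print n; exit }'
}

# Insert the rules. $1 = rule number to insert after in INPUT, $2 = same for
# FORWARD. Every `-I CHAIN N` pushes the earlier inserts down one slot, so
# the commands are issued in reverse of the order we want to end up with.
vpn_only_rules() {
    in_pos=$(( $1 + 1 )); fw_pos=$(( $2 + 1 ))
    # INPUT (traffic addressed to the router itself): the host may reach the
    # HTTPS admin page and nothing else. It is --dport 443; the client's
    # source port is ephemeral, so --sport 443 would never match.
    $IPT -I INPUT "$in_pos" -s "$HOST" -j logdrop
    $IPT -I INPUT "$in_pos" -p tcp -s "$HOST" -d "$ROUTER" --dport 443 -j ACCEPT
    # FORWARD (traffic routed through the router, i.e. LAN<->WAN): the
    # OpenVPN session from the host to its server goes through here, not
    # INPUT. Allow only that, then drop anything else to or from the host.
    $IPT -I FORWARD "$fw_pos" -s "$HOST" -j logdrop
    $IPT -I FORWARD "$fw_pos" -d "$HOST" -j logdrop
    $IPT -I FORWARD "$fw_pos" -p udp -s "$HOST" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
}

# Constructed sample (made up for this example, in the shape of
# `iptables -S FORWARD` output); used only by the dry run below.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT'

# `sh vpn_only.sh apply` inserts the rules on the router (as root, e.g. from
# the DD-WRT firewall script); anything else is a dry run over the sample.
if [ "${1:-}" = "apply" ]; then
    in_after=$($IPT -S INPUT | established_rule_index)
    fw_after=$($IPT -S FORWARD | established_rule_index)
    vpn_only_rules "${in_after:-0}" "${fw_after:-0}"
else
    IPT=dryrun
    fw_after=$(printf '%s\n' "$SAMPLE_FORWARD" | established_rule_index)
    vpn_only_rules 0 "${fw_after:-0}"
fi
```

Two caveats worth knowing before relying on this. Dropping everything else from .101 in INPUT also drops its DNS and DHCP requests to the router, so the OpenVPN client should be configured with the server's IP (or a `-p udp --dport 53 -j ACCEPT` added ahead of the logdrop). More importantly, FORWARD only sees traffic the router routes; traffic between .101 and another host on the same subnet is switched (or bridged inside br0), so these rules do not isolate .101 from the rest of the LAN. Putting .101 on its own VLAN/subnet so that its LAN traffic is routed, or filtering at the bridge layer with ebtables, is what that part of the requirement actually needs.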