iptables help

Discussion in 'all things UNIX' started by bc_helix, Nov 4, 2010.

Thread Status:
Not open for further replies.
  1. bc_helix

    bc_helix Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    7
    I'm trying to set up iptables on my dd-wrt router to accept only VPN traffic and block everything else, including LAN traffic, for a specific host. This is what I have so far, but iptables isn't taking my commands, which suggests something is wrong with them. I'm pretty new to iptables, so these commands probably wouldn't work anyway lol. The host is .101 and the router is .10. The "[CHAIN] [#]" is for where they need to go relative to the other filters.

    Code:
    # Accept HTTPS traffic for router management. The host connects *to* port 443
    # on the router, so the match is on the destination port, not --sport.
    iptables -I INPUT 12 -p tcp -s 192.168.1.101 -d 192.168.1.10 --dport 443 -j ACCEPT
    # Accept VPN traffic from .101 (OpenVPN is UDP to port 1194; the client's
    # source port is ephemeral). Traffic to an external VPN server is routed
    # (FORWARD), not delivered to the router (INPUT), so this rule only matters
    # if the router itself terminates the VPN.
    iptables -I INPUT 13 -p udp -s 192.168.1.101 --dport 1194 -j ACCEPT
    # Drop all other data coming from .101 (omit -p to match every protocol)
    iptables -I INPUT 14 -s 192.168.1.101 -j logdrop
    
    # Block all LAN traffic from reaching .101 (the FORWARD accept for VPN traffic is already in the firewall)
    # Note: "-I CHAIN N" is rejected when the chain holds fewer than N-1 rules;
    # check the numbering with "iptables -L FORWARD --line-numbers" first.
    iptables -I FORWARD 8 -d 192.168.1.101 -j logdrop
    I'd really, REALLY appreciate any help on what I'm doing wrong. I've been wracking my brain trying to understand the madness that is iptables for about a week.
     
  2. Fiat_Lux

    Fiat_Lux Registered Member

    Joined:
    Nov 1, 2010
    Posts:
    180
  3. bc_helix

    bc_helix Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    7
    Yeah, unfortunately I had already been through two of those links and they don't really describe how to do what I need. The last link is pretty helpful for understanding basic iptables operations, from which I learned to write the commands above, but they don't ever really cover how to do what I want. I'm not really trying to pass through the VPN traffic, that works just fine; I'm really just trying to deny access to/from a specific host, both LAN/WAN side, for anything other than VPN traffic.
     
  4. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    What kind of VPN traffic? e.g. Is it generated locally or is it through another box on your network? What are you connecting to on the other end?

    First step should be forwarding the traffic, then an explicit rule for VPN traffic (GRE etc.), then a block for everything else.

    look here for setup if using ddwrt itself:
    http://www.dd-wrt.com/wiki/index.php/PPTP_Server_Configuration
    Are these all of your rules? 0.o
     
    Last edited: Nov 5, 2010
  5. bc_helix

    bc_helix Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    7
    Of the ones I'm plugging in, yes, with maybe:

    Code:
    # -p tcp is required before a port match; without it iptables rejects
    # --sport/--dport as an unknown option. Management traffic goes *to*
    # port 443 on the router, so the match is --dport.
    iptables -I INPUT -p tcp -s 192.168.1.101 -d 192.168.1.10 --dport 443 -j ACCEPT
    put in before the logdrop to allow HTTPS management from the host --> router.
    The commands are being put into a basic dd-wrt created template firewall with a few added port forwarding and INPUT statements, but they shouldn't conflict with anything in there. If they do, it will just be the ordering.

    EDIT:

    The traffic is OpenVPN (not PPTP/IPsec) traffic, which is UDP on port 1194. The forwarding statements for UDP/1194 and GRE are already in the firewall (simply done with port forwarding in the DD-WRT GUI). The traffic is generated from a static-IP host on the LAN (.101). The VPN client on .101 is connecting to an external server address on the internet.
     
    Last edited: Nov 5, 2010
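Pulling together what posts 1, 4 and 5 establish (an OpenVPN client on .101 going out to UDP/1194, HTTPS management of the router from .101, everything else dropped, explicit rules ordered before the catch-all block), here is an added example of a dd-wrt firewall script that implements it. It is not code from the thread or from dd-wrt. The chain name HOST_VPN_ONLY, the DRY_RUN switch and the show/apply arguments are assumptions made for this example; the logdrop chain is assumed to exist already, as the poster says it does.

```shell
#!/bin/sh
# Added example (not code from the thread). Restricts one LAN host (.101) so the
# router only forwards its OpenVPN client traffic (UDP to port 1194) and only
# accepts HTTPS management from it. Assumptions: the chain name HOST_VPN_ONLY,
# the DRY_RUN switch and the "show"/"apply" arguments are inventions for this
# example; dd-wrt's logdrop chain is assumed to already exist.
HOST=192.168.1.101
ROUTER=192.168.1.10
VPN_PORT=1194
CHAIN=HOST_VPN_ONLY
DRY_RUN=${DRY_RUN:-0}

# With DRY_RUN=1 the rule is printed instead of applied, so the rule set can be
# reviewed (or tested) without root and without a live router.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Dedicated chain for everything routed to or from the host. Creating it
    # fails harmlessly if it already exists; it is flushed instead.
    ipt -N "$CHAIN" 2>/dev/null || ipt -F "$CHAIN"

    # INPUT: packets addressed to the router itself. Management is HTTPS *to*
    # port 443 on the router, so match --dport, not --sport. Inserting at
    # positions 1 and 2 always succeeds, unlike "-I INPUT 12" on a chain that
    # holds fewer than 11 rules.
    ipt -I INPUT 1 -p tcp -s "$HOST" -d "$ROUTER" --dport 443 -j ACCEPT
    ipt -I INPUT 2 -s "$HOST" -j logdrop

    # FORWARD: packets the router routes for the host.
    # Later packets of a flow whose first packet was accepted (the tunnel).
    ipt -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The host may open new OpenVPN sessions. The client's source port is
    # ephemeral, so the destination port is what identifies the traffic.
    ipt -A "$CHAIN" -p udp -s "$HOST" --dport "$VPN_PORT" -m state --state NEW -j ACCEPT
    # Anything else to or from the host is logged and dropped.
    ipt -A "$CHAIN" -s "$HOST" -j logdrop
    ipt -A "$CHAIN" -d "$HOST" -j logdrop
    # Hook the chain in ahead of dd-wrt's own FORWARD rules.
    ipt -I FORWARD 1 -s "$HOST" -j "$CHAIN"
    ipt -I FORWARD 1 -d "$HOST" -j "$CHAIN"
}

# Usage:  sh lockdown.sh show    (print the rules for review)
#         sh lockdown.sh apply   (apply them, as root on the router)
case "${1:-}" in
    show)  DRY_RUN=1; apply_rules ;;
    apply) apply_rules ;;
esac
```

Three points about the design. An outbound OpenVPN client needs no port forward and no GRE rule on the router; the state match admits the server's replies because they belong to a flow the host opened. If the client config names the server by hostname rather than IP, the host also needs DNS, so either allow UDP/TCP 53 from .101 to the router in INPUT or pin the server IP in the client config. Most importantly, the FORWARD rules only see packets the router routes: other machines on the same LAN segment reach .101 through the switch or the Wi-Fi bridge and never traverse iptables, so "block all LAN traffic from reaching .101" on a flat LAN cannot be done with FORWARD rules alone and needs a separate subnet or VLAN for the host, AP isolation, or ebtables rules on the bridge.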
  6. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    Please see above for more Q's
     