
I'm trying to set up a dd-wrt router to serve as a subnetwork for some custom-built arduino devices.

The idea is having the router's LAN/WIFI open to the arduino devices and only allowing traffic to leave the WAN port to the company LAN if it's for the controlling server.

I've tried to apply the following rules:

    echo "allow all router connections"
    iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT

    echo "allow all ping"
    iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

    echo "allow all ntp (time)"
    iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

    echo "allow dns"
    iptables -A OUTPUT -p udp -d 10.80.91.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp -s 10.80.91.2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -d 10.80.91.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s 10.80.91.2 --sport 53 -m state --state ESTABLISHED -j ACCEPT

    echo "allow webserver"
    iptables -A OUTPUT -p tcp -d 10.80.91.2 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s 10.80.91.2 --sport 80 -m state --state ESTABLISHED -j ACCEPT

    echo "drop everything else"
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

Unfortunately, every time I reach "iptables -A INPUT -j DROP" I lose my telnet connection to the router, as if all the rules I'd set before were being ignored.

It's my first time using iptables and all the information I see online seems to indicate I'm doing it correctly.

The router is a Linksys E2000 with DD-WRT v24-sp2 (08/12/10) std-usb-ftp (SVN revision 14929).

  • Of course you lose your connection. You have written no rule to allow it! Commented Feb 25, 2016 at 14:39
  • The two lines at the start are supposed to allow any type of connection to the router itself: iptables -A INPUT -s 127.0.0.1 -j ACCEPT; iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT Commented Feb 27, 2016 at 10:42

1 Answer

You haven't allowed for established connections of the type you are using in the connection already. This is why when you add the last line the connection is broken.

You'd want a line like this:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 

This says that the firewall should permit connections that have already been made and are working. (i.e. passed all the other rules in the firewall.)

With that said, you'll also need a rule to permit ssh coming in such as:

-A INPUT -s <source> -p tcp -m state --state NEW -m tcp --dport ssh -j ACCEPT 

This tells the firewall to allow ssh connections to be started.

Hope this helps.

P.S. I would have to check but the "-P" lines (last three) you should not be using since I think they flush the tables. But I'd have to recheck it.

  • For the record, I object to my answer being edited to remove what is viewed as "gripeing" but Mr Hampton's non-answer being left unchallenged. Commented Sep 25, 2016 at 14:31
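As an added example (not the asker's ruleset and not the answerer's code), the script below builds the filter table in the order the answer describes: loopback, then RELATED,ESTABLISHED in all three chains, then the management and service rules, and only then the DROP policies. It assumes the DD-WRT defaults of br0 for the LAN/WiFi bridge and vlan2 for the WAN port, takes the controlling server 10.80.91.2 from the question, and leaves the nat table (DD-WRT's own masquerading) untouched. Two points it makes that the thread only hints at: a rule matching -s 127.0.0.1 only ever sees loopback packets, so it does nothing for a telnet session arriving from a LAN host (matching the interface with -i lo is the usual way to allow the router to talk to itself), and -P sets the default policy for packets that fall off the end of a chain rather than flushing anything. By default the script only echoes the commands so the ordering can be reviewed; set IPT=iptables to apply them on the router.

```shell
#!/bin/sh
# Added example: ordered filter-table ruleset for an isolated device subnet.
# Assumptions: LAN_IF=br0 and WAN_IF=vlan2 (DD-WRT defaults), SERVER is the
# controlling server from the question. IPT defaults to a dry run.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan2}"
SERVER="${SERVER:-10.80.91.2}"

apply_rules() {
    # Start from empty filter chains (clears DD-WRT's own filter rules too).
    $IPT -F
    $IPT -X

    # 1. Loopback by interface: -s 127.0.0.1 would never match LAN traffic.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 2. Replies to connections already accepted, in every chain. This is the
    #    rule the question's set lacks; it must sit above any DROP.
    $IPT -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 3. Management of the router (telnet 23, ssh 22), LAN side only.
    $IPT -A INPUT -i "$LAN_IF" -p tcp -m multiport --dports 22,23 -m state --state NEW -j ACCEPT

    # 4. Services the router provides to the devices: DHCP, DNS, ping.
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p icmp --icmp-type echo-request -j ACCEPT

    # 5. The router's own outbound needs: NTP, ping, DNS and HTTP to the server.
    $IPT -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -d "$SERVER" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -d "$SERVER" -p tcp -m multiport --dports 53,80 -m state --state NEW -j ACCEPT

    # 6. Devices may only reach the controlling server through the WAN port.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -d "$SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # 7. Log a rate-limited sample of what is about to be dropped, then set the
    #    default policies. -P does not flush; it decides the fate of packets
    #    that matched none of the rules above.
    $IPT -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "ipt-drop-in: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "ipt-drop-fwd: "
    $IPT -P INPUT   DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT  DROP
}

# Dry-run check: returns 0 when the INPUT RELATED,ESTABLISHED rule is emitted
# before the INPUT DROP policy, i.e. the ordering that keeps the admin session.
rules_ordered() {
    out=$(IPT="echo iptables" apply_rules)
    est=$(printf '%s\n' "$out" | grep -n -e '-A INPUT -m state --state RELATED,ESTABLISHED' | head -1 | cut -d: -f1)
    drop=$(printf '%s\n' "$out" | grep -n -e '-P INPUT DROP' | head -1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

apply_rules
```

Run it once without IPT set to read the generated commands, then on the router as IPT=iptables sh rules.sh from a LAN host; because the ESTABLISHED rule precedes the policies, the telnet session that runs the script survives the final -P lines.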
