Iptables – block access to wrt from vlan using iptables dd-wrt

iptablesrouter

I set up multiple isolated vlans in dd-wrt. Now I need to forward a port to vlan2.

I isolated the vlans using:

iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I FORWARD -i br0 -o vlan3 -j DROP
iptables -I FORWARD -i br0 -o vlan4 -j DROP

Now I need to block a clients on each vlan from accessing the router.

This doesn't work:

iptables -I INPUT -i br0 -o vlan2 --dport telnet -j REJECT --reject-with tcp-reset

I'm new it iptables… am I missing something?

Best Answer

If you want the client to not access the router, you can't use -o. In addition, if you want to use --dport, you must specify the protocol. So, do it like this:

iptables -I INPUT -i br0 -p tcp --dport telnet -j REJECT --reject-with tcp-reset

-o is used only if you want to apply the rule to a packet passing the router.

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Would it not be easier to switch off ssh forwarding on the ssh server? Just change AllowTcpForwarding from yes to no in your /etc/ssh/sshd_config. If this doesn't suit, you could try something along the lines of

iptables -A OUTPUT -o eth1 -p tcp --cmd-owner "sshd" -j DROP

Iptables – Forward port ip on seprate vlan dd-wrt

You don't forward a single port to a VLAN, you forward it to a specific IP. If you want it broadcast to the entire VLAN for some reason, you can forward it do the broadcast address for VLAN2.

Also, you may want to make sure all your VLANs are using separate subnets. dd-wrt gets a bit strange when it starts looping on itself because it's trying to route between multiple VLANs with the same subnet.

Best Answer

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Iptables – Forward port ip on seprate vlan dd-wrt

Related Topic