I'm trying to set up a dd-wrt router to serve as a subnetwork for some custom built arduino devices.
The idea is having the router's LAN/WIFI being open to the arduino devices and only allowing traffic to leave the WAN port to the company LAN if it's for the controlling server.
I've tried to apply the following rules:
    echo "allow all router connections"
    iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
    echo "allow all ping"
    iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "allow all ntp (time)"
    iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
    echo "allow dns"
    iptables -A OUTPUT -p udp -d 10.80.91.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp -s 10.80.91.2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -d 10.80.91.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s 10.80.91.2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
    echo "allow webserver"
    iptables -A OUTPUT -p tcp -d 10.80.91.2 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s 10.80.91.2 --sport 80 -m state --state ESTABLISHED -j ACCEPT
    echo "drop everything else"
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
Unfortunately, every time I reach "iptables -A INPUT -j DROP" I lose my telnet connection to the router, like all the rules I've set before were being ignored.
It's my first time using iptables and all the information I see online seems to indicate I'm doing it correctly.
The router is a Linksys E2000 with DD-WRT v24-sp2 (08/12/10) std-usb-ftp (SVN revision 14929).
Best Answer
You haven't allowed for established connections of the type you are using in the connection already. This is why when you add the last line the connection is broken.
You'd want a line like this:
This says that the firewall should permit connections that have already been made and are working. (i.e. passed all the other rules in the firewall.)
With that said, you'll also need a rule to permit ssh coming in such as:
This tells the firewall to allow ssh connections to be started.
Hope this helps.
P.S. I would have to check but the "-P" lines (last three) you should not be using since I think they flush the tables. But I'd have to recheck it.
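The complete rule set that the answer sketches, written up as an added example that is not part of the question or the answer above. It puts the conntrack rule first so the telnet session survives, restricts ssh/telnet to the LAN side, and moves the actual restriction (Arduinos may only talk to the controlling server) into the FORWARD chain, which the question's script never touched: INPUT and OUTPUT only govern traffic to and from the router itself. Interface names are assumptions: br0 as the LAN bridge and vlan2 as the WAN port should be checked with `nvram get lan_ifname` and `nvram get wan_ifname` on the router; 10.80.91.2 is the server address from the question.

```sh
#!/bin/sh
# Added example for the thread above, not code from the question or answer.
# Assumed: br0 = LAN bridge, vlan2 = WAN port (verify with nvram get lan_ifname /
# nvram get wan_ifname); 10.80.91.2 = controlling server from the question.

IPT="${IPT:-iptables}"          # replaced by a print function in dry_run
LAN_IF="${LAN_IF:-br0}"         # assumed LAN bridge (Arduino side)
WAN_IF="${WAN_IF:-vlan2}"       # assumed WAN port (company LAN side)
SERVER="${SERVER:-10.80.91.2}"  # controlling server, web + DNS, from the question
ADMIN_PORTS="22 23"             # ssh and telnet to the router, LAN side only

apply_rules() {
    # 1. Empty filter chains with default-deny policies. -P only sets the verdict
    #    for packets that match no rule; it does not flush anything.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -F "$chain"
        $IPT -P "$chain" DROP
    done

    # 2. Loopback and connection tracking before anything else. This is the rule
    #    the question's script lacked: the telnet session is an ESTABLISHED flow,
    #    so without it every packet of that session hits the final DROP.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # 3. Services the router itself offers, reachable from the Arduino LAN only:
    #    ssh/telnet management, DHCP, DNS (dnsmasq) and ping. Nothing arriving on
    #    the WAN port may open a new connection to the router.
    for port in $ADMIN_PORTS; do
        $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p icmp -j ACCEPT

    # 4. Traffic the router originates: anything towards its own LAN (DHCP offers,
    #    DNS answers), and on the WAN side only what the question allowed:
    #    ping, NTP, and DNS/HTTP to the controlling server.
    $IPT -A OUTPUT -o "$LAN_IF" -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p icmp -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 123 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -d "$SERVER" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -d "$SERVER" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -d "$SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # 5. The real requirement lives in FORWARD: Arduinos may open HTTP to the
    #    server and nothing else, and the company LAN cannot reach the Arduino
    #    side at all (policy DROP, no rule for -i WAN_IF). Dropped forwards are
    #    logged, rate limited, so blocked Arduino traffic shows up in dmesg.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -d "$SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "arduino-fw-drop: "
    # NAT is left to DD-WRT's default masquerade on the WAN port; if that is
    # disabled, add once: iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Lockout insurance while experimenting over telnet: unless "cancel" is run
# within two minutes, INPUT is opened again and you can log back in.
failsafe_start() {
    ( sleep 120 && $IPT -P INPUT ACCEPT && $IPT -F INPUT ) &
    echo $! > /tmp/fw-failsafe.pid
}
failsafe_cancel() {
    kill "$(cat /tmp/fw-failsafe.pid)" 2>/dev/null && rm -f /tmp/fw-failsafe.pid
}

# Print the iptables invocations instead of executing them (no root needed).
print_cmd() { printf '%s\n' "$*"; }
dry_run() { ( IPT=print_cmd; apply_rules; ); }

case "${1:-}" in
    apply)  failsafe_start; apply_rules ;;   # then "$0 cancel" while still connected
    cancel) failsafe_cancel ;;
    plan)   dry_run ;;
esac
```

Run `sh fw.sh plan` first to review the generated rules, then `sh fw.sh apply` followed by `sh fw.sh cancel` from the same telnet session once you have confirmed it is still alive. Because the policies are set to DROP up front and the conntrack rule is appended before any other rule, the trailing `-A INPUT -j DROP` / `-A OUTPUT -j DROP` rules from the question are not needed: `iptables -P` sets the default verdict for packets matching no rule and does not flush the chain.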