Iptables – Configuring iptables on dd-wrt router

Tags: iptables, router

I'm trying to set up a dd-wrt router to serve as a subnetwork for some custom-built Arduino devices.

The idea is having the router's LAN/WIFI open to the Arduino devices and only allowing traffic to leave the WAN port to the company LAN if it's for the controlling server.

I've tried to apply the following rules:

echo "allow all router connections"
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT

echo "allow all ping"
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p icmp -m state --state ESTABLISHED,RELATED     -j ACCEPT

echo "allow all ntp (time)"
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED     -j ACCEPT

echo "allow dns"
iptables -A OUTPUT -p udp -d 10.80.91.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp -s 10.80.91.2 --sport 53 -m state --state ESTABLISHED     -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.80.91.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 10.80.91.2 --sport 53 -m state --state ESTABLISHED     -j ACCEPT

echo "allow webserver"
iptables -A OUTPUT -p tcp -d 10.80.91.2 --dport 80  -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 10.80.91.2 --sport 80  -m state --state ESTABLISHED     -j ACCEPT

echo "drop everything else"
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

Unfortunately, every time I reach "iptables -A INPUT -j DROP" I lose my telnet connection to the router, as if all the rules I've set before were being ignored.

It's my first time using iptables, and all the information I see online seems to indicate I'm doing it correctly.

The router is a Linksys E2000 with DD-WRT v24-sp2 (08/12/10) std-usb-ftp (SVN revision 14929).

Best Answer

You haven't allowed for established connections of the type you are using in the connection already. This is why when you add the last line the connection is broken.

You'd want a line like this:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This says that the firewall should permit connections that have already been made and are working. (i.e. passed all the other rules in the firewall.)

With that said, you'll also need a rule to permit ssh coming in such as:

iptables -A INPUT -s <source> -p tcp -m state --state NEW -m tcp --dport ssh -j ACCEPT

This tells the firewall to allow ssh connections to be started.

Hope this helps.

P.S. I would have to check but the "-P" lines (last three) you should not be using since I think they flush the tables. But I'd have to recheck it.
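The ordering point in the answer, worked through as a complete rule script. This is an added example, not code from the question or the answer: it puts one stateful ACCEPT at the top of each chain so the existing telnet (or ssh) session to the router is matched before the catch-all DROP, opens a single NEW rule for management from the LAN side, and restricts forwarded LAN-to-WAN traffic to the controlling server. The interface names br0 and vlan2 are assumptions (typical DD-WRT LAN bridge and WAN names), port 23 is assumed because the question mentions telnet, and forwarding only TCP/80 to 10.80.91.2 is an assumption based on the "allow webserver" rule in the question. The -P lines set each chain's default policy and flush nothing; -F is the flush. The script prints the rules by default and only applies them with --apply.

```shell
#!/bin/sh
# Added example, not the question's or answer's own rules. Assumed values:
SERVER="10.80.91.2"   # controlling server from the question
LAN_IF="br0"          # assumed DD-WRT LAN bridge interface
WAN_IF="vlan2"        # assumed DD-WRT WAN interface
MGMT_PORT="23"        # telnet as in the question; set 22 for ssh

# Emit the rules in the order they must be applied, one command per line.
# The ESTABLISHED,RELATED rules come before anything that could DROP the
# session used to run this script.
build_rules() {
  cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport $MGMT_PORT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -d $SERVER --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $SERVER --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $SERVER --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -d $SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Sanity check before applying: the stateful ACCEPT in INPUT must be listed
# before the catch-all DROP, otherwise the management session is cut off
# exactly as described in the question. Returns 0 when the order is right.
check_order() {
  rules=$(build_rules)
  est=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' | cut -d: -f1)
  drop=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j DROP' | cut -d: -f1)
  [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

# Usage: sh rules.sh          -> print the rules (dry run)
#        sh rules.sh --apply  -> refuse on bad order, otherwise run them as root
if [ "$1" = "--apply" ]; then
  check_order || { echo "refusing to apply: stateful ACCEPT is not before DROP" >&2; exit 1; }
  build_rules | sh -e
else
  build_rules
fi
```

On DD-WRT this belongs in the Administration > Commands "Firewall" script so it survives a reboot; note that the -F lines replace the stock DD-WRT rules in those chains, so anything the firmware added (for example its own NAT or remote-management rules) must be re-added here if it is still needed.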
