Author Topic: Recommendations for firewall

Offline petdoctors

  • Jr. Member
  • Posts: 7
Recommendations for firewall
« on: September 26, 2006, 09:55:58 am »
Hi Guys

1. Worldspot is looking good - thanks to the developers and supporters </praise>

2. As a trial we are going to put our (Asus WL500G Premium) router behind a Draytek ADSL gateway/router, so it's on the office network which is not ideal.

I am looking for suggestions on setting up access restrictions so that users of the hotspot cannot see the Windows-based machines on the office network - looking down the list of what you can add to 'blocked services' I'd initially go for NETBIOS and SMB, plus port 8080 (web interface for the ADSL router), but will this affect 'normal operation' of chillispot etc.? Any ideas on other ports to block?

Also, if I add 'SMB' or NETBIOS to the list, they show the blocked ports as '0 ~ 0'. Is this OK because they are pre-defined services in the router, or should I 'correct' this?

Thanks

Offline pelsen

  • Jr. Member
  • Posts: 11
Re: Recommendations for firewall
« Reply #1 on: September 26, 2006, 10:01:40 am »
2. Could VLAN be the thing here? Have the same issue myself.

Offline petdoctors

  • Jr. Member
  • Posts: 7
Re: Recommendations for firewall
« Reply #2 on: September 26, 2006, 10:22:05 am »
2. Could VLAN be the thing here? Have the same issue myself.

Good thinking - will need to do some reading - not sure if you can have a vlan between the two routers though - only between the outside world router (Draytek) and another location over the Internet?

Any tips on this - anyone!?

Offline WorldSpot

  • Administrator
  • Hero Member
  • Posts: 1942
Re: Recommendations for firewall
« Reply #3 on: September 26, 2006, 10:40:42 am »
A simple iptables rule to reject access to any 192.168.x.x or 10.x.x.x address will work.
But I don't know how to do it in dd-wrt.
I think that these rules are stored in nvram variables that you can dump and save in administration / commands.
The dd-wrt wiki/forum will help you more than me.

If you have the solution, it would be cool to post it here.

Are any of you interested in a worldspot wiki?

Offline petdoctors

  • Jr. Member
  • Posts: 7
Re: Recommendations for firewall
« Reply #4 on: September 26, 2006, 10:44:06 am »
A simple iptables rule to reject access to any 192.168.x.x or 10.x.x.x address will work.
But I don't know how to do it in dd-wrt.
I think that these rules are stored in nvram variables that you can dump and save in administration / commands.
The dd-wrt wiki/forum will help you more than me.

If you have the solution, it would be cool to post it here.

Are any of you interested in a worldspot wiki?

Yep - I am new to iptables, so I will have to have a look - I guess I'd block access to all IP addresses on the office network except the router (192.168.101.150).

Thanks


Offline WorldSpot

  • Administrator
  • Hero Member
  • Posts: 1942
Re: Recommendations for firewall
« Reply #6 on: September 26, 2006, 01:08:24 pm »
I think that part of the response can be found in this post:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=3714

and more precisely here:
http://startu.net/chilli/setup.html

I don't think you need to follow the entire procedure. (I think it is outdated and too complex...)
I don't know iptables either. But these lines seem to be interesting:
Code:
IPTABLES=/usr/sbin/iptables   # assumed: the original script sets this variable earlier to the iptables binary path
$IPTABLES -t nat -A POSTROUTING -o vlan1  -s 192.168.0.0/16 -j MASQUERADE

$IPTABLES -A INPUT  -i lo  -m state --state NEW  -j ACCEPT 
$IPTABLES -A OUTPUT  -o lo  -m state --state NEW  -j ACCEPT 
echo "Rule 0 (tun0)"

$IPTABLES -N Cid44F4A009.0
$IPTABLES -A INPUT  -i tun0  -d 255.255.255.255  -m state --state NEW  -j Cid44F4A009.0 
$IPTABLES -A Cid44F4A009.0  -p udp -m udp  -m multiport  --dports 68,67  -j ACCEPT 
$IPTABLES -N Cid44F4A009.1
$IPTABLES -A OUTPUT  -o tun0  -d 255.255.255.255  -m state --state NEW  -j Cid44F4A009.1 
$IPTABLES -A Cid44F4A009.1  -p udp -m udp  -m multiport  --dports 68,67  -j ACCEPT 
$IPTABLES -N Cid44F4A009.2
$IPTABLES -A FORWARD  -o tun0  -d 255.255.255.255  -m state --state NEW  -j Cid44F4A009.2 
$IPTABLES -A Cid44F4A009.2  -p udp -m udp  -m multiport  --dports 68,67  -j ACCEPT 
echo "Rule 1 (tun0)"

$IPTABLES -N Cid44F49FBE.0
$IPTABLES -A INPUT  -i tun0  -s 192.168.182.0/24  -m state --state NEW  -j Cid44F49FBE.0 
$IPTABLES -A Cid44F49FBE.0  -p tcp -m tcp  --dport 53  -j ACCEPT 
$IPTABLES -A Cid44F49FBE.0  -p udp -m udp  --dport 53  -j ACCEPT 
$IPTABLES -N Cid44F49FBE.1
$IPTABLES -A FORWARD  -i tun0  -s 192.168.182.0/24  -m state --state NEW  -j Cid44F49FBE.1 
$IPTABLES -A Cid44F49FBE.1  -p tcp -m tcp  --dport 53  -j ACCEPT 
$IPTABLES -A Cid44F49FBE.1  -p udp -m udp  --dport 53  -j ACCEPT 
echo "Rule 2 (tun0)"

$IPTABLES -A INPUT  -i tun0  -s 192.168.182.0/24  -d 192.168.182.255  -m state --state NEW  -j ACCEPT 
$IPTABLES -A INPUT  -i tun0  -s 192.168.182.0/24  -d 192.168.182.1  -m state --state NEW  -j ACCEPT 
echo "Rule 3 (tun0)"

$IPTABLES -N Cid44F49FF3.0
$IPTABLES -A INPUT  -i tun0  -s 192.168.182.0/24  -j Cid44F49FF3.0 
$IPTABLES -A Cid44F49FF3.0   -d 10.0.0.0/8  -j DROP 
$IPTABLES -A Cid44F49FF3.0   -d 192.168.0.0/16  -j DROP 
$IPTABLES -A Cid44F49FF3.0   -d 172.16.0.0/12  -j DROP 
$IPTABLES -N Cid44F49FF3.1
$IPTABLES -A FORWARD  -i tun0  -s 192.168.182.0/24  -j Cid44F49FF3.1 
$IPTABLES -A Cid44F49FF3.1   -d 10.0.0.0/8  -j DROP 
$IPTABLES -A Cid44F49FF3.1   -d 192.168.0.0/16  -j DROP 
$IPTABLES -A Cid44F49FF3.1   -d 172.16.0.0/12  -j DROP 
echo "Rule 5 (tun0)"

$IPTABLES -N Cid44F4A041.0
$IPTABLES -A INPUT  -i tun0  -s 192.168.182.0/24  -m state --state NEW  -j Cid44F4A041.0 
$IPTABLES -A Cid44F4A041.0  -p icmp  -m icmp  --icmp-type 8/0   -j ACCEPT 
$IPTABLES -A Cid44F4A041.0  -p tcp -m tcp  --dport 5222:5223  -j ACCEPT 
$IPTABLES -A Cid44F4A041.0  -p tcp -m tcp  -m multiport  --dports 22,80,443,5060,143,993,110,995,1812  -j ACCEPT 
$IPTABLES -A Cid44F4A041.0  -p udp -m udp  --dport 5000:5020  -j ACCEPT 
$IPTABLES -A Cid44F4A041.0  -p udp -m udp  --dport 8000:8020  -j ACCEPT 
$IPTABLES -A Cid44F4A041.0  -p udp -m udp  --dport 5060  -j ACCEPT 
$IPTABLES -N Cid44F4A041.1
$IPTABLES -A FORWARD  -i tun0  -s 192.168.182.0/24  -m state --state NEW  -j Cid44F4A041.1 
$IPTABLES -A Cid44F4A041.1  -p icmp  -m icmp  --icmp-type 8/0   -j ACCEPT 
$IPTABLES -A Cid44F4A041.1  -p tcp -m tcp  --dport 5222:5223  -j ACCEPT 
$IPTABLES -A Cid44F4A041.1  -p tcp -m tcp  -m multiport  --dports 22,80,443,5060,143,993,110,995,1812  -j ACCEPT 
$IPTABLES -A Cid44F4A041.1  -p udp -m udp  --dport 5000:5020  -j ACCEPT 
$IPTABLES -A Cid44F4A041.1  -p udp -m udp  --dport 8000:8020  -j ACCEPT 
$IPTABLES -A Cid44F4A041.1  -p udp -m udp  --dport 5060  -j ACCEPT 
echo "Rule 6 (tun0)" 
From what I understand (again, I don't know iptables at all):
rule 0: don't know (nat?)
rule 1: seems to be dhcp related
rule 2: accept all dns accesses (to the external router for example)
rule 3: ?
rule 4 and 5: is what you ask for.
rule 6: limits chillispot users' port usage.

I repeat, I haven't tested all this!!

The firewall script seems to be stored in the rc_firewall nvram variable.
But it will be erased any time you change a firewall setting.

The other simple solution is to replace your external router by DD-WRT and have all your existing network connected to the dd-wrt lan ports.
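An added example, not from this thread or from DD-WRT, of the rule set the posts above converge on: a small POSIX shell script that prints the iptables commands for the Administration / Commands page, isolating ChilliSpot clients on tun0 from the office LAN while still letting them resolve DNS through the gateway (so the Draytek's port 8080 web interface, SMB and NETBIOS are all unreachable from the hotspot). The interface name, the 192.168.182.0/24 hotspot subnet (taken from the quoted script), the office subnet 192.168.101.0/24 and the gateway 192.168.101.1 are assumptions set at the top.

```shell
#!/bin/sh
# Example rc_firewall generator for a DD-WRT/ChilliSpot hotspot (hypothetical).
# It prints the iptables commands instead of running them, so the rules can be
# reviewed or pasted into Administration / Commands before anything changes.
# All interface names and subnets below are assumptions for this example.
HOTSPOT_IF=${HOTSPOT_IF:-tun0}                  # ChilliSpot tunnel interface
HOTSPOT_NET=${HOTSPOT_NET:-192.168.182.0/24}    # hotspot client subnet
OFFICE_NET=${OFFICE_NET:-192.168.101.0/24}      # office LAN behind the Draytek
GATEWAY=${GATEWAY:-192.168.101.1}               # ADSL gateway on the office LAN
CHAIN=HOTSPOT_ISOLATE

build_rules() {
  cat <<EOF
iptables -N $CHAIN
iptables -F $CHAIN
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -d $GATEWAY -p udp --dport 53 -j ACCEPT
iptables -A $CHAIN -d $GATEWAY -p tcp --dport 53 -j ACCEPT
iptables -A $CHAIN -d $OFFICE_NET -m limit --limit 5/min -j LOG --log-prefix "HOTSPOT-DROP: "
iptables -A $CHAIN -d $OFFICE_NET -j DROP
iptables -A $CHAIN -d 10.0.0.0/8 -j DROP
iptables -A $CHAIN -d 172.16.0.0/12 -j DROP
iptables -A $CHAIN -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 1 -i $HOTSPOT_IF -s $HOTSPOT_NET -j $CHAIN
EOF
}
# Notes on the order: replies to already-allowed flows are accepted first; only
# DNS to the gateway is allowed into the office subnet; everything else headed
# for the office LAN is logged (rate limited) and dropped, and the remaining
# RFC 1918 ranges are dropped as well, which also stops hotspot clients from
# being forwarded to each other. The jump is inserted at the top of FORWARD so
# it runs before any rules ChilliSpot or the DD-WRT GUI add later.

# Number of DROP rules the generated policy contains (used as a sanity check).
drop_rule_count() {
  build_rules | grep -c -- '-j DROP'
}

# Only apply when explicitly asked; the default is a dry run that prints rules.
if [ "$1" = "--apply" ]; then
  build_rules | sh
else
  build_rules
fi
```

Because rc_firewall is wiped whenever a firewall setting changes in the GUI, as the post above notes, keep this script outside the router and re-run it (or save the dry-run output) after every GUI change.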

Offline petdoctors

  • Jr. Member
  • Posts: 7
Re: Recommendations for firewall
« Reply #7 on: September 27, 2006, 08:34:32 am »
Hi again,

I am on a steep learning curve with IPtables/chains etc. and would appreciate some help

With the GUI interface that's built into DD-WRT V23SP2, is it possible to set up a rule so that all wlan users cannot access IP addresses in the range 192.168.101.2 - 192.168.101.254, which covers all the computers on our office LAN, the LAN that also hosts the ADSL gateway on 192.168.101.1?

Ta

Offline WorldSpot

  • Administrator
  • Hero Member
  • Posts: 1942
Re: Recommendations for firewall
« Reply #8 on: September 27, 2006, 10:50:02 pm »
Not in the GUI, I think.
You need iptables for this.