Phoenix3434
Jul 1st, 2012, 11:34 AM
Hey guys. I need some clarification from the following guide under the "Restricting Access" section:
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
I am just playing around with DD-WRT router to set up a guest network that is separate from the main network. I just entered the following commands from the full list below:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
I don't understand why I need the other commands.. For example: "Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)". What the heck does this mean. Could you guys please provide more details as to what each command does (as in elaborate on the "#" descriptions)? Having trouble understanding the purpose of each command based on the brief descriptions. My network knowledge is not really the best. Thanks.
#Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
#Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Restrict br1 from accessing br0 (do not use on WAP's)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
#Restrict br0 from accessing br1
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
#Restrict br1 from accessing the WAN port (no internet access!)
iptables -I FORWARD -i br1 -o `get_wanface` -j DROP
#Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Restrict br1 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
#Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
I am just playing around with DD-WRT router to set up a guest network that is separate from the main network. I just entered the following commands from the full list below:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
I don't understand why I need the other commands.. For example: "Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)". What the heck does this mean. Could you guys please provide more details as to what each command does (as in elaborate on the "#" descriptions)? Having trouble understanding the purpose of each command based on the brief descriptions. My network knowledge is not really the best. Thanks.
#Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
#Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Restrict br1 from accessing br0 (do not use on WAP's)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
#Restrict br0 from accessing br1
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
#Restrict br1 from accessing the WAN port (no internet access!)
iptables -I FORWARD -i br1 -o `get_wanface` -j DROP
#Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Restrict br1 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
#Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT