ACCEPT/DENY

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
thelawnet
Newbie
Posts: 4
Joined: Wed Jun 09, 2010 11:49 pm

ACCEPT/DENY

Post by thelawnet » Wed Jan 25, 2012 2:52 pm

Hi,

I have a device behind my routertech router with IP address IP_1

I would like to block traffic from IP_1 to all IPs except for IP_2.

Is this possible?
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: ACCEPT/DENY

Post by thechief » Wed Jan 25, 2012 10:13 pm

Looks like an interesting problem. I am no networking expert, but it may be possible (if you are referring to LAN ip addresses) by having separate VLANs (if your router's switch is supported to that level - which would only point to a Marvell 88E6060 switch on "standard" firmwares). Otherwise, you may be able to achieve this with appropriate iptables commands (which I couldn't begin to speculate on).
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.

Re: ACCEPT/DENY

Post by thechief » Thu Jan 26, 2012 12:55 pm

thelawnet wrote:I would like to block traffic from IP_1 to all IPs except for IP_2.
Try this (from a telnet session) -

# INPUT: traffic addressed to the router itself
iptables -A INPUT -p tcp -s $IP_1 -d ! $IP_2 -j REJECT
# FORWARD: traffic routed through the router (LAN host to WAN / other LAN group)
iptables -A FORWARD -p tcp -s $IP_1 -d ! $IP_2 -j REJECT
# OUTPUT: traffic generated by the router itself
iptables -A OUTPUT -p tcp -s $IP_1 -d ! $IP_2 -j REJECT
# Note: "-d ! addr" is the old (intrapositioned) negation syntax; newer iptables
# releases expect "! -d addr" instead.
Obviously you have to provide the correct ip addresses for IP_1 and IP_2.

PS: I am not sure that the 3rd iptables command (OUTPUT) is necessary (or desirable).
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: ACCEPT/DENY

Post by mstombs » Fri Jan 27, 2012 9:40 am

To back up thechief, if both devices are on your LAN the router switch may connect them effectively in hardware, so traffic won't touch the Linux kernel or the iptables filtering rules you configured. When devices are in the same LAN group (Wireless LAN to Ethernet LAN, for example) there's also a software bridge which joins them, requiring specific bridge filter rules, so iptables also won't work. When separated into VLANs (LAN groups) on supported switches, the connections are made by the Linux kernel, so iptables filtering should apply.

Just the second FORWARD command should be enough, unless it's the router itself you want to block - INPUT refers to connections to the router itself, such as the web interface or other daemon services on the router. "-A" adds the rule to whatever is already there; to be sure your new block rule prevents something else ACCEPTing the connection first, I suggest you try "-I" to insert the rule at the top.
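Added example (not from any poster in this thread, and not RouterTech firmware code): a small Python model of first-match chain evaluation that shows why mstombs' two points matter. A pre-existing ACCEPT rule for the whole LAN subnet is assumed in the FORWARD chain (typical of router firmware), and the addresses 192.168.1.50 (IP_1), 192.168.1.1 (IP_2) and 203.0.113.7 are constructed for the demo. It also renders the thread's block rule with the newer "! -d" negation syntax, and shows the caveat that a "-p tcp" rule leaves UDP and ICMP from IP_1 unfiltered.

```python
# Added example: first-match model of an iptables chain, to show why "-I" (insert
# at top) works where "-A" (append after an existing ACCEPT) silently does not.
# The existing chain contents and all addresses below are constructed for the demo.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT / REJECT / DROP (-j)
    proto: Optional[str] = None    # "tcp", "udp", ... or None for any (-p)
    src: Optional[str] = None      # address or CIDR, None = any (-s)
    dst: Optional[str] = None      # address or CIDR, None = any (-d)
    dst_negated: bool = False      # True models "! -d"

    def matches(self, proto: str, src: str, dst: str) -> bool:
        """Return True if a packet (proto, src, dst) is matched by this rule."""
        if self.proto is not None and self.proto != proto:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None:
            in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst, strict=False)
            # With "! -d" the rule matches only when the destination is NOT in the set.
            if in_dst == self.dst_negated:
                return False
        return True

    def as_iptables(self, chain: str, insert: bool) -> str:
        """Render the rule as an iptables command using extrapositioned negation."""
        parts = ["iptables", "-I" if insert else "-A", chain]
        if self.proto:
            parts += ["-p", self.proto]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            if self.dst_negated:
                parts.append("!")
            parts += ["-d", self.dst]
        parts += ["-j", self.target]
        return " ".join(parts)


def verdict(chain, proto: str, src: str, dst: str, policy: str = "ACCEPT") -> str:
    """The first matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(proto, src, dst):
            return rule.target
    return policy


def append(chain, rule):
    return list(chain) + [rule]          # iptables -A: goes after existing rules


def insert(chain, rule):
    return [rule] + list(chain)          # iptables -I (no rulenum): goes to the top


IP_1 = "192.168.1.50"                    # constructed: the host to restrict
IP_2 = "192.168.1.1"                     # constructed: the only allowed destination
# Constructed: a firmware-installed rule that already ACCEPTs everything from the LAN.
EXISTING_FORWARD = [Rule(target="ACCEPT", src="192.168.1.0/24")]
BLOCK = Rule(target="REJECT", proto="tcp", src=IP_1, dst=IP_2, dst_negated=True)


def demo() -> dict:
    """Evaluate representative packets against the appended and inserted chains."""
    appended = append(EXISTING_FORWARD, BLOCK)
    inserted = insert(EXISTING_FORWARD, BLOCK)
    other = "203.0.113.7"                # constructed: some destination that is not IP_2
    return {
        "append_tcp_other": verdict(appended, "tcp", IP_1, other),    # ACCEPT: never reached
        "insert_tcp_other": verdict(inserted, "tcp", IP_1, other),    # REJECT: rule is first
        "insert_tcp_allowed": verdict(inserted, "tcp", IP_1, IP_2),   # ACCEPT: IP_2 exempt
        "insert_other_host": verdict(inserted, "tcp", "192.168.1.51", other),  # ACCEPT
        "insert_udp": verdict(inserted, "udp", IP_1, other),          # ACCEPT: -p tcp only
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print(BLOCK.as_iptables("FORWARD", insert=True))
```

The "insert_udp" case is the caveat to keep in mind: the thread's rules restrict TCP only, so dropping "-p tcp" (or adding matching rules for udp and icmp) is needed if IP_1 should really reach nothing but IP_2. As mstombs notes, none of this applies if the two hosts are switched or bridged together, since those packets never enter the FORWARD chain.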