How to block webinterface of my asus with iptables [Archive]

Bekijk de volledige versie : How to block webinterface of my asus with iptables

wmzyk

31-08-2009, 23:44

Hi
My post-firewall file is simple so far

#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p udp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 12000 -j ACCEPT
iptables -A INPUT -p tcp --dport 6112 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6112 -j DNAT --to-destinati
iptables -A INPUT -j DROP

could anyone help me add a line which blocks webinterface from wireless clinets and only webinterface

wpte

01-09-2009, 09:12

You used the command already once: "DROP"
usually port 80 is the webinterface... not sure what you have

anyway, just put "DROP" instead of "ACCEPT" and you have the code:

iptables -A INPUT -p tcp --dport 80 -j DROP
easy:)

your iptables look good btw;)
however, these portforwards:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6112 -j DNAT --to-destinati
are usually not needed when the service already runs on the ip-adress needed

wmzyk

01-09-2009, 14:33

You missunderstood me :)

iptables -A INPUT -p tcp --dport 12000 -j ACCEPT
ssh dropbear

iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:81

this should allow access from wan to my webserwer placed on asus apache

iptables -A INPUT -p tcp --dport 6112 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6112 -j DNAT --to-destination 192.168.1.2:6112
Warcraft part :)

Now i need to drop connections made from WLAN to webinterface of asus (still on port 80) but ofc i want to allow surfing web on those ones

Putting

iptables -A INPUT -p tcp -i eth2 --doprt 80 -d 192.168.1.1 -j DROP

doesnt change anything

wmzyk

03-09-2009, 13:34

Really no one can help me ? :confused:

wpte

05-09-2009, 00:07

Really no one can help me ? :confused:

Basicly what you want is that people on the wireless lan can't connect to the webinterface?
I'm still a bit unsure if that's possible, I need to overthink this:p