linksys wrt54gl, tomato firmware, iptables problem denying access from ip2ip

sys7em · 04-26-2010, 11:09 AM

Hello all,

I have rather silly problem here. I have successfully flashed my brand new linksys wrt54gl router with the latest tomato firmware.

Now I need to make ips 192.168.1.2-192.168.1.99 to NOT have access to ips 192.168.1.100-192.168.1.199 on my local network. I know it's something with the FORWARD chain in the iptables rules, but I do not have the knowledge of iptables to make it yet.

Can someone help me out?

Something like that maybe?:

iptables -A FORWARD -s 192.168.1.2-192.168.1.99 -d 192.168.1.100-192.168.1.199 -j DROP

Thanks in advance.

SuperJediWombat! · 04-27-2010, 03:55 AM

You need the 'iprange' module for iptables.

Code:

iptables -A FORWARD -m iprange  --src-range 192.168.1.2-192.168.1.99  --dst-range 192.168.1.100-192.168.1.199 -j DROP
iptables -A FORWARD -m iprange  --src-range 192.168.1.100-192.168.1.199 --dst-range 192.168.1.2-192.168.1.99 -j DROP

SuperJediWombat! · 04-27-2010, 03:59 AM

Acctualy, I'm not sure if that will work on a WRT54G. I think that the 4 ethernet ports are actually on an internal switch. If that is the case then you will not be able to filter port to port packets as the traffic will not go through netfilter/iptables.

TimothyEBaldwin · 04-27-2010, 02:23 PM

The switch may get confused if you try software bridge the VLAN, it depends on if it has separate forwarding tables for each VLAN. That will also be slow.

WRT54Gs typically run Linux 2.4 due to the historic lack of an open source wifi driver, bridge netfilter support was introduced later. I believe the wifi driver bridges packet internally, so that would be another problem.

You should however be able to use it as a routing firewall.

Edit:Software bridging does in fact work on my WRT54GS v4, and wire to wire bridging firewall works, wireless to wireless fire-walling doesn't work in dd-wrt.