Tuesday, August 9, 2011

IPTABLES

First check whether the IP is already in your iptables rules:

iptables -nL | grep '<IP address>'

If the IP is listed in your iptables rules, delete it using the commands below:

iptables -L INPUT -n --line-numbers   (lists the rules with their line numbers)
iptables -D INPUT <line number>

Save the iptables rules: /etc/init.d/iptables save
Restart iptables: /etc/init.d/iptables restart
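The check-and-delete steps above, as an added example that is not part of the original post. Two details matter in practice: an unanchored `grep 203.0.113.7` also matches 203.0.113.70 (and the dots match any character), so the script compares the whole source/destination field instead; and rule numbers shift after every `-D`, so matching rules are deleted highest number first. The sample listing and the address 203.0.113.7 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: find every INPUT rule whose source
# or destination is a given IP and delete those rules, highest number first.
# Deleting from the top down would renumber the rules still to be deleted.

# Constructed sample of `iptables -L INPUT -n --line-numbers` output, so the
# parsing can be exercised without root or a live firewall.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       all  --  203.0.113.7          0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       tcp  --  203.0.113.7          0.0.0.0/0            tcp dpt:80
5    DROP       all  --  203.0.113.70         0.0.0.0/0'

# rule_numbers_for_ip LISTING IP
# Prints, highest first, the rule numbers whose source or destination column
# equals IP exactly. Comparing the whole field is what a plain
# `grep 203.0.113.7` does not do: it would also match 203.0.113.70.
rule_numbers_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 ~ /^[0-9]+$/ && ($5 == ip || $6 == ip) { print $1 }
    ' | sort -rn
}

# delete_rules_for_ip CHAIN IP
# Works on the live firewall; needs root. Each deletion is echoed so the change
# is visible in the shell history or session log.
delete_rules_for_ip() {
    chain="$1"; ip="$2"
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    listing=$(iptables -L "$chain" -n --line-numbers) || return 1
    for num in $(rule_numbers_for_ip "$listing" "$ip"); do
        echo "deleting $chain rule $num (matches $ip)"
        iptables -D "$chain" "$num" || return 1
    done
}

# Usage on the router, then persist the change as the post does:
#   delete_rules_for_ip INPUT 203.0.113.7 && /etc/init.d/iptables save
```

When the exact rule is known, deleting by specification (for example `iptables -D INPUT -s 203.0.113.7 -j DROP`) avoids the line-number bookkeeping entirely; the numbered form is what you need when the rule was added by something else and you only know the address.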


Other Features

These rules are written for a DD-WRT router: they act on the FORWARD chain (traffic passing through the router, not traffic to the router itself) and the logdrop and logaccept targets are chains that DD-WRT provides; on a stock Linux box those chains do not exist unless you create them.

Deny access to a specific IP address
iptables -I FORWARD -d 123.123.123.123 -j DROP

Deny access to a specific Subnet
iptables -I FORWARD -s 192.168.2.0/255.255.255.0 -j DROP

Deny access to a specific IP address range with Logging
iptables -I FORWARD -m iprange --src-range 192.168.1.10-192.168.1.13 -j logdrop

Deny access to a specific Outbound IP address with logging
iptables -I OUTPUT -d 239.255.255.250 -j logdrop

Block SMTP traffic except to specified hosts
/usr/sbin/iptables -I FORWARD 1 -p tcp -d safe.server1.com --dport 25 -j logaccept
/usr/sbin/iptables -I FORWARD 2 -p tcp -d safe.server2.com --dport 25 -j logaccept
/usr/sbin/iptables -I FORWARD 3 -p tcp --dport 25 -j logdrop


Block outgoing SMTP traffic except from specified hosts
iptables -I FORWARD 1 -p tcp -s 192.168.1.2 --dport 25 -j ACCEPT
iptables -I FORWARD 2 -p tcp -s 192.168.1.1/24 --dport 25 -j REJECT


Allow HTTP traffic only to specific domain(s)
iptables -I FORWARD 1 -p tcp -d dd-wrt.com --dport 80 -j ACCEPT
iptables -I FORWARD 2 -p tcp --dport 80 -j DROP


Block all traffic except HTTP HTTPS and FTP
iptables -I FORWARD 1 -p tcp -m multiport --dports 21,80,443 -j ACCEPT
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -j DROP
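The logdrop and logaccept targets in the rules above exist on DD-WRT but not on an ordinary Linux host, where iptables rejects a rule whose target chain is missing. The following added example (not from the original post or from DD-WRT) builds equivalent chains with a rate-limited LOG so that a flood of dropped packets cannot fill the syslog, then applies the "Block SMTP traffic except to specified hosts" policy using them. It assumes a stock Linux box; on DD-WRT itself the chains already exist and make_log_chain should not be called. The hostnames are the post's placeholders. Setting DRY_RUN=1 prints the commands instead of running them, which needs no root.

```shell
#!/bin/sh
# Added example, not from the original post or from DD-WRT: create logdrop and
# logaccept chains on a stock Linux box and apply the post's SMTP policy with them.
# Set DRY_RUN=1 to print each iptables command instead of executing it.

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# make_log_chain CHAIN VERDICT
# Builds a chain that logs at most 5 packets per minute (burst 10) with the
# chain name as prefix, then applies VERDICT (DROP or ACCEPT) to every packet.
# Idempotent: if -N fails because the chain exists, it is flushed and rebuilt.
make_log_chain() {
    chain="$1"; verdict="$2"
    ipt -N "$chain" 2>/dev/null || ipt -F "$chain"
    ipt -A "$chain" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "${chain}: " --log-level 4
    ipt -A "$chain" -j "$verdict"
}

# SMTP policy from the post: only the two relay hosts may be reached on port 25
# through the router; every other port-25 connection is logged and dropped.
# Hostnames are resolved once, when the rule is loaded, not per packet.
apply_smtp_policy() {
    make_log_chain logdrop DROP
    make_log_chain logaccept ACCEPT
    # Explicit positions 1, 2, 3 give the final order accept, accept, drop.
    # A plain -I (position 1) for each rule would put the drop rule first
    # and block the relays as well.
    ipt -I FORWARD 1 -p tcp -d safe.server1.com --dport 25 -j logaccept
    ipt -I FORWARD 2 -p tcp -d safe.server2.com --dport 25 -j logaccept
    ipt -I FORWARD 3 -p tcp --dport 25 -j logdrop
}

# Preview without root:   DRY_RUN=1 sh this_script.sh
# Apply for real (root):  apply_smtp_policy
```

The same make_log_chain call is all that the iprange and OUTPUT rules above need to work outside DD-WRT; the log prefix makes the dropped and accepted lines easy to separate in syslog.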


Port Forwarding to a specific LAN IP
Port forwarding can be set up from within the web interface. The very same thing can also be done, a bit differently (tested and working), from the command line. --u3gyxap: Example with port 443 and IP 192.168.1.2:
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 443 -j DNAT --to 192.168.1.2:443
iptables -I FORWARD -p tcp -d 192.168.1.2 --dport 443 -j ACCEPT

If you want to restrict the source IP (a question that is asked a lot on the forums), add -s 123.45.67.89 to one of your rules (replacing the IP address with the real one of course).
iptables -t nat -I PREROUTING -p tcp -s 123.45.67.89 -d $(nvram get wan_ipaddr) --dport 443 -j DNAT --to 192.168.1.2:443
iptables -I FORWARD -p tcp -d 192.168.1.2 --dport 443 -j ACCEPT

This should make it so only one IP address is able to access your forwarded port from the Internet.
In order for me to get this to work (v.24), I needed to put the "-s 123.45.67.89" in the "iptables -I FORWARD" command also. When it was in the PREROUTING command only, I was still able to access the internal resource from any IP address!
