
A bit lost with DD-WRT here... It's actually straight-up iptables, but I can't figure it out. All I need to do is:

  1. Block ALL outgoing connections on ALL ports, except 80 and 443.
  2. Block ALL incoming connections -- nobody should be able to connect in.

Any help, links, or clues would be most appreciated. Thank you!

ezuk

1 Answer

This does what you ask for. I assume you can connect via serial, or you will effectively be locking yourself out. Nobody can make incoming connections, not even you. I have set the FORWARD chain to DROP; change that to match your needs.


:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $ip -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT

Replace $ip with the source IP you will be connecting from. Of course, if you are working with zones, the configuration is totally different.

dawud
  • First of all, thank you! Second, is there a way to do this without locking myself out? Allow connection to the admin panel from a specific IP within the local subnet (192.168.0.16, say)? – ezuk May 02 '13 at 08:42
  • @ezuk I have added an `INPUT` rule to allow incoming traffic from a configurable source IP. – dawud May 02 '13 at 09:45
  • Not that much, there were two important rules missing, please check the last edition to the answer – dawud May 02 '13 at 14:17
  • And you probably want your router to `FORWARD` traffic – dawud May 02 '13 at 14:49
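An added audit script (not from the answer, and not DD-WRT's own code) that checks an iptables-save dump against the two requirements in the question: INPUT and OUTPUT default to DROP, no INPUT rule accepts NEW connections without a source restriction, and OUTPUT accepts NEW connections only to TCP 80/443. The embedded ruleset is a constructed sample: the answer's rules with $ip set to the 192.168.0.16 admin host mentioned in the comments and the *filter header that iptables-restore needs.

```python
import shlex
# Constructed sample: the answer's ruleset with $ip set to the LAN admin host from the
# comments (192.168.0.16) and the *filter header that iptables-restore requires.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.16 -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
"""
ALLOWED_OUT_PORTS = {"80", "443"}

def _opts(tokens):
    """Map each -x/--xx option of a rule to the value following it ('' for bare flags)."""
    return {t: ("" if i + 1 == len(tokens) or tokens[i + 1].startswith("-") else tokens[i + 1])
            for i, t in enumerate(tokens) if t.startswith("-")}

def audit(rules_text):
    """Return findings against the two requirements; an empty list means they are met."""
    findings, policies = [], {}
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith(":"):  # chain policy line, e.g. ':INPUT DROP [0:0]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            tok = shlex.split(line)
            chain, o = tok[1], _opts(tok)
            states = set(filter(None, o.get("--ctstate", "").split(",")))
            # A rule with no ctstate match also applies to NEW connections.
            if o.get("-j") != "ACCEPT" or (states and "NEW" not in states):
                continue
            if chain == "INPUT" and "-s" not in o:
                findings.append("INPUT accepts NEW connections from any source: " + line)
            if chain == "OUTPUT":
                ports = set(filter(None, o.get("--dports", o.get("--dport", "")).split(",")))
                if not ports or not ports <= ALLOWED_OUT_PORTS:
                    findings.append("OUTPUT accepts NEW connections outside 80/443: " + line)
    for chain in ("INPUT", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, not DROP")
    return findings
```

Feed it the output of `iptables-save` after loading the rules; it judges each rule on its own and does not model rule order, so a permissive rule that happens to sit below a final DROP is still reported.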