5/17/2023

Webmon dns login

    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I FORWARD -i br1 -p udp -j DROP
    iptables -I FORWARD -i br1 -p tcp -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br1 -p tcp -m multiport --dports 80,443 -j ACCEPT

I think that'll work but haven't tried it myself. The first two rules refuse all connections to the router itself except for DHCP and DNS. The last three rules will cause the router to refuse to forward all UDP datagrams (very popular with torrenters) and reject all but HTTP and HTTPS traffic. Note that a savvy torrenter can pretty easily get around this just by telling his torrent program to use port 80 or 443. It would probably be a good idea to implement either a bandwidth throttle on the br1 network or some kind of QOS rule to prohibit transferring more than a few megabytes per connection. I think Tomato has trouble doing QOS on anything but the main br0 VLAN, so you may need to make br0 your guest network.

Oh, and lastly, the order you and I gave is correct. As I recently learned in another thread, each time you insert a rule it appears in the first line unless you specify otherwise. So a "backwards" order is the correct one in which to add new rules.

    Tomato v MIPSR2-108 K26 USB
    # iptables --list
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere             LAYER7 l7proto irc
               all  --  anywhere             anywhere             recent: SET name: shlimit side: source
    DROP       all  --  anywhere             anywhere             recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    ACCEPT     tcp  --  anywhere             192.168.0.10         tcp multiport dports sip:sip-tls,3478
    ACCEPT     udp  --  anywhere             192.168.0.10         udp multiport dports sip:sip-tls,3478
    ACCEPT     udp  --  anywhere             192.168.0.10         udp multiport dports 5004,10000,16
    ACCEPT     tcp  --  anywhere             192.168.0.10         tcp dpt:5962
    ACCEPT     udp  --  anywhere             192.168.0.10         udp dpt:5962
    RETURN     all  --  anywhere             anywhere             LAYER7 l7proto shoutcast
    RETURN     all  --  anywhere             anywhere             LAYER7 l7proto rtmpt
    RETURN     all  --  anywhere             anywhere             LAYER7 l7proto rtmp
    RETURN     all  --  anywhere             anywhere             LAYER7 l7proto rtp
    RETURN     all  --  anywhere             anywhere             LAYER7 l7proto httpvideo
    RETURN     all  --  anywhere             anywhere             LAYER7 l7proto flash
    RETURN     all  --  anywhere             anywhere             LAYER7 l7proto youtube-2012
    RETURN     all  --  anywhere             anywhere             LAYER7 l7proto skypetoskype
    TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    shlimit    tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webcache
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1723
               all  --  anywhere             anywhere             account: network/netmask: 192.168.0.0/255.255.255.0 name: lan
               all  --  anywhere             anywhere             account: network/netmask: 192.168.192.0/255.255.255.0 name: lan1
    ACCEPT     udp  --  anywhere             anywhere             multiport dports domain,bootps
    DROP       all  --  anywhere             anywhere             state INVALID
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

(sorry for the lousy copy-paste job, I'm currently on my iPad)

Note: the 5 last rules are port redirections for SIP although I believe redirecting 5060 might be enough. I probably should dig more here, but that's off topic.

It's strange that there is no reference to the added rules although they are visible in the firewall script, isn't it?

    iptables -L -n -v --line-numbers
    Chain INPUT (policy DROP 0 packets, 0 bytes)
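As an added illustration (not code from the thread and not Tomato's firewall script), the following Python model reproduces the two points the reply makes: iptables evaluates a chain top to bottom and the first matching rule decides, and `-I` puts each new rule at position 1. It applies the four posted commands once in the posted ("backwards") order and once in the intuitive top-to-bottom order, then checks constructed guest-network packets against both results. The DROP policy on both chains, the probe packets and their ports, and the Rule/Chain/Packet classes are assumptions of the model, not facts from the thread.

```python
"""Toy model of iptables first-match evaluation and of `-I` (insert at top).
Constructed example: it does not touch netfilter and is not Tomato's script."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str                  # ingress interface, e.g. "br1" (guest bridge)
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                           # ACCEPT, DROP or REJECT
    in_if: Optional[str] = None           # -i
    proto: Optional[str] = None           # -p
    dports: FrozenSet[int] = frozenset()  # -m multiport --dports; empty = any

    def matches(self, pkt: Packet) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True

    def listing(self) -> str:
        """Roughly what `iptables -L` would print for this rule."""
        ports = ",".join(str(p) for p in sorted(self.dports))
        line = f"{self.target:7} {self.proto or 'all':4} -i {self.in_if or 'any':4}"
        return line + (f" dports {ports}" if ports else "")


@dataclass
class Chain:
    policy: str                           # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:
        """iptables -I CHAIN RULE: the new rule becomes rule number 1."""
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule wins; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# The four commands from the post, in the order they were issued.
POSTED_ORDER: List[Tuple[str, Rule]] = [
    ("INPUT",   Rule("ACCEPT", "br1", "udp", frozenset({53, 67}))),
    ("FORWARD", Rule("DROP",   "br1", "udp")),
    ("FORWARD", Rule("REJECT", "br1", "tcp")),
    ("FORWARD", Rule("ACCEPT", "br1", "tcp", frozenset({80, 443}))),
]
# The same commands typed "top to bottom" (most specific first).
NAIVE_ORDER = list(reversed(POSTED_ORDER))


def apply_inserts(commands) -> Dict[str, Chain]:
    """Build INPUT and FORWARD by issuing each command with -I. DROP policies assumed."""
    chains = {"INPUT": Chain("DROP"), "FORWARD": Chain("DROP")}
    for chain_name, rule in commands:
        chains[chain_name].insert(rule)
    return chains


def verdict(chains: Dict[str, Chain], chain_name: str, pkt: Packet) -> str:
    return chains[chain_name].verdict(pkt)


# Constructed guest-network traffic used to probe the resulting chains.
PROBES = [
    ("FORWARD", Packet("br1", "tcp", 443),  "guest -> HTTPS on the internet"),
    ("FORWARD", Packet("br1", "tcp", 22),   "guest -> SSH on the internet"),
    ("FORWARD", Packet("br1", "udp", 6881), "guest -> UDP (e.g. a tracker)"),
    ("INPUT",   Packet("br1", "udp", 53),   "guest -> router DNS"),
    ("INPUT",   Packet("br1", "tcp", 80),   "guest -> router web UI"),
]


def probe_all(chains: Dict[str, Chain]) -> Dict[str, str]:
    return {label: verdict(chains, c, p) for c, p, label in PROBES}


if __name__ == "__main__":
    for name, order in (("posted (backwards) order", POSTED_ORDER),
                        ("naive top-to-bottom order", NAIVE_ORDER)):
        chains = apply_inserts(order)
        print(f"== {name}: FORWARD chain as listed ==")
        for rule in chains["FORWARD"].rules:
            print("  " + rule.listing())
        for label, v in probe_all(chains).items():
            print(f"  {v:7} {label}")
```

Issued in the posted order, the FORWARD chain ends up as ACCEPT 80,443 / REJECT tcp / DROP udp and guest HTTPS is forwarded; issued in the naive order, the blanket REJECT sits above the ACCEPT and guest HTTPS is reset, which is the failure the reply warns about.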