How to block everything except one Port from the internet?

[Einar]

Hi there,

I am running Merlin Firmware 378.53, I would like to block one PC from the internet except port 443.
I am not sure how to do this. Any recommendations are welcome.

Cheers

 

[Einar]

So far I tried :
source IP 10.0.1.4 Port Range 1:442 Destination IP (left blank) Port 1:442 TCP ALL

I did the same for UDP

But it is not working, I have ohter devices where I blocked all Ports and that is working.

 

[ColinTaylor]

I presume you're talking about the Network Services Filter?

Are you creating a blacklist or a whitelist?

Update: Just re-read your post and you're using a blacklist.

Try using TCP instead of TCP ALL.

 

[Einar]

Yes its the Network Service Filter, I am creating a black list

 

[ColinTaylor]

Try using TCP instead of TCP ALL.

 

[ColinTaylor]

Also, source port range should be blank.

 

[Einar]

I tried that, and updated the router to the latest Firmware .55, it is still not working.
The computer is a VM but this should not make any difference.

 

[ColinTaylor]

The computer is a VM but this should not make any difference.

That depends on how your VM has its network interface defined.

You are trying to block 10.0.1.4 which makes me think that the VM's NIC is NAT'ed onto your real LAN (typically 192.168.1.x). If this is the case then the blocking won't work because the router will be seeing a NAT'ed 192 address, not your virtual 10 address.

 

[Einar]

Thanks for the answer, after some googling this seems to be the reason why it is not working.

It is configured as a bridged network interface, the host is in the same network it has the ip 10.0.1.22, the VM needs to be accessible from the lan.

I think I have to get a second network interface for the host and tell the VM to brigde with that interface and set the Network Services Filter for that new ip address.

 

[ASAT]

The WebUI will create iptables rules, like this. Drop all non-TCP. And then drop all TCP that is not port 443.

iptables -I FORWARD -s 10.0.1.22 -p tcp ! --dport 443 -j DROP
iptables -I FORWARD -s 10.0.1.22 ! -p tcp -j DROP

How to undo it:

iptables -D FORWARD -s 10.0.1.22 -p tcp ! --dport 443 -j DROP
iptables -D FORWARD -s 10.0.1.22 ! -p tcp -j DROP

To see what iptables rules the WebUI is actually creating, type the following shell command into a SSH or telnet session:

iptables -L -n

I think the VM needs an IP on the router LAN. So you may need to give it one.

 

[ColinTaylor]

OK Einar. Let us know how you get on.

It is configured as a bridged network interface, the host is in the same network it has the ip 10.0.1.22, the VM needs to be accessible from the lan.

I would have thought this would have worked as it is bridged. It might be worth testing the network services filter against a physical PC on your network just to confirm the problem is with the VM and not the filter rules.

 

[ColinTaylor]

Hi Einar.

Just to follow up. I've just tried setting this up on my network and it works fine.

I have a VM running under VirtualBox with its network adapter set as "Bridged Adapter". It has an IP address of 192.168.1.208 (my LAN is 192.168.1.x).

In network services filter I have 2 rules as follows:

Source IP = 192.168.1.208
Destination Port Range = 1:442
Protocol = TCP

Source IP = 192.168.1.208
Destination Port Range = 444:65535
Protocol = TCP

Edit: Just to be sure I've just tried the same thing with a machine running under VMware (Network Adapter = Bridged (Automatic)) and that works fine as well.

 

[Einar]

I tried ASAT's tip and it is working fine.

That is my iptables -L -n output, when I was trying with the WebUI:

DROP tcp -- 10.0.1.4 0.0.0.0/0 tcp dpts:444:65535

DROP tcp -- 10.0.1.4 0.0.0.0/0 tcp dpts:1:442

and that's the output when I insert the rules manual:

DROP !tcp -- 10.0.1.4 0.0.0.0/0

DROP tcp -- 10.0.1.4 0.0.0.0/0 tcp dpt:!443

I tried it before like you did Colin, but without success, may be you can show me you iptables -L -n output to compare it with mine.

Now I have to add these two rules to a start up script, so they will be preserved after a reboot.
I think I have seen a documentation for this in the readme.

Thanks for your help guys!

 

[ColinTaylor]

I tried it before like you did Colin, but without success, may be you can show me you iptables -L -n output to compare it with mine.

Here's my output from "iptables -L -n -v".

Note the "-v" option which shows interface information as well, otherwise the output can be confusing. I've separated out the 3 lines that the GUI added.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state INVALID
18002   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  br0    eth0    192.168.1.208        0.0.0.0/0           tcp dpts:1:442
    0     0 DROP       tcp  --  br0    eth0    192.168.1.208        0.0.0.0/0           tcp dpts:444:65535

   42  2116 ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0