Iptables command
From DD-WRT Wiki

Iptables is a powerful administration tool for IPv4 packet filtering and NAT. It is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

Iptables commands can be entered at the command line interface and/or saved as a Firewall script in the DD-WRT Administration panel. I tend to recommend testing and confirming your rules at the command line first. This way, if you happen to make a big mistake (like blocking access to the router), simply rebooting the router should repair it rather than having to do a hard reset. To get your rules to survive a reboot of the router, save them in a Firewall script as just mentioned.

I think we should have something about Firewall Builder on this page, since they're kind of related...

Basic Usage

Commands

Options

Interfaces

When using -i or -o to define the physical interfaces, remember that by default:

  • vlan0 is the 4 LAN ports (K24 only)
  • vlan1 is the WAN port (K24 only) or the 4 LAN ports (K26 and K3.x) (ppp0 is the WAN interface when PPPoE is used)
  • vlan2 is the WAN port (K26 and K3.x)
  • eth1 is the WiFi
  • eth2-3 are the WiFi (dual-radio routers)
  • br0 is a bridge connecting the 4 LAN ports and the WiFi together

Note: ppp0 is the WAN interface when PPPoE is used. It is also used for PPTP VPN connections. This information is from the IPv6 page and quoted here: 'The detailed configuration steps are targeted toward users with a basic DHCP connection for the WAN part. So, using PPPoE will require replacing vlan1 with ppp0 in each instance. Other connection types will vary.'

Tip: To list the network interfaces on the router use 'ifconfig' on the command line.

Tables, Chains, and Targets

Tables

The main tables we are concerned with are the 'filter' table and the 'nat' table. To list the contents of either table, do

The filter table is the default and contains chains such as INPUT, OUTPUT, and FORWARD. The nat table is for Network Address Translation and contains the PREROUTING and POSTROUTING chains.

Chains

INPUT is for packets destined to or entering the router's local sockets.

OUTPUT is for packets sourced from or leaving the router's local sockets.

FORWARD is for packets being forwarded through the router (i.e. packets not destined for the router's own local sockets).

PREROUTING is for manipulating packets before they are routed.

POSTROUTING is for manipulating packets after they are routed.

Targets

ACCEPT - packets are accepted/allowed

DROP - packets are dropped/denied (Router does NOT send a response back)

REJECT - packets are rejected/denied (Router DOES send a response back)

logaccept - packets are accepted and logged to /tmp/var/log/messages

logdrop - packets are dropped and logged to /tmp/var/log/messages

logreject - packets are rejected and logged to /tmp/var/log/messages

DNAT is for altering a packet's destination address.

SNAT is for altering a packet's source address.

TRIGGER - dynamically redirect input ports based on output traffic (aka port triggering)

TRIGGER Target Options

The TRIGGER target has additional options, which must appear immediately after it on the command line.

Examples

I think examples are the best way to demonstrate the use of iptables. (Take note, chains are to be typed in caps as shown!)

Listing the rules in a chain

First I want to view the rules on my INPUT chain; this is the first chain that traffic coming into my router will hit.

You will find that listing many rules is really slow after you enter the above iptables command, because it does reverse DNS lookups to convert IP addresses to host names. Add the -n option to see numerical addresses only. Note: '0.0.0.0/0' = 'anywhere' (any IP address), and '0' prot = 'any' protocol.

To get a more detailed list with actual IP numbers and packet counts for each rule, do this.

Please always use -vnL when troubleshooting, especially if you're asking for help on the forums. Anything less hides valuable information; the shorter forms are explained on this page only for reference.

Suppose I want to add a rule so that I can ssh into my router from a specific host/address outside. Then I might type the following:

So I am saying: append to the INPUT chain a rule allowing protocol tcp, with a source address of 123.45.67.89 <my external IP that I want access from>, traffic destined for port 22 on my router, jump to logaccept. I could have used -j ACCEPT, which simply jumps to ACCEPT, but in this case I want to log it just to keep track, so I use logaccept, which is a chain we have set up for this purpose.

Note: Simply adding a rule to the INPUT chain may be enough to allow remote SSH access from the WAN. However, if your router is still in NAT/Gateway mode and you wish to remap the SSH port to something less traditional on the WAN side (say port 2222), you can insert a PREROUTING rule instead. This is actually how the GUI does it when you enable remote WAN SSH management.

Now if I type

I see my shiny new rule appended to the INPUT chain. However, this is no good because in my case I have a rule blocking this traffic which occurs BEFORE the rule allowing it.

How do I change it? Simple.

First let's delete the rule we just made

will list the rules with their rule numbers. Let's say our rule is number 11

Clearly this Deletes rule number 11 from the input chain.

Now instead of Appending I am going to Insert my rule into the number 1 (by default) position.

So now rule number 1 is my new rule and the other rules have all shifted down a position.

If I wanted to change the IP address or any other aspect of my ssh rule, I could use the -R (Replace) option with a specific rule number and simply type in the new rule, i.e.

This would replace rule number 1 on the INPUT chain with the new rule, which has a new source IP address and jumps to ACCEPT instead of logaccept.

One more example: I want to run a mini web server on my router. Let's assume that it is already running on port 8000 and I can access it from the LAN side, but not from the WAN side. With

the port 8000 will be opened. But I also have to set up NAT PREROUTING, so that the kernel forwards all packets on port 8000 from the outside to itself, 192.168.1.1:
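The list/append/insert/delete/replace sequence above, as an added shell example that is not from the wiki page: instead of reading the rule number off the listing by eye, it parses an 'iptables -nL INPUT --line-numbers' listing to find the rule, then deletes it and re-inserts it at position 1, or replaces its source address with -R. It assumes the logaccept chain exists, uses 123.45.67.89 as the admin host from the text, and when run stand-alone only prints the commands (DRY_RUN) against a constructed listing.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki: locate a rule by content in an
# "iptables -nL INPUT --line-numbers" listing, then delete / re-insert at
# position 1 / replace it by number. 123.45.67.89 is the admin host from the
# text; the listing at the bottom is constructed, not real router output.
# On the router (with DRY_RUN unset):
#   iptables -nL INPUT --line-numbers | pin_ssh_rule 123.45.67.89

ipt() {  # run iptables, or print the command when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Read a -nL --line-numbers listing on stdin and print the number of the first
# rule whose source column is $1 and whose port extra is exactly "dpt:$2".
# Without -v the columns are: num target prot opt source destination [extras]
rule_number() {
    awk -v src="$1" -v re="dpt:$2( |\$)" '$5 == src && $0 ~ re { print $1; exit }'
}

# Delete the host's SSH rule wherever it sits (if present) and insert it at
# position 1, ahead of any earlier rule that would block the traffic.
pin_ssh_rule() {
    n=$(rule_number "$1" 22)
    if [ -n "$n" ]; then ipt -D INPUT "$n"; fi
    ipt -I INPUT 1 -p tcp -s "$1" --dport 22 -j logaccept
}

# Replace the SSH rule for OLD_HOST with one for NEW_HOST, same position.
swap_ssh_host() {
    n=$(rule_number "$1" 22)
    if [ -z "$n" ]; then echo "no SSH rule for $1" >&2; return 1; fi
    ipt -R INPUT "$n" -p tcp -s "$2" --dport 22 -j ACCEPT
}

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    logaccept  tcp  --  123.45.67.89         0.0.0.0/0            tcp dpt:22'

DRY_RUN=1   # stand-alone demo only prints the commands it would run
printf '%s\n' "$SAMPLE_LISTING" | pin_ssh_rule 123.45.67.89
```

In the constructed listing the blanket DROP on port 22 (rule 3) sits above the allow (rule 4), which is exactly the ordering problem the text describes; the dry run prints the -D and the -I that fix it.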

Port Forwarding to a specific LAN IP

Port Forwarding can be accomplished from within the web interface here. However, the very same thing can be done a bit differently (tested and working), via command line. --u3gyxap: Example with port 443 and IP 192.168.1.2

If you want to restrict the source IP (a question that is asked a lot on the forums), add -s 123.45.67.89 to one of your rules (replacing the IP address with the real one of course).

This should make it so only one IP address is able to access your forwarded port from the Internet.

In order for me to get this to work (v.24) I needed to put the '-s 123.45.67.89' in the 'iptables -I FORWARD' command also. When it was in the PREROUTING command only, I was still able to access the internal resource from any IP address!

Deny access to a specific IP address

Which would DROP all packets destined to the given IP. Useful to block access to whatnot. If you want to log the entry when the IP is blocked you would set the jump location to logdrop, instead of DROP.

Deny access to a specific Subnet

Deny access to a specific IP address range with Logging

Many builds do not have the iprange match but you can use clever subnet masks to accomplish something similar as well, if the range aligns well on subnet boundaries. You may also be able to download a version of iptables that includes the iprange match via Optware.
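For builds without the iprange match, this added example (not from the wiki page) works out the subnet masks the paragraph refers to: it splits any start-end range into the exact CIDR blocks that cover it and emits one logdrop rule per block, so the range no longer has to align with a subnet boundary. It assumes only POSIX sh arithmetic (busybox ash on the router) and uses a constructed 203.0.113.x range.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki: when the iprange match is missing,
# split an arbitrary IPv4 range into the CIDR blocks that cover it exactly and
# emit one logdrop rule per block. POSIX sh arithmetic only, so busybox ash
# on the router can run it. The 203.0.113.x range is constructed for the demo.

ipt() {  # run iptables, or print the command when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

ip2int() {  # dotted quad -> 32-bit integer (subshell keeps the IFS change local)
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

int2ip() {  # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print one CIDR per line covering START..END inclusive. At each step take the
# largest block that is aligned at the current address and does not pass END.
range2cidr() {
    s=$(ip2int "$1"); e=$(ip2int "$2")
    while [ "$s" -le "$e" ]; do
        bits=32
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))          # size of a /(bits-1) block
            if [ $(( s % size )) -ne 0 ] || [ $(( s + size - 1 )) -gt "$e" ]; then
                break                               # not aligned, or too big
            fi
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$s")/$bits"
        s=$(( s + (1 << (32 - bits)) ))
    done
}

# Drop and log everything forwarded to the range (one rule per CIDR block).
deny_range_logged() {
    range2cidr "$1" "$2" | while read -r net; do
        ipt -I FORWARD -d "$net" -j logdrop
    done
}

[ "${1:-}" = apply ] || DRY_RUN=1   # pass "apply" to install instead of print
deny_range_logged 203.0.113.10 203.0.113.20
```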

Deny access to a specific Outbound IP address with logging

This becomes useful if there is a program that wants to gain an outbound connection to a specific address, but you don't want to allow the connection. In this specific example Windows uses this IP incorrectly as a broadcast address (search Google for more info). While viewing your router logs you will see Windows broadcast to this IP several times per minute. By default the router passes the broadcast and announces to everyone outside of your router that your PC exists. This rule will block traffic to this specific outbound IP and add an entry into the router log.

edit: There is nothing incorrect about this. This is the service announcement/discovery multicast address used by SSDP. This is required to discover UPnP based devices in your network. If you drop these, your DLNA media servers, ushare, minidlna, PS3s, Xboxes etc. will not see each other if they are across subnets. These packets have a TTL of 4, so won't get too far out of your network. 239.x.x.x is the private IPv4 multicast range, so ISPs would drop this at their ingress points.

Block SMTP traffic except to specified hosts

Simple Mail Transfer Protocol operates on tcp port 25.

Which would accept and log all smtp traffic to safe.server1.com and safe.server2.com, while blocking and dropping all other outgoing smtp traffic.

Block outgoing SMTP traffic except from specified hosts

Simple Mail Transfer Protocol operates on tcp port 25.

Which would accept outgoing SMTP traffic from your internal SMTP server (192.168.1.2) but reject outgoing SMTP traffic from all other hosts on your LAN (192.168.1.1/24). Useful to force all your LAN clients to use your internal SMTP server, and to stop viruses and spam-generating trojans from sending mail to remote servers on their own.

Change 'REJECT' to 'logdrop' or 'ACCEPT' to 'logaccept' to add logging.

Caution! This will also block internal users from using your external IP as their SMTP server.

Allow HTTP traffic only to specific domain(s)

Similarly, we can use the above method to filter other ports and protocols as well, such as standard web traffic operating on tcp port 80.

Which would accept all http traffic to dd-wrt.com, while blocking outgoing http traffic to anywhere else. If you wish to allow multiple sites, insert additional rules before the DROP (making sure to order and number them correctly).
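The allow-list-then-DROP pattern of this section and of the SMTP section above, as an added shell example that is not from the wiki page: the DROP is inserted first and every allow is then inserted at position 1, so the allows always end up above the DROP no matter how many hosts are given and nobody has to count rule numbers. It assumes br0 is the LAN bridge and the logaccept target exists; the host names and 203.0.113.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki: allow outgoing TCP on one port only
# to a list of hosts and drop the rest, keeping the allow rules above the DROP
# however many hosts are given. Assumes br0 is the LAN bridge and logaccept /
# DROP exist as targets; the host names below are constructed placeholders.

ipt() {  # run iptables, or print the command when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# allow_only_to PORT HOST...  (HOST may be an IP, a CIDR block or a name)
# The DROP goes in first; each allow is then inserted at position 1 and pushes
# the DROP one slot down, so the order never has to be tracked by hand.
allow_only_to() {
    port=$1; shift
    ipt -I FORWARD 1 -i br0 -p tcp --dport "$port" -j DROP
    for host in "$@"; do
        ipt -I FORWARD 1 -i br0 -p tcp --dport "$port" -d "$host" -j logaccept
    done
}
# Caveat: iptables resolves a host name once, when the rule is added (one rule
# per address returned). In the boot-time Firewall script DNS may not be
# reachable yet; then the allow fails and only the DROP is left in place.

[ "${1:-}" = apply ] || DRY_RUN=1   # pass "apply" to install instead of print
allow_only_to 25 mail.example.com smtp2.example.com   # SMTP relays
allow_only_to 80 203.0.113.0/24                       # plain HTTP
```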

Block all traffic except HTTP, HTTPS and FTP

This example blocks everything except our normal web traffic, encrypted (ssl), and the file transfer protocol.

Caution! Users are still able to get through the firewall if they are sly enough to use these permitted port numbers for their P2P or other application. In that case, you should consider using Access Restrictions to mitigate the possibility of that happening.

Reject clients from accessing the router's configuration

This should prevent clients on the LAN (interface br0) from accessing the configuration interface of the router through any of the following ports (telnet/23, ssh/22, http/80, https/443).

Tip: If you disable management from the LAN, be sure to enable remote management on the WAN (or vice versa) or you will probably lock yourself out of the router.

Restrict access by MAC address

In this example, we will demonstrate how to restrict access to the router's web interface by MAC address. In other words, only the computer having the specified MAC address should be able to access the web interface from the LAN.

First, if there are no Access Restrictions policies enabled and filtering by MAC addresses, you may need to insert the iptables mac module manually:

Notice the ! (bang) which is another new concept introduced here. It means 'NOT'. So, by inspecting the rule closely, we see that it will REJECT packets destined to port 80 of the router so long as they do NOT originate from our computer with the desired MAC address.

Caution! As usual when dealing with MAC addresses, be aware that it is possible for malicious user(s) to spoof their MAC address with that of a trusted machine. You can help combat this by use of static ARP entries, VLANs, etc.

Modifying the TTL

The Time To Live is the maximum number of routers a packet will travel through before it is discarded. In certain situations, it may prove useful to increase it (typically) in order to make your network more reliable.

  • Example 1: Set the incoming TTL to 10, before the router routes it into the LAN.
  • Example 2: Set the outgoing TTL to 128, just as if a Windows machine was connected directly to the modem.
  • Example 3: Try to hide the fact that an outgoing packet was routed, by incrementing the TTL by one.

Firewall Forwarded Ports

If you have enabled SPI firewall feature on DD-WRT, your router is pretty much protected. However one practical use of iptables is protecting certain ports forwarded to internal IP addresses. The simplest way to do this is:

  • Create port forwarding to internal IP addresses using the DD-WRT 'Port Forwarding' web interface
  • Supplement those rules with custom iptables on the Firewall script found under Administration - Commands interface to restrict which hosts can access the ports involved

Port Forward Example

The current port forwarded setup via the web GUI will be used as the basis to illustrate some examples:

  • Application: ssh Port: 4022 Protocol: TCP forward to IP address: 192.168.1.5 Port: 22
  • Application: ftp Port: 21 Protocol: TCP forward to IP address: 192.168.1.6 Port: 21

The example here port forwards external IP on port 4022 to internal server 192.168.1.5:22 for ssh and external port 21 to internal server 192.168.1.6:21 for ftp.

Firewall Rule Examples

You may first want to shield your ssh port from script kiddies and prevent brute-force attacks. To do so you can limit the number of NEW ssh connections to about 3 attempts per minute. Any further attempts to crack the ssh port will be dropped:

FTP access can also be limited to a certain network or network range in the following manner:

You can of course combine both, rate limit and IP addresses limiting. This following example limits ssh connection from 207.171.160.0/19 with the same rate limit applied, along with the FTP rules all on the same script:


For multiport INPUT (or FORWARD, if you choose) rate limiting, the following syntax can be used:

To verify that the rules are working, open a terminal session and type iptables -vnL | more

If you're adding a lot of rules, it helps to separate them with comments using the # prefix. You can of course use the basics of iptables explained in this article to make your rules more complex to suit your needs. However, instead of ordering the rules, the examples here merely insert the new ones at the top of the FORWARD chain. This ensures that the rules that limit traffic appear at the top of the chain and get applied first.

You may examine these rules on the router at anytime by accessing the router's command prompt and running the command 'iptables -vnL'
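The two hardening steps of this section (rate-limiting NEW connections, restricting a forwarded port to an allowed source) together with the earlier point that a source restriction must sit on both the PREROUTING and the FORWARD rule, as an added shell example that is not from the wiki page. It assumes the two GUI forwards listed above, vlan1 as the WAN (K24 naming from the Interfaces section; vlan2 on K26/K3.x), and the constructed admin sources 207.171.160.0/19 and 123.45.67.89; LOGGING=1 swaps every target for its logging twin as the Logging section describes.

```shell
#!/bin/sh
# Added example, not from the DD-WRT wiki: restrict and rate-limit forwarded
# ports. Assumes the two GUI forwards above (4022 -> 192.168.1.5:22 and
# 21 -> 192.168.1.6:21), vlan1 as the WAN (K24 naming; use vlan2 on K26/K3.x)
# and the constructed admin sources 207.171.160.0/19 and 123.45.67.89.
# Run with "apply" to install; without it the commands are only printed.
# Set LOGGING=1 to swap every target for its logging twin (logaccept/logdrop).
WAN=${WAN:-vlan1}

ipt() {  # run iptables, or print the command when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

jmp() {  # ACCEPT/DROP/REJECT -> logaccept/logdrop/logreject when LOGGING is set
    if [ -n "${LOGGING:-}" ]; then echo "log$1" | tr 'A-Z' 'a-z'; else echo "$1"; fi
}

# Hand-made forward open to one source only. The -s goes on BOTH rules: a
# source-restricted DNAT alone leaves the FORWARD chain admitting anyone.
forward_from() {  # forward_from SRC EXT_PORT DEST_IP DEST_PORT
    ipt -t nat -I PREROUTING 1 -i "$WAN" -p tcp -s "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    ipt -I FORWARD 1 -i "$WAN" -p tcp -s "$1" -d "$3" --dport "$4" -j "$(jmp ACCEPT)"
}

# Keep an existing (GUI) forward but drop everything not coming from SRC.
restrict_forward() {  # restrict_forward DEST_IP PORT SRC
    ipt -I FORWARD 1 -i "$WAN" -p tcp -d "$1" --dport "$2" ! -s "$3" -j "$(jmp DROP)"
}

# Accept at most RATE new connections (burst BURST) to DEST:PORT, drop the
# rest. The DROP is inserted first so the limited ACCEPT lands above it.
rate_limit_new() {  # rate_limit_new DEST_IP PORT RATE BURST
    ipt -I FORWARD 1 -p tcp -d "$1" --dport "$2" -m state --state NEW -j "$(jmp DROP)"
    ipt -I FORWARD 1 -p tcp -d "$1" --dport "$2" -m state --state NEW \
        -m limit --limit "$3" --limit-burst "$4" -j "$(jmp ACCEPT)"
}

[ "${1:-}" = apply ] || DRY_RUN=1
# ssh behind the 4022 forward: 3 new connections a minute, admin network only
# (restrict_forward runs last, so the source check sits above the rate limit)
rate_limit_new 192.168.1.5 22 3/min 3
restrict_forward 192.168.1.5 22 207.171.160.0/19
# ftp behind the port 21 forward: one admin host only
restrict_forward 192.168.1.6 21 123.45.67.89
# the hand-made 443 forward to 192.168.1.2 from the earlier section, one source
forward_from 123.45.67.89 443 192.168.1.2 443
```

Run it without arguments first and read the printed rules; the order printed is the order executed, so each later -I FORWARD 1 lands above the previous one.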

Logging

Consider turning on logging temporarily for any of your rules. This is useful when you're testing a new setup to confirm that the rules block or allow what you intend. First enable logging in the web UI on the Security - Firewall tab. Then replace the jump target ('-j') of each of your iptables rules with its logging counterpart:

  • DROP with logdrop
  • REJECT with logreject
  • ACCEPT with logaccept

For example, to check and confirm that traffic forwarded to port 21 is correctly dropped, you would substitute:

with

Logged data can be viewed in the web UI on the same page, or at the command prompt in the file '/var/log/messages'.

Firewall blocks DHCP renewal responses

The default configuration of the firewall blocks DHCP renewal responses, which causes the router's DHCP client to request a new IP and current connections to be dropped whether the address changes or not. ~phuzi0n Use this command to fix it. Replace ACCEPT with logaccept to verify it is functioning.

Caution

Adding iptables commands to your startup routine risks locking yourself out of the box with no option but to start over. If you are experimenting with new commands, you can insure yourself against this scenario by inserting a sleep command before the iptables command(s). This way you can grant yourself, say, five minutes (sleep 300) before your commands take effect. If your commands do backfire and you are unable to log in to your box, simply restart it by switching it off and on again and you will have five minutes to get in.

Another way is to try the command over ssh (or in the GUI Command shell, then click 'Run command'*): if your command doesn't touch nvram it won't survive a reboot, but it allows an immediate addition/insertion of the new firewall rule for testing. Check it immediately with

and see if it works as you think it would.

* Caution! In the GUI, echo $? always returns 0 whether the command succeeded or failed.

See Also

External Resources

Retrieved from 'http://wiki.dd-wrt.com/wiki/index.php/Iptables_command'