I want to restrict a LAN client so it can only communicate with a single IP address, a list of IPs, or a subnet on the Internet. I see Tomato allows all kinds of access restrictions, e.g. blocking out Internet sites, but can I *allow* only one, a few, or a subnet of IPs? I'm on Asus RT-N16 with Tomato Firmware v1.28.9054 MIPSR2-beta K26 USB vpn3.6. Thanks! jxf011
Date: 19 Oct 2012 18:16
Number of posts: 6
From the Access Restriction GUI, you can block from a specific IP/MAC to a list of specific IPs (or one IP). You can probably block a subnet also, assuming you use the right syntax (my assumption).
Worst case, you do it by command line.
I want to block all *except* for an IP, a list of IPs, or a subnet for a particular client. Put another way, I want an explicit allow list, not a restrict list.
Is there a way to do that with the Access Restriction page or at the command line?
Got it. Sorry for the confusion.
Take a look at this?
Ahh, iptables is my answer, thanks. Other than general Googling, what's the best place for iptables help on a rule to lock a non-routable client IP to an Internet subnet or list of Internet IPs? Also, once I have my iptables rule(s), do I put them in Administration » Scripts? Do I use Init, Firewall, or WAN Up? Thanks again.
After a good bit of reading the iptables man pages and doing testing I have a working solution.
The goal here is to cut off network access for a LAN computer running a VPN behind a router in case the VPN client crashes. I think there are at least 2 programs ($) to do this and there's a trick with the Windows 7 firewall that works too. Of course I have WinXP!
So the code below on my Tomato USB Asus RT-N16 works like a charm. You can extend it to a LAN computer with more than 2 interfaces, to more than 1 LAN computer and to more than 2 VPN IP addresses. And doing it with MAC addresses was a cinch once I read enough.
Lastly, if you're debugging the solution, you can change DROP to logdrop *and* enable logging in Tomato:
Status - Logs - Logging Configuration - Connection Logging - Inbound/Outbound
To get this to work across reboots, add this to Administration - Scripts - Firewall in Tomato USB.
Please comment if this looks wrong or could be improved. Thanks!
#START
#
# This allows a computer with 2 interfaces (e.g. wired and radio) to only communicate with 2 external IP addresses for a VPN provider (could be any external IP)
# If the VPN client on the computer fails, no traffic will go in or out
#
#[computername-interface1] [mac-interface1] [ip-interface1] allow ONLY vpn.provider.com(x) IPs
iptables -I FORWARD 1 -m mac --mac-source [mac-interface1] -d [ip-vpn.provider.com(ip1)] -j ACCEPT
iptables -I FORWARD 2 -m mac --mac-source [mac-interface1] -d [ip-vpn.provider.com(ip2)] -j ACCEPT
iptables -I FORWARD 3 -m mac --mac-source [mac-interface1] -j DROP
#
#[computername-interface2] [mac-interface2] [ip-interface2] allow ONLY vpn.provider.com(x) IPs
iptables -I FORWARD 4 -m mac --mac-source [mac-interface2] -d [ip-vpn.provider.com(ip1)] -j ACCEPT
iptables -I FORWARD 5 -m mac --mac-source [mac-interface2] -d [ip-vpn.provider.com(ip2)] -j ACCEPT
iptables -I FORWARD 6 -m mac --mac-source [mac-interface2] -j DROP
#
#END
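The allow list in the post above works, but the rule positions (1 through 6) have to be renumbered by hand whenever a client or an address is added. Below is an added example, not the poster's code, that generates the same kind of rules from a user-defined chain instead, so the accept-then-drop order is fixed per chain and any number of MACs can be pointed at it; it also takes CIDR subnets, which the original question asked about. The chain name "vpnonly", the two MACs and the 198.51.100.x addresses in the driver at the bottom are made-up placeholders; the script only prints iptables commands, it does not need to run on the router itself.

```shell
#!/bin/sh
# Added example, not code from the original post. It generates the iptables
# commands for a per-client allow list so that rule positions do not have to
# be numbered by hand, and it accepts subnets (CIDR) as well as single IPs.
# The chain name "vpnonly", the MACs and the 198.51.100.x addresses used in
# the driver at the bottom are made-up placeholders.

# is_ip_or_cidr DEST: true for "a.b.c.d" or "a.b.c.d/NN" (NN 0..32).
# Octets are not range-checked; the point is to catch hostnames, because a
# hostname given to -d is resolved once when the rule is loaded, not per packet.
is_ip_or_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# make_allow_chain CHAIN DEST...: print commands that build a user-defined
# chain accepting DEST... and dropping everything else. Change the final DROP
# to logdrop while debugging, as the post above describes.
make_allow_chain() {
    chain="$1"; shift
    for dst in "$@"; do
        is_ip_or_cidr "$dst" || { echo "not an IP or CIDR: $dst" >&2; return 1; }
    done
    # create the chain, or empty it if the firewall script is run again
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
    for dst in "$@"; do
        printf 'iptables -A %s -d %s -j ACCEPT\n' "$chain" "$dst"
    done
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# restrict_client CHAIN MAC: print commands that send everything the client
# with this MAC forwards through the router into CHAIN. The -D keeps a re-run
# from stacking duplicate jumps; -I FORWARD 1 puts the jump ahead of Tomato's
# own FORWARD rules.
restrict_client() {
    chain="$1"; mac="$2"
    printf 'iptables -D FORWARD -m mac --mac-source %s -j %s 2>/dev/null\n' "$mac" "$chain"
    printf 'iptables -I FORWARD 1 -m mac --mac-source %s -j %s\n' "$mac" "$chain"
}

# Driver: one computer with two interfaces (wired and wireless MACs), allowed
# to reach one VPN endpoint address and one provider subnet. All placeholders.
generate_firewall_script() {
    make_allow_chain vpnonly 198.51.100.10 198.51.100.64/26 &&
    restrict_client vpnonly 00:11:22:33:44:55 &&
    restrict_client vpnonly 00:11:22:33:44:66
}

generate_firewall_script
```

Paste the printed commands (or the functions plus the driver) into Administration - Scripts - Firewall, the same place the post above uses. Two things to keep in mind when adapting it: the mac match only works on packets entering the router, so these FORWARD rules govern what the client sends out, while replies come back through Tomato's normal established-connection handling; and FORWARD does not see traffic addressed to the router itself, so anything the client sends to the router's own services goes through the INPUT chain and is not covered by this allow list.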