FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
698 views 2 comments
by
Hello,
I would like to restrict WAN login to router by source IP (create whitelist).
Is there any other option than modification /etc/config/firewall to create rule with two or more different SourceIP?

GUI allows me to add one Source IP only.
How should Custom rule looks like to obtain two or more IP addresses allowed to communicate with the device.

The same question if for port forwarding, but there I can add duplicated rule with other IP (I do not want to use VPN, I need to create whitelist of the IP allowed to login to device and user forwarded ports).
Should I use full command in custom rules:
iptables --append INPUT --protocol tcp --src <source> --dst <destination> --jump DROP
or shorten:
--append INPUT --protocol tcp --src <source> --dst <destination> --jump DROP

the manual does not explain or show examples of custom rules.

1 Answer

0 votes
by anonymous
Hi Grzegorz,

It's possible to specify IP address range in firewall configuration to which rule would apply e.g 192.168.1.48/30 otherwise if IP addresses are not sequential it's needed to create separate firewall rules for each IP.

It's possible to create those rules either via WebUI, CLI(/etc/config/firewall) or write IP tables rules and put them into WebUI -> Network -> Firewall -> Custom rules page.

As RUT/TRB series devices use Linux IPtables firewall a lot of guides specifying the syntax can be found on the internet.

Full command should be specified, but options can be shorted e.g. instead of using --append you can use -A
by

The same you wrote in manual ... why doesn't Teltonika share even one example singed by company as working example?

For example when I add rule to custom rule via WebUI nad 'save'.

iptables --append INPUT --protocol tcp --src <specific_ip> --dport 80 --jump ACCEPT
iptables --append INPUT --protocol udp --src <specific_ip> --dport 80 --jump ACCEPT

I should be able to connect to device via port 80 only from <specific_ip>?
But still I can connect to router via port 80 from any other IP.

I used shorted version of parameters and reboot device but still custom rules with restriction to the device does not work for me
(device:  RUT9XX_R_00.06.05.3 )

by anonymous
It's because you're using --append option, this option inserts your firewall rule to the end of the firewall rules list.

Iptables works by reading rules from top to bottom, if a matching rule for a packet is found e.g. allow http from all IP's then it'll never reach your rule where you specify only one IP address.

To insert IPtables rule at the top of the list use -I(Insert)