
I'm trying to open ports 5060 and 5004 (UDP & TCP) for a specific internal IP (192.168.1.5), but I only want communication over these ports to be between specific external host(s) and deny everything else to this internal IP. I have tried various rules, but they either seem to open the port for any external source or block everything. Here is my -vL output:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
   19  2811 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 shlimit    tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh state NEW
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    3   156 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  3744            all  --  any    any     anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    2   104 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
   13  3692 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan2  any     anywhere             anywhere
    1    52 wanout     all  --  any    vlan2   anywhere             anywhere
    1    52 ACCEPT     all  --  br0    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 18 packets, 9439 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain shlimit (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  any    any     anywhere             anywhere            recent: SET name: shlimit side: source
    0     0 DROP       all  --  any    any     anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             --hidden--           tcp dpt:8082
    0     0 ACCEPT     udp  --  any    any     anywhere             --hidden--           udp dpt:8082
    0     0 ACCEPT     udp  --  any    any     anywhere             --hidden--            udp dpt:1194
    0     0 ACCEPT     tcp  --  any    any     anywhere             --DEVICE--        tcp multiport dports sip,5004
    0     0 ACCEPT     udp  --  any    any     anywhere             --DEVICE--         udp multiport dports sip,5004
    0     0 ACCEPT     tcp  --  any    any     anywhere             --hidden--             tcp dpts:domain:3074
    0     0 ACCEPT     udp  --  any    any     anywhere             --hidden--            udp dpts:domain:3074

Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination

**DEVICE is what I want to change (192.168.1.5)

AtulBha

1 Answer

DD-WRT and Tomato are two different systems; which is it?

On the Tomato GUI screen, fill in the fields:

Proto: Both
Src Address: 99.99.99.99 (The specific external host.)
Ext Ports: 5060
Int Port: 5060
Int Address: 192.168.1.5

Repeat the above steps for port 5004.

Repeat the above steps for additional Src Addresses.

http://www.wi-fiplanet.com/tutorials/article.php/3829536

Cronfused
  • I am using Tomato. I have tried this; however, Src Address does not seem to have any effect. I can still access any other host, and an external host (not specified in Src) can access my device. – AtulBha Jan 13 '13 at 01:48
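For the iptables side of this, here is an added example (not from the question or answer) that rewrites the two any-source ACCEPT rules in the `wanin` chain shown in the -vL output into per-host ACCEPTs followed by an explicit DROP for 192.168.1.5 on 5060/5004. The chain name `wanin` and WAN interface `vlan2` come from the output above; the allowed host list (99.99.99.99 from the answer plus a constructed 203.0.113.10) and the `apply` argument are assumptions.

```shell
#!/bin/sh
# Restrict the SIP/RTP port forwards to 192.168.1.5 so only named external hosts can use them.
# Assumed names: ALLOWED_HOSTS is a constructed sample list; set IPT=echo to preview the commands.
IPT="${IPT:-iptables}"
WAN_IF="vlan2"                                   # WAN interface from the -vL output
DEVICE="192.168.1.5"                             # the --DEVICE-- host in the question
PORTS="5060,5004"                                # multiport spec equivalent to "sip,5004"
ALLOWED_HOSTS="${ALLOWED_HOSTS:-99.99.99.99 203.0.113.10}"

# Append, for one protocol, an ACCEPT per allowed source and then a DROP for everyone else.
# The FORWARD policy is already DROP, so the final DROP is explicit documentation of intent
# and protects the device even if a broader ACCEPT is later added further down FORWARD.
emit_rules() {
  proto="$1"
  for host in $ALLOWED_HOSTS; do
    $IPT -A wanin -i "$WAN_IF" -p "$proto" -s "$host" -d "$DEVICE" \
      -m multiport --dports "$PORTS" -j ACCEPT
  done
  $IPT -A wanin -i "$WAN_IF" -p "$proto" -d "$DEVICE" \
      -m multiport --dports "$PORTS" -j DROP
}

# Remove the existing any-source ACCEPTs first; they sit earlier in wanin and would match
# before the per-host rules. Deletion is by rule spec, so -i is omitted to match "in any".
apply_all() {
  $IPT -D wanin -p tcp -d "$DEVICE" -m multiport --dports "$PORTS" -j ACCEPT 2>/dev/null || true
  $IPT -D wanin -p udp -d "$DEVICE" -m multiport --dports "$PORTS" -j ACCEPT 2>/dev/null || true
  emit_rules tcp
  emit_rules udp
}

# Only touch the firewall when explicitly asked: ./restrict-sip.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

Tomato regenerates `wanin` when the firewall restarts, so the script belongs in the router's firewall startup script rather than being run once by hand.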