HowTo-Block Outgoing Ports
From X-Wrt
Introduction
Lubek was kind enough to help me with this, so I thought I would pass it along.
- The example below blocks UDP port 5121 from being sent outside the router, either from every computer on your LAN or from just one computer.
- Substitute the port and protocol for your own purposes.
- Please be careful editing your firewall! You risk cutting off access to the network or opening security holes.
How To
- Log in to your router from your favorite web browser (the default address is http://192.168.1.1 ).
- Select the "System" tab, then the "File Editor" sub tab.
- The file you want to edit is /etc/firewall.user.
- Click the "Edit" button next to the firewall.user file.
- Scroll to the end of this file and paste the following:
- To block from the entire LAN (the "-i $LAN" part matches traffic arriving on the LAN-side interface, i.e. from any LAN computer):
iptables -A forwarding_rule -p udp -i $LAN --dport 5121 -j DROP
- If wifi is split from the bridge (a separate $WIFI interface), add this rule as well:
[ -n "$WIFI" ] && iptables -A forwarding_rule -p udp -i $WIFI --dport 5121 -j DROP
- To block a port from one machine on the LAN (192.168.1.101 in this example) from reaching outside the router:
iptables -A forwarding_rule -p udp -s 192.168.1.101 --dport 5121 -j DROP
- Save changes.
- Apply changes.
- Applying changes will automatically restart the firewall service.
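As an added example (not from the X-Wrt wiki or the OpenWrt firewall scripts), the rules above can be wrapped in a small helper at the end of /etc/firewall.user that checks its arguments before calling iptables and supports a dry run, so a typo does not silently produce a rule that blocks nothing or the wrong thing. It assumes the same $LAN and $WIFI variables the how-to uses; the IPTABLES variable and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the X-Wrt wiki: a small helper for the end of
# /etc/firewall.user that builds the same "forwarding_rule ... -j DROP" rules
# as the how-to, but validates its arguments first and supports a dry run.
# IPTABLES defaults to the real binary; set IPTABLES=echo to print the
# commands instead of executing them (useful before touching a live router).
IPTABLES=${IPTABLES:-iptables}

# block_outbound PROTO PORT SELECTOR VALUE
#   SELECTOR is -i (block every host behind interface VALUE, e.g. $LAN)
#   or -s (block only the single LAN host with IP address VALUE).
block_outbound() {
    proto=$1; port=$2; sel=$3; val=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "block_outbound: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "block_outbound: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "block_outbound: port $port out of range" >&2; return 1
    fi
    case "$sel" in
        -i|-s) ;;
        *) echo "block_outbound: selector must be -i or -s" >&2; return 1 ;;
    esac
    if [ -z "$val" ]; then
        echo "block_outbound: empty interface/address, rule skipped" >&2; return 1
    fi
    # Same rule shape as the how-to: match forwarded LAN->WAN traffic and drop it.
    "$IPTABLES" -A forwarding_rule -p "$proto" "$sel" "$val" --dport "$port" -j DROP
}

# The three rules from the how-to. $LAN and $WIFI come from the OpenWrt firewall
# script that sources firewall.user; 192.168.1.101 is the page's example host.
block_lan_examples() {
    block_outbound udp 5121 -i "$LAN"
    if [ -n "$WIFI" ]; then
        block_outbound udp 5121 -i "$WIFI"
    fi
    block_outbound udp 5121 -s 192.168.1.101
}

# Only apply when running under the firewall script (which sets $LAN).
if [ -n "$LAN" ]; then
    block_lan_examples
fi
```

Run it once with `IPTABLES=echo LAN=br-lan sh firewall.user` to see the exact iptables commands before letting the firewall script execute them.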
Restarting firewall service via SSH
If you are editing /etc/firewall.user over SSH, you will have to restart the firewall manually:
- Restart the firewall script:
root@OpenWrt:$ /etc/init.d/S35firewall restart
- Exit from the shell:
exit