01-30-2010, 09:17 PM
I got a true DMZ working on my Tomato router. This website (http://www.seiichiro0185.org/doku.php/blog:creating_a_seperate_guest_network_with_tomato) has instructions on how to accomplish this. I did make some changes, though, to the Administration/Scripts/Firewall section.

# Block the DMZ (vlan2) from reaching the router's own services.
iptables -I INPUT -i vlan2 -p tcp --dport ssh -j DROP;
iptables -I INPUT -i vlan2 -p tcp --dport telnet -j DROP;
iptables -I INPUT -i vlan2 -p tcp --dport www -j DROP;
iptables -I INPUT -i vlan2 -p tcp --dport 53 -j DROP;
iptables -I INPUT -i vlan2 -p udp --dport 53 -j DROP;   # DNS is mostly UDP; a TCP-only rule leaves it open
iptables -I INPUT -i vlan2 -p tcp --dport 5000 -j DROP;

# LAN (br0) may open connections into the DMZ; the DMZ only gets replies back.
iptables -I FORWARD -i br0 -o vlan2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
iptables -I FORWARD -i vlan2 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
# DMZ may open connections to the WAN (vlan1); the WAN only gets replies back.
iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT;
iptables -I FORWARD -i vlan1 -o vlan2 -m state --state ESTABLISHED,RELATED -j ACCEPT;

The first group of commands prevents access from the DMZ computers to the router's services (including DNS, UPnP, telnet, ssh, and the http admin page). The second group of four commands allows access from the trusted "green" network to the DMZ "orange" network, but it prevents access in the other direction. (This was mentioned in the comment section on that webpage by Richard.)

Also, I left the DNS/DHCP code out because I don't want that service available for the DMZ.

As far as I can tell, it works. The only drawback is that the realtime graph for vlan2 does not work, and I don't really know how to change that (or if it can be changed). However, that is a small problem as far as I'm concerned.

Oh yeah, and if you don't already know, this is not for the squeamish. You can possibly brick your router with this stuff.

I forgot to mention that I used the following code in Administration/Scripts/Init instead of the webpage's code:

sleep 10;   # give the VLAN interface time to appear before configuring it
ifconfig vlan2 <dmz-router-ip> netmask <dmz-netmask> up;   # fill in the address and mask of the DMZ subnet you chose
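The same DMZ policy as an added example, not code from the post above or from Tomato: it builds the rules in two dedicated chains with -A so the order is explicit (repeated -I inserts stack in reverse), uses an allow-list for the router's own services from the DMZ instead of the post's block-list, and states the DMZ-to-LAN block as an explicit DROP rather than relying on Tomato's default FORWARD rules. The interface names, the DRY_RUN switch and the chain names are assumptions for illustration; with DRY_RUN=1 (the default) it only prints the iptables commands it would run, which is the safe way to review a firewall script before pasting it into Administration/Scripts/Firewall.

```shell
#!/bin/sh
# Added example (not from the original post or from Tomato). Rebuilds the
# DMZ policy in dedicated chains. Assumptions: interface names below and
# DRY_RUN (1 = print the commands instead of executing them).

LAN_IF="${LAN_IF:-br0}"     # trusted "green" LAN bridge
DMZ_IF="${DMZ_IF:-vlan2}"   # DMZ "orange" VLAN
WAN_IF="${WAN_IF:-vlan1}"   # WAN side
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: echo the command in dry-run mode, execute it otherwise.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# (Re)create an empty user chain; -N fails harmlessly if it already exists,
# so re-running the script does not pile up duplicate rules.
fresh_chain() {
    ipt -N "$1" 2>/dev/null || true
    ipt -F "$1"
}

# Put a single jump from a built-in chain at the top of that chain,
# removing any earlier copy first. $1 = built-in chain, $2 = user chain,
# remaining arguments = match options for the jump (may be empty).
hook_chain() {
    chain=$1; target=$2; shift 2
    ipt -D "$chain" "$@" -j "$target" 2>/dev/null || true
    ipt -I "$chain" "$@" -j "$target"
}

dmz_rules() {
    # Router services seen from the DMZ: allow replies and ping, drop the
    # rest. A service the post's block-list forgot (and UDP DNS, which a
    # tcp-only rule misses) is therefore closed too.
    fresh_chain dmz_in
    ipt -A dmz_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A dmz_in -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A dmz_in -j DROP
    hook_chain INPUT dmz_in -i "$DMZ_IF"

    # Forwarding: LAN -> DMZ and DMZ -> WAN may open connections; DMZ -> LAN
    # and WAN -> DMZ only carry replies. The explicit DROP makes the
    # DMZ -> LAN block independent of whatever rules Tomato installs later.
    fresh_chain dmz_fwd
    ipt -A dmz_fwd -i "$LAN_IF" -o "$DMZ_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A dmz_fwd -i "$DMZ_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A dmz_fwd -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    ipt -A dmz_fwd -i "$DMZ_IF" -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A dmz_fwd -i "$WAN_IF" -o "$DMZ_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A dmz_fwd -j RETURN   # anything else falls through to Tomato's own rules
    hook_chain FORWARD dmz_fwd
}

dmz_rules
```

Run it once with DRY_RUN=1 and read the printed rule list; set DRY_RUN=0 only when the order looks right. Because every rule lives in dmz_in or dmz_fwd, `iptables -L dmz_fwd -v -n` on the router shows exactly the DMZ policy and its hit counters, which is an easier check than reading the whole FORWARD chain.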