Dd Wrt Iptv For Mac

DD-WRT branched off Sveasoft's work once Sveasoft began charging for its firmware, releasing its first version in early 2005. Part of the name of that initial router, the WRT (Wireless Receiver/Transmitter), was merged with DD, the German vehicle licence-plate code for Dresden, home of the project's founder BrainSlayer.

Watch IPTV from your Internet service provider or free live TV channels from any other source on the web. Features: M3U and XSPF playlist support; playlist history; playing multicast streams through a UDP proxy (the proxy needs to be installed in your LAN); grid, list or tile view of TV channels; EPG support in XMLTV and JTV formats; internal and external video players; parental control; additional features.

assign an IP address to a specific MAC address?

Vaako
DD-WRT User
Joined: 10 Jun 2009
Posts: 333

Posted: Sat Jul 11, 2009 1:00 Post subject: assign an IP address to a specific MAC address?
Hi,
Is it possible in DD-WRT to assign an IP address to a specific MAC address?
In the new D-Link routers they call it:
Add DHCP Reservation
This way some devices like NAS, FTP and servers always have the same IP address on the network.

_________________
Regards,
Vaako

1x Netgear R7800 Nighthawk - firmware not decided yet !!!!
1x Netgear R7000 Nighthawk r36410
1x Ubiquiti RouterStation Pro DD-WRT r23204 std (12/24/13)
1x Asus RT-N16 SVN revision 20675 NEWD-2 K2.6
1x Linksys E4200 v3.0 r34777 mega (01/31/18 )
1x Buffalo WZR-HP-G300NH B0 B0 Gargoyle FW
1x Linksys WRT600N v1.1 (Bricked)
1x Linksys WRT54GL v1.1 (DD-WRT 26446)
1x Linksys WRT54GS v2.2 (DD-WRT 26446)
1x Linksys RVS4000 (stock fw)
3x D-Link DWL-7100AP (openWRT)
2x TP-Link TL-WA801ND (Bridge mode) 100mW TX-Power
Asus WL-520GU SVN 16403M NEWD-2 Eko std-nokaid
4x Fonera with Gargoyle FW
leolandeo
DD-WRT Novice
Joined: 30 Oct 2009
Posts: 8

Posted: Fri Nov 06, 2009 18:12 Post subject:
It doesn't work: on the status screen the MAC and the IP that were entered are identified, but if you change the IP on the PC to any other one you keep browsing normally. Is there any configuration that can tie the MAC to an IP? Thanks.
techtravis
DD-WRT Novice
Joined: 10 Aug 2009
Posts: 44
Location: Michigan, USA

Posted: Fri Nov 06, 2009 22:55 Post subject:
I just want to state something the wiki does not.
The HOSTNAME does not have to match the hostname of the computer or device. The HOSTNAME is what will be displayed as the name in the active clients section.
The MAC address should be formatted as
00:00:00 etc., not 00-00-00 or 00 00 00
If you are adding 5 clients...
Hit the add button 5 times, then enter all the information. Click SAVE and then APPLY at the bottom of the page.
Also, make sure you have 'Use NVRAM for client lease DB' checked, unless you have JFFS2 mounted. Otherwise the router will be unable to save the records.

_________________
EOC-5610 -dd-wrt soon....
WRT54g-tm -Mega Build
WRT350n -Mega Build, w/ ext antennas
GeeTek
DD-WRT Guru
Joined: 06 Jun 2006
Posts: 3768
Location: I'm the one on the plate.

Posted: Fri Nov 06, 2009 23:26 Post subject:
leolandeo wrote:
...but if you change the IP on the PC to any other one you keep browsing normally...

This screen belongs to the automatic IP system. Nobody is going to change the PC.
leolandeo wrote:
...is there any configuration that can tie the MAC to an IP? Thanks

Of course, but it is another thing. It is called ARP Binding. What a pity, but I do not know how to do it with DD-WRT.

_________________
http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.
oldman23
DD-WRT Novice
Joined: 07 Nov 2009
Posts: 17

Posted: Mon Nov 09, 2009 8:01 Post subject:
techtravis wrote:

Also,make sure you have 'Use NVRAM for client lease DB' checked. Unless you have a JFFS2 mounted. Or the router will be unable to save the records.

Hmmm, that's odd. I have 13064 micro. nvram show indicates that my static leases are indeed being stored in nvram, even though I have that box unchecked.
Maybe for micro, leases are stored in nvram whether that box is checked or not, since there is no other possible storage facility?
leolandeo
DD-WRT Novice
Joined: 30 Oct 2009
Posts: 8

Posted: Tue Nov 10, 2009 2:59 Post subject:
Thanks friend, now I know the option to tie IP + MAC; pity that DD-WRT does not have it. There is another firmware, Tomato, that does, but I have a Compex WP188 and Tomato does not support it. I think DD-WRT with ARP binding + captive portal would be very good.
Hope someday you have it. Greetings
phuzi0n
DD-WRT Guru
Joined: 10 Oct 2006
Posts: 10143

Posted: Tue Nov 10, 2009 4:24 Post subject:
oldman23 wrote:
techtravis wrote:

Also,make sure you have 'Use NVRAM for client lease DB' checked. Unless you have a JFFS2 mounted. Or the router will be unable to save the records.

Hmmm, that's odd. I have 13064 micro. nvram show indicates that my static leases are indeed being stored in nvram, even though I have that box unchecked.
Maybe for micro, leases are stored in nvram whether that box is checked or not, since there is no other possible storage facility?

The static leases will be stored in nvram regardless of the setting. 'Use nvram for client lease DB' will save the dynamic allocated addresses into nvram so that the router won't forget about them and give the lease to someone else if the router reboots.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)

From DD-WRT Wiki: iptables

Iptables is a powerful administration tool for IPv4 packet filtering and NAT. It is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

Iptables commands can be entered at the command line and/or saved as a Firewall script in the DD-WRT Administration panel. I recommend testing and confirming your rules at the command line first: if you make a serious mistake (such as blocking your own access to the router), a reboot restores the previous rules, rather than a hard reset being needed. To make rules survive a reboot, save them in a Firewall script as mentioned.


Basic Usage

Commands

Options

Interfaces

When using -i or -o to name physical interfaces, remember that by default:

  • vlan0 is the 4 LAN ports (K24 only)
  • vlan1 is the WAN port (K24 only) or the 4 LAN ports (K26 and K3.x)
  • vlan2 is the WAN port (K26 and K3.x)
  • eth1 is the WIFI
  • eth2-3 is the WIFI (dual-radio routers)
  • br0 is a bridge connecting the 4 LAN ports and the WIFI together

Note: ppp0 is the WAN interface when PPPoE is used; it is also the interface for PPTP VPN connections. As the IPv6 page puts it: 'The detailed configuration steps are targeted toward users with a basic DHCP connection for the WAN part. So, if using PPPoE will require replacing vlan1 with ppp0 in each instance. Other connection types will vary.'

Tip: To list the network interfaces on the router use 'ifconfig' on the command line.

Tables, Chains, and Targets

Tables

The main tables we are concerned with are the 'filter' table and the 'nat' table. To list the contents of a table, name it with the -t option; the filter table is assumed when -t is omitted.

The filter table is the default and includes the INPUT, OUTPUT and FORWARD chains. The nat table is for Network Address Translation and includes the PREROUTING and POSTROUTING chains.

Chains

INPUT is for packets destined to the router's own local sockets.

OUTPUT is for packets sourced from the router's own local sockets.

FORWARD is for packets being routed through the router, i.e. packets that are not destined for the router's own sockets.

PREROUTING is for manipulating packets before they are routed.

POSTROUTING is for manipulating packets after they are routed.

Targets

ACCEPT - packets are accepted/allowed

DROP - packets are dropped/denied (Router does NOT send a response back)

REJECT - packets are rejected/denied (Router DOES send a response back)

logaccept - packets are accepted and logged to /tmp/var/log/messages


logdrop - packets are dropped and logged to /tmp/var/log/messages

logreject - packets are rejected and logged to /tmp/var/log/messages

DNAT is for altering packet's destination address.

SNAT is for altering packet's source address.

TRIGGER - dynamically redirect input ports based on output traffic (aka port triggering)

TRIGGER Target Options

The TRIGGER target has additional options which must appear immediately after it on the command line.

Examples

I think examples are the best way to demonstrate the use of iptables. (Note: chain names are case-sensitive and must be typed in capitals as shown.)

Listing the rules in a chain

First I want to view the rules on my INPUT chain, the first chain that traffic addressed to my router will hit.

You will find that listing a chain with -L alone is slow when there are many rules, because iptables does a reverse DNS lookup to turn every address into a host name. Add the -n option to see numeric addresses only. Note: '0.0.0.0/0' means 'anywhere' (any IP address), and a prot of '0' means any protocol.

To get a more detailed list that also shows the packet and byte counters for each rule, add -v.

Always use -vnL when troubleshooting, especially when asking for help on the forums. Anything less hides valuable information; the shorter forms are explained here only for reference.

Suppose I want to add a rule so that I can ssh into my router from a specific host/address outside. I would append the following rule to the INPUT chain:

So I am saying: append to the INPUT chain a rule allowing protocol tcp, with a source address of 123.45.67.89 (my external IP that I want access from), for traffic destined for port 22 on my router, and jump to logaccept. I could have used -j ACCEPT, which simply jumps to ACCEPT, but in this case I want to log the connection to keep track of it, so I use logaccept, a chain set up for this purpose.

Note: simply adding a rule to the INPUT chain may be enough to allow remote SSH access from the WAN. However, if your router is in NAT/Gateway mode and you wish to remap the SSH port to something less traditional on the WAN side (say port 2222), you can insert a PREROUTING rule instead. This is how the GUI does it when you enable remote SSH management on the WAN.

Now if I list the chain again,

I see my shiny new rule appended to the end of the INPUT chain. However, this is no good, because in my case a rule that blocks this traffic comes BEFORE the rule allowing it, so the new rule is never reached.

How do I change it? Simple.

First let's delete the rule we just made. Listing the chain with --line-numbers shows each rule with its number. Let's say our rule is number 11: deleting by number with -D removes rule 11 from the INPUT chain.

Now, instead of appending, I insert my rule with -I into position 1 (the default when no position is given).

So now rule number 1 is my new rule and the other rules have all shifted down a position.

If I wanted to change the IP address or any other aspect of my ssh rule I could use the -R (replace) option with a specific rule number and simply type in the new rule.

This would replace rule number 1 on the INPUT chain with a new rule that has a new source IP address and jumps to ACCEPT instead of logaccept.
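The append / list / delete / insert / replace sequence above as one script, added here as an example and not code from the wiki page. It assumes the logaccept chain exists (DD-WRT creates it when firewall logging is enabled) and uses the wiki's placeholder 123.45.67.89 as ADMIN_IP; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example: the INPUT-chain walk-through as a script (not wiki code).
# Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
ADMIN_IP="${ADMIN_IP:-123.45.67.89}"   # the wiki's placeholder address

# Numeric listing with counters and rule numbers; the numbers are what
# -D and -R operate on, and they shift after every change, so re-list first.
list_input() { $IPT -vnL INPUT --line-numbers; }

# -A appends at the end: if a DROP already sits above, this is never reached.
append_ssh_allow() { $IPT -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -j logaccept; }

# Delete rule number $1 from INPUT.
delete_input_rule() { $IPT -D INPUT "$1"; }

# Deleting by full specification cannot hit the wrong rule if numbers moved.
delete_ssh_allow() { $IPT -D INPUT -p tcp -s "$ADMIN_IP" --dport 22 -j logaccept; }

# -I puts the rule at position 1, ahead of the blocking rule.
insert_ssh_allow() { $IPT -I INPUT 1 -p tcp -s "$ADMIN_IP" --dport 22 -j logaccept; }

# -R replaces rule $1 in place: new source $2, plain ACCEPT (no log entry).
replace_ssh_allow() { $IPT -R INPUT "$1" -p tcp -s "$2" --dport 22 -j ACCEPT; }

# Run "sh thisscript.sh apply" on the router to insert the rule and show it.
if [ "${1:-}" = "apply" ]; then
    insert_ssh_allow
    list_input
fi
```

Prefer delete_ssh_allow over delete_input_rule in scripts: a rule number is only valid until the next change to the chain, whereas the full specification identifies exactly one rule.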

One more example: I want to run a mini web server on my router. Let's assume that it is already running on port 8000 and I can access it from the LAN side, but not from the WAN side. An INPUT rule accepting tcp port 8000 opens the port. But I also have to set up NAT PREROUTING, so that the kernel forwards all packets arriving on port 8000 from the outside to itself, 192.168.1.1:

Port Forwarding to a specific LAN IP

Port forwarding can be done from within the web interface. However, the very same thing can be done a bit differently (tested and working) from the command line. Example by u3gyxap with port 443 and IP 192.168.1.2:

If you want to restrict the source IP (a question that is asked a lot on the forums), add -s 123.45.67.89 to one of your rules (replacing the IP address with the real one of course).

This should make it so only one IP address is able to access your forwarded port from the Internet.

In order for me to get this to work (v.24) I needed to put the '-s 123.45.67.89' in the 'iptables -I FORWARD' command also - When it was in the PREROUTING command only I was still able to access the internal resource from any IP address!

Deny access to a specific IP address

This DROPs all packets destined for the given IP, which is useful for blocking access to a particular host. To log each blocked packet, set the jump target to logdrop instead of DROP.

Deny access to a specific Subnet

Deny access to a specific IP address range with Logging

Many builds do not have the iprange match, but you can use suitably chosen subnet masks to accomplish something similar, provided the range aligns with subnet boundaries. You may also be able to install a version of iptables that includes the iprange match via Optware.
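Added example, not code from the wiki, for the three 'Deny access' sections above. Because the iprange match is often missing, this script splits any first..last range into the minimal set of CIDR blocks (which every build can match) and inserts one logdrop rule per block; a single address or a whole subnet is just a range that comes out as one block. It assumes 64-bit shell arithmetic, which dash, bash and DD-WRT's busybox ash all provide; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not wiki code): cover an IP range with CIDR blocks and
# drop traffic to each, for builds without the iprange match.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

# dotted quad -> integer; relies on 64-bit shell arithmetic so 192.x.x.x fits
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal list of CIDR blocks covering $1..$2 inclusive.
range2cidr() {
    s=$(ip2int "$1"); e=$(ip2int "$2")
    while [ "$s" -le "$e" ]; do
        bits=32
        # widen the block while it stays aligned on s and does not pass e
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            if [ $(( s % size )) -ne 0 ] || [ $(( s + size - 1 )) -gt "$e" ]; then
                break
            fi
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$s")/$bits"
        s=$(( s + (1 << (32 - bits)) ))
    done
}

# One logdrop rule per block, inserted at the top of FORWARD. A single
# address ("deny access to a specific IP") is the range x..x, and a whole
# subnet ("deny access to a specific subnet") comes out as one block.
block_dst_range() {
    for cidr in $(range2cidr "$1" "$2"); do
        $IPT -I FORWARD -d "$cidr" -j logdrop
    done
}
```

For example, block_dst_range 10.0.0.5 10.0.0.20 produces five rules (10.0.0.5/32, 10.0.0.6/31, 10.0.0.8/29, 10.0.0.16/30, 10.0.0.20/32), which is exactly what the 'clever subnet masks' remark amounts to when done systematically.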

Deny access to a specific Outbound IP address with logging

This becomes useful if there is a program that wants to open an outbound connection to a specific address that you don't want to allow. In this specific example Windows uses this IP incorrectly as a broadcast address (search the web for more information). While viewing your router logs you will see Windows broadcast to this IP several times per minute. By default the router passes the broadcast and announces to everyone outside your router that your PC exists. This rule blocks traffic to this specific outbound IP and adds an entry to the router log.

Edit: there is nothing incorrect about this. This is the service announcement/discovery multicast address used by SSDP, which is required to discover UPnP-based devices on your network. If you drop these packets, your DLNA media servers (ushare, minidlna), PS3s, Xboxes etc. will not see each other if they are across subnets. These packets have a TTL of 4, so they won't get far out of your network, and 239.x.x.x is the administratively scoped (private) IPv4 multicast range, so ISPs would drop it at their ingress points.

Block SMTP traffic except to specified hosts

Simple Mail Transfer Protocol operates on tcp port 25.

This would accept and log all smtp traffic to safe.server1.com and safe.server2.com, while dropping all other outgoing smtp traffic.

Block outgoing SMTP traffic except from specified hosts

Simple Mail Transfer Protocol operates on tcp port 25.

This would accept outgoing SMTP traffic from your internal SMTP server (192.168.1.2) but reject outgoing SMTP traffic from all other hosts on your LAN (192.168.1.0/24). It is useful for forcing all LAN clients to use your internal SMTP server, and for stopping viruses and spam-sending trojans from delivering mail to remote servers on their own.

Change 'REJECT' to 'logreject' (or 'logdrop') and 'ACCEPT' to 'logaccept' to add logging.

Caution! This will also block internal users from using your external IP as their SMTP server.

Allow HTTP traffic only to specific domain(s)

Similarly, we can use the above method to filter other ports and protocols, such as standard web traffic on tcp port 80.

This would accept all http traffic to dd-wrt.com, while blocking outgoing http traffic to anywhere else. If you wish to allow multiple sites, insert additional rules before the DROP (making sure to order and number them correctly). Note that a hostname in a rule is resolved once, when the rule is inserted; if the site's address changes later, the rule will no longer match.

Block all traffic except HTTP, HTTPS and FTP

This example blocks everything except normal web traffic, encrypted web traffic (TLS) and the file transfer protocol.

Caution! Users can still get through the firewall if they are sly enough to run their P2P or other application on one of the permitted port numbers. In that case, consider using Access Restrictions to mitigate that possibility.
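The SMTP, HTTP and 'block all traffic except' sections above share one shape: a short allow-list followed by a drop. The script below is an added example, not code from the wiki, that builds each policy in its own chain so the allow rules are guaranteed to sit above the drop no matter what order they are entered in, and that can be re-run without stacking duplicate hooks. It assumes the logaccept and logdrop chains exist and that the LAN bridge is br0; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not wiki code): host allow-lists for one port, and a
# default-deny egress policy. Set IPT=echo to print instead of apply.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"

# Rebuild chain $1 so that tcp port $2 is allowed only when the packet's
# $3 address ("src" or "dst") is one of the remaining arguments; everything
# else on that port is logged and dropped. The chain is then hooked at the
# top of FORWARD for LAN-originated traffic. Safe to re-run: the chain is
# flushed and a previous hook removed before the new one is inserted.
egress_allowlist() {
    chain=$1; port=$2; dir=$3; shift 3
    $IPT -N "$chain" 2>/dev/null          # "chain already exists" is fine
    $IPT -F "$chain"
    for host in "$@"; do
        # A hostname is resolved once, when the rule is inserted. If the
        # host's address changes later, the rule silently stops matching.
        if [ "$dir" = src ]; then
            $IPT -A "$chain" -s "$host" -j logaccept
        else
            $IPT -A "$chain" -d "$host" -j logaccept
        fi
    done
    $IPT -A "$chain" -j logdrop
    $IPT -D FORWARD -i "$LAN_IF" -p tcp --dport "$port" -j "$chain" 2>/dev/null
    $IPT -I FORWARD -i "$LAN_IF" -p tcp --dport "$port" -j "$chain"
}

# "Block all traffic except HTTP, HTTPS and FTP": LAN clients may only open
# tcp 21, 80 and 443. RELATED covers the FTP data connection when the
# ip_conntrack_ftp helper is loaded; replies come in on the WAN side and
# never hit this -i br0 hook. Clients using an external DNS server would
# also need udp 53 allowed here.
egress_default_deny() {
    $IPT -N egress 2>/dev/null
    $IPT -F egress
    $IPT -A egress -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A egress -p tcp -m multiport --dports 21,80,443 -j ACCEPT
    $IPT -A egress -j logdrop
    $IPT -D FORWARD -i "$LAN_IF" -j egress 2>/dev/null
    $IPT -I FORWARD -i "$LAN_IF" -j egress
}

# Usage for the wiki's scenarios. Call egress_default_deny first so the
# per-port allow-lists, inserted later, end up above it. The two SMTP
# forms are alternatives: do not hook both on port 25.
#   egress_default_deny
#   egress_allowlist smtp_to   25 dst safe.server1.com safe.server2.com
#   egress_allowlist smtp_from 25 src 192.168.1.2
#   egress_allowlist http_to   80 dst dd-wrt.com
```

Because each policy lives in a named chain, iptables -vnL smtp_from shows exactly that policy's counters, which is much easier to read than a FORWARD chain with dozens of interleaved rules.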

Reject clients from accessing the router's configuration

This prevents clients on the LAN (interface br0) from reaching the router's configuration interface through any of the following ports: telnet/23, ssh/22, http/80, https/443.

Tip: if you disable management from the LAN, be sure to enable remote management on the WAN (or vice versa), or you will probably lock yourself out of the router.

Restrict access by MAC address

In this example we restrict access to the router's web interface by MAC address: only the computer with the specified MAC address should be able to reach the web interface from the LAN.

First, if no Access Restrictions policy that filters by MAC address is enabled, you may need to load the iptables mac match module manually.

Notice the ! (bang), another new concept introduced here. It means 'NOT'. Inspecting the rule closely, it REJECTs packets destined for port 80 on the router as long as they do NOT originate from the computer with the desired MAC address.

Caution! As always when dealing with MAC addresses, be aware that a malicious user can spoof the MAC address of a trusted machine. You can make this harder with static ARP entries, VLANs, port isolation and the like, but a MAC filter alone is not an authentication mechanism.
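The following script is an added example, not code from the wiki or from the forum thread above. It covers this section (management ports reachable from one MAC only, using the previous section's port list) and the 'ARP binding' the forum poster asked for: a static ARP entry plus a chain that only forwards known (IP, MAC) pairs, so a PC that simply changes its IP stops being forwarded. It assumes busybox arp and the xt_mac/ipt_mac match are present; set IPT=echo and ARP=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not wiki or forum code): management access limited to one
# MAC, and the IP-to-MAC "ARP binding" asked for in the forum thread.
# Assumes busybox arp and the xt_mac/ipt_mac match. Set IPT=echo and
# ARP=echo to print instead of apply.
IPT="${IPT:-iptables}"
ARP="${ARP:-arp}"
LAN_IF="${LAN_IF:-br0}"

# Load the MAC match if the build did not: xt_mac (2.6/3.x) or ipt_mac (2.4).
load_mac_match() { modprobe xt_mac 2>/dev/null || insmod ipt_mac 2>/dev/null || true; }

# iptables wants colon-separated hex pairs; anything else is rejected here
# rather than turned into a rule that locks you out.
valid_mac() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F])
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Only $1 may reach telnet/ssh/http/https on the router from the LAN.
restrict_mgmt_to_mac() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 1; }
    $IPT -I INPUT -i "$LAN_IF" -p tcp -m multiport --dports 22,23,80,443 \
        -m mac ! --mac-source "$1" -j logreject
}

# IP/MAC binding: bind_start, one bind_ip_to_mac per host, then bind_finish.
# The static ARP entry stops the router learning a spoofed mapping, and the
# lan_bind chain only lets a known (IP, MAC) pair through; a PC that
# changes its IP (the forum poster's complaint) is no longer forwarded.
bind_start() { $IPT -N lan_bind 2>/dev/null; $IPT -F lan_bind; }

bind_ip_to_mac() {
    valid_mac "$2" || { echo "bad MAC: $2" >&2; return 1; }
    $ARP -s "$1" "$2"
    $IPT -A lan_bind -s "$1" -m mac --mac-source "$2" -j RETURN
}

bind_finish() {
    $IPT -A lan_bind -j logdrop
    $IPT -D FORWARD -i "$LAN_IF" -j lan_bind 2>/dev/null
    $IPT -I FORWARD -i "$LAN_IF" -j lan_bind
}
```

The binding only raises the bar: a host that spoofs both the IP and the MAC of a bound pair still passes, which is the caveat stated above. It also only affects forwarded traffic; DHCP and management traffic to the router itself go through INPUT and are untouched, so an unbound host still gets a lease, it just cannot reach the WAN.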

Modifying the TTL

The Time To Live is the maximum number of routers a packet may pass through before it is discarded. In certain situations it can be useful to raise it, typically so that packets arriving with a low TTL are not discarded inside your network, or to hide the extra hop the router adds. The TTL target lives in the mangle table.

  • Example 1: Set the incoming TTL to 10, before the router routes it into the LAN.
  • Example 2: Set the outgoing TTL to 128, just as if a Windows machine were connected directly to the modem.
  • Example 3: Try to hide the fact that an outgoing packet was routed, by incrementing the TTL by one.
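The three TTL examples as functions, added here and not code from the wiki. It assumes the WAN interface is vlan2 (vlan1 on K24 builds, ppp0 for PPPoE) and that the TTL target module (xt_TTL or ipt_TTL) can be loaded; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not wiki code): the three TTL manipulations in the mangle
# table. Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-vlan2}"   # vlan1 on K24 builds, ppp0 when PPPoE is used

# The TTL target lives in the mangle table; load it if the build did not.
load_ttl_target() { modprobe xt_TTL 2>/dev/null || insmod ipt_TTL 2>/dev/null || true; }

# Example 1: rewrite the TTL of packets arriving from the WAN before routing,
# so that a low TTL set upstream does not expire inside the LAN.
set_inbound_ttl()  { $IPT -t mangle -I PREROUTING -i "$WAN_IF" -j TTL --ttl-set "$1"; }

# Example 2: give every outgoing packet the TTL a Windows host would use, so
# the upstream side cannot tell from the TTL that a router sits in between.
set_outbound_ttl() { $IPT -t mangle -I POSTROUTING -o "$WAN_IF" -j TTL --ttl-set "$1"; }

# Example 3: add back the one hop that routing just subtracted, which hides
# the router without forcing a fixed value on packets from every OS.
hide_hop() { $IPT -t mangle -I POSTROUTING -o "$WAN_IF" -j TTL --ttl-inc 1; }
```

Example 1 removes the loop protection TTL provides: if a routing loop ever forms between the router and a LAN device, packets reset to 10 on every pass keep circulating instead of dying, so keep the value small.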

Firewall Forwarded Ports

If you have enabled the SPI firewall feature on DD-WRT, the router itself is reasonably well protected. One practical use of iptables, however, is protecting ports that are forwarded to internal IP addresses. The simplest way to do this is:

  • Create port forwards to internal IP addresses using the DD-WRT 'Port Forwarding' web interface
  • Supplement those rules with custom iptables rules in the Firewall script under Administration - Commands, to restrict which hosts can access the ports involved

Port Forward Example

The current port forwarded setup via the web GUI will be used as the basis to illustrate some examples:

  • Application: ssh Port: 4022 Protocol: TCP forward to IP address: 192.168.1.5 Port: 22
  • Application: ftp Port: 21 Protocol: TCP forward to IP address: 192.168.1.6 Port: 21

The example here port forwards external IP on port 4022 to internal server 192.168.1.5:22 for ssh and external port 21 to internal server 192.168.1.6:21 for ftp.

Firewall Rule Examples

You may first want to protect your ssh port from script kiddies and prevent brute-force attacks. You can limit the number of NEW ssh connections to about 3 attempts per minute; any further attempts to crack the ssh port are dropped:

FTP access can also be limited to a certain network or network range in the following manner:

You can of course combine both rate limiting and source address restrictions. The following example limits ssh connections to 207.171.160.0/19 with the same rate limit applied, along with the FTP rules, all in the same script:

For multiport INPUT (or FORWARD, if you choose) rate limiting, the following syntax can be used:

To verify that the rules are working, open a terminal session and type iptables -vnL | more

If you're adding a lot of rules, it helps to separate them with comments using the # prefix. You can of course use the basics of iptables explained in this article to make your rules more complex to suit your needs. Rather than ordering the rules carefully, the examples here simply insert the new ones at the top of the FORWARD chain. This ensures that the rules that limit traffic appear at the top of the chain and are applied first.

You may examine these rules on the router at any time by opening the router's command prompt and running 'iptables -vnL'.
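The script below is an added example, not code from the wiki, serving both 'Port Forwarding to a specific LAN IP' and this section: it creates the two forwards from the Port Forward Example, rate-limits NEW connections to the forwarded ssh service with the recent match, and restricts the forwarded ftp service to one network with a drop rule rather than a source-qualified ACCEPT (an ACCEPT that names a source does nothing to stop other sources, which is the behaviour reported in the port-forwarding section). It assumes the WAN interface is vlan2 and that the logdrop chain exists; older iptables builds write the negation as -s ! net instead of ! -s net. Set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not wiki code): forwarded ports with rate limiting and
# source restriction. Set IPT=echo to print instead of apply.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-vlan2}"   # vlan1 on K24 builds, ppp0 when PPPoE is used

# Port forward: DNAT on the WAN interface plus the FORWARD rule that lets the
# translated packet through. $1 external port, $2 internal IP, $3 internal
# port, $4 protocol (tcp), $5 allowed source network (any).
# The FORWARD rule sees the packet AFTER DNAT, so it must match the
# internal address and port, not the external one.
forward_port() {
    ext=$1; ip=$2; port=$3; proto=${4:-tcp}; src=${5:-0.0.0.0/0}
    $IPT -t nat -I PREROUTING -i "$WAN_IF" -p "$proto" -s "$src" --dport "$ext" \
        -j DNAT --to-destination "$ip:$port"
    $IPT -I FORWARD -i "$WAN_IF" -p "$proto" -s "$src" -d "$ip" --dport "$port" -j ACCEPT
}

# Restrict an existing forward (for example one made in the GUI) to one
# network by dropping every other source on top of FORWARD. Unlike an
# ACCEPT with -s, this actually excludes the others.
restrict_forward_src() {
    ip=$1; port=$2; net=$3
    $IPT -I FORWARD -i "$WAN_IF" -p tcp -d "$ip" --dport "$port" ! -s "$net" -j logdrop
}

# Allow at most $3 NEW connections per 60 s to the forwarded service; the
# next ones are logged and dropped. Inserted check-first, then --set, so the
# --set rule ends up above the --update check.
rate_limit_forward() {
    ip=$1; port=$2; max=$3; name="fwd_$port"
    $IPT -I FORWARD -i "$WAN_IF" -p tcp -d "$ip" --dport "$port" -m state --state NEW \
        -m recent --update --seconds 60 --hitcount "$((max + 1))" --name "$name" -j logdrop
    $IPT -I FORWARD -i "$WAN_IF" -p tcp -d "$ip" --dport "$port" -m state --state NEW \
        -m recent --set --name "$name"
}

# The wiki's two forwards, guarded. Each call inserts at the top, so the
# guards issued after a forward land above its ACCEPT.
apply_example() {
    forward_port 4022 192.168.1.5 22
    rate_limit_forward 192.168.1.5 22 3
    forward_port 21 192.168.1.6 21
    restrict_forward_src 192.168.1.6 21 207.171.160.0/19
}
```

With logging enabled, the recent-match drops appear in /var/log/messages with the logdrop prefix, so a burst of DPT=22 entries from one SRC is the brute-force attempt being throttled; the ftp forward additionally needs the ip_conntrack_ftp helper for data connections, as with any FTP through NAT.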

Logging

Consider turning on logging temporarily for any of your rules. This is useful when testing a new setup to confirm that the rules block or allow what you intend. First enable logging via the web UI on the Security - Firewall tab. Then substitute the jump target ('-j') of each of your iptables rules with the corresponding logging target:

  • DROP with logdrop
  • REJECT with logreject
  • ACCEPT with logaccept

For example, to check whether traffic forwarded to port 21 is correctly dropped, you would substitute the DROP target of that rule with logdrop.

Logged data can be viewed in the web UI on the same page, or at the command prompt in the file '/var/log/messages'.
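Reading /var/log/messages by eye gets tedious once a rule logs more than a handful of packets. The following is an added example, not code from the wiki: it summarises the kernel log entries for one logging target by source address and destination port, busiest source first, so you can confirm which rule fired and against whom. It assumes the logdrop/logaccept/logreject chains prefix their LOG entries with DROP, ACCEPT and REJECT respectively; the sample lines are constructed in that format and are not from a real router.

```shell
#!/bin/sh
# Added example (not wiki code): summarise firewall log hits by prefix
# ("DROP", "ACCEPT", "REJECT"), counted per source address and
# destination port, busiest first.
# Usage on the router: summarize_hits DROP < /var/log/messages
summarize_hits() {
    prefix=${1:-DROP}
    awk -v p="$prefix" '
        $0 ~ ("kernel:.*" p " ") && /SRC=/ {
            src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)   # absent for ICMP
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample lines (assumed format of the logdrop/logaccept LOG
# entries): three ssh drops from one host, one accepted ssh connection,
# one ftp drop and one dropped ping.
sample_log() {
cat <<'EOF'
Nov  6 22:55:01 router kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 SYN
Nov  6 22:55:02 router kernel: DROP IN=vlan2 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=65535 SYN
Nov  6 22:55:03 router kernel: DROP IN=vlan2 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=65535 SYN
Nov  6 22:55:04 router kernel: ACCEPT IN=vlan2 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=60 TTL=57 ID=4 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 SYN
Nov  6 22:55:05 router kernel: DROP IN=vlan2 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=60 TTL=57 ID=5 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=65535 SYN
Nov  6 22:55:06 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.77 DST=203.0.113.2 LEN=28 TTL=240 ID=6 PROTO=ICMP TYPE=8 CODE=0
EOF
}
```

On the sample, sample_log | summarize_hits DROP puts "3 198.51.100.7 22" first, which is the pattern a rate-limited brute-force attempt leaves behind; switch the prefix to ACCEPT to confirm that the rule you meant to allow is the one actually matching.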

Firewall blocks DHCP renewal responses

The default configuration of the firewall blocks DHCP renewal responses, which causes the router's DHCP client to request a new IP and drops current connections whether or not the address changes. ~phuzi0n The fix is an INPUT rule on the WAN interface that accepts the DHCP server's replies (udp, source port 67, destination port 68). Replace ACCEPT with logaccept to verify that it is functioning.
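Added example, not code from the wiki, serving the Interfaces section as well as this one: instead of hard-coding vlan1 or vlan2 (which differs between K24 and K26/K3.x builds and is wrong for PPPoE), the script resolves the interface names at run time and then applies the DHCP renewal fix on the physical WAN port, which is where the DHCP client runs even when the routed WAN interface is ppp0. It assumes DD-WRT's get_wanface helper and the wan_iface, wan_ifname and lan_ifname nvram variables; both lookups are tried so the script works if only one exists. Set IPT=echo to print the rule instead of applying it.

```shell
#!/bin/sh
# Added example (not wiki code): resolve interface names from the router
# instead of hard-coding them, then apply the DHCP renewal fix.
# Assumptions: DD-WRT's get_wanface helper and/or the wan_iface,
# wan_ifname and lan_ifname nvram variables. Set IPT=echo to print.
IPT="${IPT:-iptables}"

# Active WAN interface for filter/NAT rules: ppp0 when PPPoE/PPTP is up,
# otherwise the physical WAN port (vlan1 on K24, vlan2 on K26/K3.x).
wan_iface() {
    if command -v get_wanface >/dev/null 2>&1; then
        get_wanface
    else
        w=$(nvram get wan_iface)
        [ -n "$w" ] || w=$(nvram get wan_ifname)
        echo "$w"
    fi
}

# Physical WAN port: DHCP talks here even when the routed WAN is ppp0.
wan_phys() { nvram get wan_ifname; }

# LAN side: br0 on a default bridged setup.
lan_iface() { nvram get lan_ifname; }

# DHCP renewal fix: accept the server's reply (udp 67 -> 68) on the WAN
# port. Pass logaccept as $1 to watch the renewals arrive in the log.
allow_dhcp_renew() {
    $IPT -I INPUT -i "$(wan_phys)" -p udp --sport 67 --dport 68 -j "${1:-ACCEPT}"
}
```

A Firewall script written this way survives a move from a K24 build to a K26 build, or a switch from DHCP to PPPoE, without editing every rule; the ifconfig tip above remains the way to check what the functions return on a given router.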

Caution

Adding iptables commands to your startup routine risks locking yourself out of the box with no option but to start over. If you are experimenting with new commands, you can insure yourself against this scenario by putting a sleep command before the iptables command(s). This way you grant yourself, say, five minutes (sleep 300) before your commands take effect. If your commands do backfire and you are unable to log in to your box, simply restart it by switching it off and on again and you will have five minutes to get in.

Another way is to try the command over ssh (or in the GUI command shell, then click 'Run command'*): if your command doesn't touch nvram it won't survive a reboot, but it lets you add or insert the new firewall rule immediately for a test. Check it immediately by listing the chain with iptables -vnL and see if it behaves as you expect.

* Caution! In the GUI, echo $? always returns 0 whether the command succeeded or failed.
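The sleep trick above delays a rule; the reverse is often more useful when testing over ssh: apply the rule now, and have it removed automatically unless you confirm within a grace period that you can still get in. The following is an added example, not code from the wiki. It assumes the rule is given without a position number (so the same specification works for -D), that /tmp is writable, and that it is run from an ssh session rather than the GUI command box; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not wiki code): commit-or-revert for a single rule.
# Set IPT=echo to print instead of apply.
IPT="${IPT:-iptables}"
GRACE="${GRACE:-300}"   # seconds before an unconfirmed rule is removed

# Insert a rule and arm a watchdog that deletes it again after GRACE
# seconds. Open a NEW ssh session to prove you still get in, then call
# confirm_rule; if you are locked out, wait and the rule disappears.
# "$@" is the rule after -I with no position number, e.g.:
#   arm_rule INPUT -p tcp --dport 22 -j DROP
arm_rule() {
    $IPT -I "$@"
    ( sleep "$GRACE"; $IPT -D "$@" ) >/dev/null 2>&1 &
    FW_GUARD_PID=$!
    echo "$FW_GUARD_PID" > /tmp/fw_guard.pid
}

# Cancel the watchdog (from this shell or another one via the pid file).
confirm_rule() {
    pid=${FW_GUARD_PID:-$(cat /tmp/fw_guard.pid 2>/dev/null)}
    [ -n "$pid" ] && kill "$pid" 2>/dev/null || true
    rm -f /tmp/fw_guard.pid
}
```

The watchdog deletes by the exact specification it inserted, so it never removes a neighbouring rule by a shifted number; once confirmed, copy the rule into the Firewall script so it survives a reboot, as the main text says.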

See Also

External Resources

Retrieved from 'http://wiki.dd-wrt.com/wiki/index.php/Iptables_command'