YazFi Help with IPTables Script

binky

New Around Here
Hi, I'm trying to lock down my iptables rules and can't figure out the correct way to script this. In YazFi, I have Two way to guest / One way to guest and Client isolation turned off on all guest networks. I'm able to access a camera on guest network 1 (2.4 GHz) from guest network 1 (5 GHz) using a script with this:

#!/bin/sh
# wl0.1 = guest network 1 (2.4 GHz), wl1.1 = guest network 1 (5 GHz)
iptables -I YazFiFORWARD -i wl0.1 -o wl1.1 -s 192.168.3.29 -d 192.168.2.10 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.1 -o wl0.1 -s 192.168.2.10 -d 192.168.3.29 -j ACCEPT

I want to only allow access to port 9000 on the camera (192.168.3.29; guest network 1, 2.4 GHz) to a single IP (192.168.2.10; guest network 1, 5 GHz). I've tried several variations like this but none of them are working.

#!/bin/sh
# camera -> client (any port) and client -> camera (TCP 9000 only)
iptables -I YazFiFORWARD -i wl0.1 -o wl1.1 -s 192.168.3.29 -d 192.168.2.10 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.1 -o wl0.1 -s 192.168.2.10 -d 192.168.3.29 -p tcp --dport 9000 -j ACCEPT

Reading on the forums, I found this. The only issue with this method is it opens it up to the entire guest network and I want to only allow access to a single IP address.

#!/bin/sh
HOST=192.168.3.29   ## the camera, on wl0.1 (guest network 1, 2.4 GHz)
PORTS=9000          ## list of space separated port numbers
PROTOCOL=tcp        ## tcp or udp, depending upon needs

for guest in wl1.1 ; do
    # host -> guest network: any port
    iptables -I YazFiFORWARD -i wl0.1 -o $guest -s $HOST -j ACCEPT
    for port in $PORTS ; do
        # guest network -> host: listed ports only (output interface is the host's, wl0.1)
        iptables -I YazFiFORWARD -i $guest -o wl0.1 -p $PROTOCOL --dport $port -d $HOST -j ACCEPT
    done
done

I'm a novice at Linux scripting so I may be missing something here. Is there a better way to do this?
 
From what I remember, not having touched the YazFi scripting in a while, generally you will need to include both the source port (sport) and destination port (dport) if trying to allow port traffic flow to a specific YazFi guest client. So as a guess (with no way to test at the moment) it might be something like this (or some variation of it):
Code:
#!/bin/sh
# camera -> client: replies from TCP 9000 only
iptables -I YazFiFORWARD -i wl0.1 -o wl1.1 -s 192.168.3.29 -d 192.168.2.10 -p tcp --sport 9000 -j ACCEPT
# client -> camera: TCP 9000 only
iptables -I YazFiFORWARD -i wl1.1 -o wl0.1 -s 192.168.2.10 -d 192.168.3.29 -p tcp --dport 9000 -j ACCEPT
The concept is to allow specific inbound and outbound port connections between the two specific IP addresses on their respective wireless networks in your instance.
 
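The following script is an added example written for this thread; it is not code from either post above or from YazFi itself. It covers both the single-IP, single-port question in the first post and the two-rule shape suggested in the reply, with one change: instead of matching the camera's reply traffic by source port (--sport 9000, which also lets any process on the camera that binds port 9000 open a connection to the client), it uses stateful matching (-m state, the same match the stock Asuswrt firewall rules use) so the camera's interface can only carry replies to connections the client opened. Interface names (wl0.1 for guest 1 on 2.4 GHz, wl1.1 for guest 1 on 5 GHz) and addresses are the ones assumed in the thread. It inserts into YazFiFORWARD only after checking with iptables -C that the rule is not already there, so it is safe to run repeatedly, for example from YazFi's user-script hook (assumed here to be /jffs/addons/YazFi.d/userscripts.d/; check the README for your release, since YazFi rebuilds its chains and rules added by hand from a shell are lost when it does).

```shell
#!/bin/sh
# Added example (not from the thread): let exactly one client on guest 1 (5 GHz)
# reach one TCP port on a camera on guest 1 (2.4 GHz); the camera's side of the
# rule only passes replies. Interfaces and addresses below are assumptions
# taken from the thread; adjust for your router.

CAM_IF=wl0.1            # guest 1, 2.4 GHz: where the camera lives
CAM_IP=192.168.3.29
CLIENT_IF=wl1.1         # guest 1, 5 GHz: where the allowed client lives
CLIENT_IP=192.168.2.10
PROTO=tcp
PORTS="9000"            # space separated list, e.g. "9000 554"
CHAIN=YazFiFORWARD

# Emit one rule spec per line (everything that follows "-I $CHAIN").
rule_specs() {
    for port in $PORTS; do
        # client -> camera: only the listed port, and only for connections the
        # client initiates (NEW) or has already established.
        printf '%s\n' "-i $CLIENT_IF -o $CAM_IF -s $CLIENT_IP -d $CAM_IP -p $PROTO --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # camera -> client: replies only. No --sport here, so nothing on the camera
    # can open a connection to the client just by binding source port 9000.
    printf '%s\n' "-i $CAM_IF -o $CLIENT_IF -s $CAM_IP -d $CLIENT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules the script would insert (one per listed port, plus the reply rule).
rule_count() { rule_specs | wc -l | tr -d ' '; }

# Insert each rule at the top of the chain unless it is already present, so the
# script can be re-run without stacking duplicate rules. DRY_RUN=1 prints the
# iptables commands instead of running them.
apply_rules() {
    rule_specs | while read -r spec; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'iptables -I %s %s\n' "$CHAIN" "$spec"
        # $spec is deliberately unquoted: it must split into separate arguments.
        elif ! iptables -C "$CHAIN" $spec 2>/dev/null; then
            iptables -I "$CHAIN" $spec
        fi
    done
}

# Run with "apply" to change the firewall; any other invocation only prints the rules.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    DRY_RUN=1
    apply_rules
fi
```

Run it once without arguments to see the exact iptables commands it would issue, then with `apply` on the router. Because the rules are inserted with -I they sit above YazFi's own drop rules for the chain, which is what makes the single-host exception take effect; the -C check is what keeps a second run (or a firewall restart that re-invokes the script) from inserting the same two rules again.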
