Block port externally only -- iptables?

zoggy

Using an ASUS RT-AC66U with merlin firmware 380.64_2

I want to lock down a port (3306) so it's LAN only, drop it if it comes from outside the network.
I can't find an easy way to do this via the gui.. I do have DMZ enabled and set for a device.
I have a firewall-start script ( https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset ), I added the relevant rules and it works.. just curious if there is a better way of doing this?

iptables -I INPUT -p tcp --dport 3306 -s 192.168.0.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 3306 -s 127.0.0.0/8 -j ACCEPT
iptables -I INPUT -p tcp --dport 3306 -j DROP
 
I'm not sure I see what your problem is. Rule 9 in your example will drop all unsolicited incoming traffic so there is no need to add additional rules.

What am I missing?

Edit: You've removed the example output now.
 
I updated my topic, I originally was adding the rules with -A which appended them.. which put them too low in the chain to matter. Using -I fixed that. But now I'm curious to find out if there isn't a gui method I'm just overlooking.
 
Just a reminder, when adding rules with -I you need to add them in reverse order of how you want them processed as the command always puts the rule at the top of the chain.

To do what you want, I think you should be able to use a single rule....
iptables -I INPUT -i eth0 -p tcp --dport 3306 -j DROP

No gui method I am aware of.
 
Thank you, I will try this when I get home in the morning.
 
This is one of those "small but important" nuggets of information that you wish you had known about when you first started out learning iptables....... I spent days trying to get a script to work before I came across that exact piece of information in a Linux Journal article... the light bulb came on and I went "Ooooooooooohhh".
As you can imagine, a lot of things suddenly became a whole lot easier after that.
 
Using, "iptables -I INPUT -i eth0 -p tcp --dport 3306 -j DROP" looks like it does not work, can reach the port from outside the network...

Code:
:/jffs/scripts# iptables --line-numbers --list -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  any    any     anywhere             anywhere            set BlockedCountries src
2        0     0 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:mysql
3        0     0 DROP       icmp --  eth0   any     anywhere             anywhere            icmp echo-request
4     4911 1384K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
5       65  2840 DROP       all  --  any    any     anywhere             anywhere            state INVALID
6     1513  266K ACCEPT     all  --  br0    any     anywhere             anywhere            state NEW
7     1114  231K ACCEPT     all  --  lo     any     anywhere             anywhere            state NEW
8        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc
9        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp !echo-request
10       4   296 DROP       all  --  any    any     anywhere             anywhere
 
Try using the FORWARD chain instead (iptables -I FORWARD....) I wasn't sure how having a PC in the DMZ would work.
 
Yep, that works awesome.

iptables -I FORWARD -i eth0 -p tcp --dport 3306 -j DROP

I can see the hits now show up in the counters as well

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  any    any     anywhere             anywhere            set AssHats dst
2        9   456 DROP       all  --  any    any     anywhere             anywhere            set MicrosoftSpyServers dst
3        4   240 DROP       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:mysql 
...
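As an added example (not the poster's script and not part of the original thread), a firewall-start script that combines the two points made in the thread: rules added with -I land at position 1, so a set of rules has to be inserted last-to-first, and the DMZ host's traffic is blocked in FORWARD while the router's own listener is blocked in INPUT. It assumes eth0 is the WAN interface and TCP/3306 is the port; the IPT variable is an override so the functions can be exercised with a stub instead of a live firewall.

```sh
#!/bin/sh
# Added example of a /jffs/scripts/firewall-start for Asuswrt-Merlin; not the
# poster's script. Assumes WAN is eth0 and the service to hide is TCP/3306.
WAN_IF="${WAN_IF:-eth0}"
PORT="${PORT:-3306}"
IPT="${IPT:-iptables}"   # overridable so the functions can be exercised with a stub

# Drop the port when it arrives on the WAN interface. The same spec is used in
# INPUT (the router itself) and FORWARD (hosts behind it, including the DMZ
# host, whose traffic is NATed through FORWARD and never reaches INPUT).
rule_spec() {
    echo "-i $WAN_IF -p tcp --dport $PORT -j DROP"
}

# Insert a rule only if the chain does not already have it. firewall-start runs
# again on every WAN reconnect, so an unconditional -I would pile up duplicates.
add_rule() {
    chain="$1"
    # shellcheck disable=SC2046  # word-splitting of the spec is intended
    if "$IPT" -C "$chain" $(rule_spec) 2>/dev/null; then
        echo "already present: $chain"
        return 0
    fi
    "$IPT" -I "$chain" $(rule_spec)
}

# Insert several rules so they end up in the chain in the order given. Because
# -I always puts a rule at position 1, the rules are inserted last-to-first.
insert_top_down() {
    chain="$1"; shift
    n=$#
    while [ "$n" -gt 0 ]; do
        eval "spec=\${$n}"
        # shellcheck disable=SC2086  # word-splitting of the spec is intended
        "$IPT" -I "$chain" $spec
        n=$((n - 1))
    done
}

main() {
    add_rule INPUT     # protects a listener on the router itself
    add_rule FORWARD   # protects the DMZ host and any port-forwarded LAN host
}

# Only touch the live firewall when running as root on a box that has iptables.
command -v "$IPT" >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] && main
```

Run "iptables -L FORWARD -v --line-numbers" afterwards; the DROP sits at position 1 and its packet counter climbs when the port is probed from the WAN side, as in the listing above.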
 
