blocking ALL but ONE port for a specific lan IP


heliosone

Regular Contributor
Hi everybody!

I'm trying to use iptables to block all ports but one for a specific IP on my LAN.
But I have no luck :(
Router: RT-N66U@MERLIN / 192.168.0.1
Device/IP: 192.168.0.133

The IP belongs to a central heating unit which runs a VNC server (@5900), and is able to be controlled via an app.
As nice as it may be to use the app, I prefer the VNC option, and don't like having the unit always be connected to the company's cloud server; besides, the connection has a data limit, so it's bad either way to be always connected.

Right now I use robocfg to disable the physical ethernet port (and enable/disable it as I need it via SSH), but that's not a real solution, as, as soon as I enable the interface again, the unit phones home to the company server...
To be on the safe side, I also add/remove the virtual server route via SSH, so the VNC server is only reachable on the WAN when I choose it to be.

So what I'm looking for is an iptables setting that blocks ALL but ONE (5900) port for 192.168.0.133.
Also I need a way to remove this total block via SSH at a later point.

BIG thanks ahead for help!!
 
Would dropping the outbound packets to the WAN for the LAN client IP work for you rather than blocking a port?
 
I guess that would do the trick as well, as the VNC connection is an incoming one only.

This will allow the device to still connect to the LAN but disable the WAN connection. Example:
Code:
#!/bin/sh
# Drop forwarded (WAN) traffic coming from PC Lab
iptables -I FORWARD -s 192.168.2.218 -j DROP

Delete the above rule and enable the WAN connection again:
Code:
#!/bin/sh
# Delete the rule above that blocked forwarded traffic from PC Lab
iptables -D FORWARD -s 192.168.2.218 -j DROP
 
I tried using your solution / the FORWARD chain, but this only works if you don't need to access the VNC server from the WAN side
(which I desperately need!)

A few tries later, I found the solution for my problem, and even learned a bit :)

iptables -I OUTPUT -d 192.168.0.133 -j DROP

Finally I understand -I vs -A, as I tried the above earlier with no success, but I used -A, so the new rule wasn't placed on top, but rather at the end...
Thanks for your help!!
 
UPDATE ... "iptables -I OUTPUT -d 192.168.0.133 -j DROP" didn't work..
Well, it kinda worked.. I wasn't able to ping the router from the unit, so I thought DONE.. but it was still phoning home :(

So the FORWARD chain is the right way to go, but in order to reach the unit from the WAN side, the VNC port must be excluded from the blocking rule.

iptables -I FORWARD -d 192.168.0.133 -j DROP
iptables -I FORWARD -s 192.168.0.133 -j DROP

The above blocks traffic FROM and TO the unit (192.168.0.133),

and this forwards traffic on port 5900 TO and FROM the unit:

iptables -I FORWARD -p tcp -d 192.168.0.133 --dport 5900 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.0.133 --sport 5900 -j ACCEPT

At least that's how I understood it, and how it finally really works :)

iptables is still a bit of an ongoing project (to understand) for me, so if there are better solutions.. please don't let me die stupid :)
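The rule set in the post above relies on a `--sport 5900` ACCEPT for the return direction, which also lets the unit open its own outbound connections as long as they happen to use source port 5900. The script below is an added example (not code from this thread or from the Asuswrt-Merlin project) that reaches the same goal with connection tracking instead: only inbound TCP connections to the VNC port may be opened, return packets of those connections are allowed by state, and everything else forwarded from or to the unit is dropped. The chain name `ISOLATE_DEVICE` is a hypothetical choice; the device IP and port are the ones from the thread, and the `state` match is assumed to be available, as it is on Merlin builds. The script only prints the rules unless `apply` is given, so the generated list can be reviewed first.

```shell
#!/bin/sh
# Added example: isolate one LAN host so that only inbound TCP/5900 reaches it.
# Run as:  sh isolate.sh block          (print the rules)
#          sh isolate.sh block apply    (print and apply them)
#          sh isolate.sh unblock apply  (remove everything again)

DEVICE="192.168.0.133"     # the heating unit (value from the thread)
VNC_PORT="5900"            # the one port that must stay reachable
CHAIN="ISOLATE_DEVICE"     # hypothetical user-defined chain name

# Emit the iptables commands for "block" or "unblock" as text, one per line.
# Keeping the rules in a dedicated chain makes removal a flush plus two -D.
build_rules() {
    case "$1" in
    block)
        cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -p tcp -d $DEVICE --dport $VNC_PORT -m state --state NEW -j ACCEPT
iptables -A $CHAIN -j DROP
iptables -D FORWARD -s $DEVICE -j $CHAIN 2>/dev/null
iptables -D FORWARD -d $DEVICE -j $CHAIN 2>/dev/null
iptables -I FORWARD -s $DEVICE -j $CHAIN
iptables -I FORWARD -d $DEVICE -j $CHAIN
EOF
        ;;
    unblock)
        cat <<EOF
iptables -D FORWARD -d $DEVICE -j $CHAIN
iptables -D FORWARD -s $DEVICE -j $CHAIN
iptables -F $CHAIN
iptables -X $CHAIN
EOF
        ;;
    *)
        echo "usage: $0 block|unblock [apply]" >&2
        return 2
        ;;
    esac
}

# Top-level entry point: print the rules, and pipe them to sh when asked to.
if [ $# -gt 0 ]; then
    build_rules "$1" || exit $?
    if [ "$2" = "apply" ]; then
        build_rules "$1" | sh
    fi
fi
```

Two caveats worth knowing before relying on this. First, a phone-home connection that is already open when the rules go in keeps matching ESTABLISHED until it times out, so apply the rules while the unit is disconnected, or power-cycle it once afterwards. Second, FORWARD only sees traffic passing through the router; packets addressed to the router itself (the ping test in the post above) go through INPUT and need a separate rule there if they are to be blocked too. On Merlin firmware the rules are also lost on a firewall restart, so a permanent setup would call the script from /jffs/scripts/firewall-start.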
 
I don't think you need to block both incoming and outgoing traffic, just one or the other will do.