Here’s the project:
\nSecure a wireless access point for vendors\/non-work-computers to use. Disallow access to anything that eats up bandwidth – it’s supposed to be a tool and not a play thing.<\/p>\n
Background:
\nA primary internet connection has 62 public IP addresses. One is pointed to a WRT54-G (v1) router. I installed dd-wrt (v24 preSP2 build 13064) and configured accordingly. I signed up for OpenDNS service to block all the “bad stuff”.<\/p>\n
Problem:
\nMerely putting in the DNS information into the DHCP server is not enough. Any savvy tech user can add their own DNS information into the equation and go from there. I needed a way to block DNS (port 53) on the router side of things so that no outside influences could bypass the security. DD-WRT was configured to block port 53, but that didn’t really work out too well. So I ended up adding my own iptable chain to the router not to block other DNS, but to force it to go through the router’s DNS. Makes things easier in the long run.<\/p>\n
Solution:<\/p>\n
Log into the router
\nClick on the Administration Tab
\nClick on the Commands Tab
\nIn the commands box, paste the following:
\niptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)<\/code>
\niptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)<\/code>
\nClick Save Firewall<\/p><\/blockquote>\nAfter it reboots, test it out. Use 4.2.2.2 as a test DNS server to verify. Awesome, I know.<\/p>\n
Security:
\nWRT54-G running DD-WRT with a non-standard password
\nSSID is not being broadcast
\nWPA2 Personal with AES Encryption
\nWRT54-G is connected to a portion of the main internet pipe on a public IP but is VLAN’d off from the rest of the network
\nDD-WRT admin access is not allowed over the WLAN
\nOpenDNS is blocking almost all access
\nDD-WRT does NOT allow connections before 7AM, after 7PM, or on weekends
\nI’m wearing pants<\/p>\nOK, had to lighten the mood a little bit. But that’s the gist of it.<\/p>\n","protected":false},"excerpt":{"rendered":"
Here’s the project: Secure a wireless access point for vendors\/non-work-computers to use. Disallow access to anything that eats up bandwidth – it’s supposed to be a tool and not a play thing. Background: A primary internet connection has 62 public IP addresses. One is pointed to a WRT54-G (v1) router. I installed dd-wrt (v24 preSP2 … Continue reading Block DNS DD-WRT<\/span>