Monday, May 20, 2013

OpenWrt - restrict LuCI and ssh to a specific host

For security, I only ever want to connect to my OpenWrt router from a specific internal host.  Here is the firewall setup to accomplish that.

relevant part of /etc/config/firewall:

# Only allow 192.168.1.6 to access LuCI http
config 'rule'
        option '_name' 'Restrict-LuCI-http'
        option 'src' 'lan'
        option 'src_ip' !192.168.1.6
        option 'dest_ip' 192.168.1.1
        option 'dest_port' 80
        option 'proto' 'tcp'
        option 'target' 'REJECT'

# Only allow 192.168.1.6 to access LuCI https
config 'rule'
        option '_name' 'Restrict-LuCI-https'
        option 'src' 'lan'
        option 'src_ip' !192.168.1.6
        option 'dest_ip' 192.168.1.1
        option 'dest_port' 443
        option 'proto' 'tcp'
        option 'target' 'REJECT'

# Only allow 192.168.1.6 to access ssh
config 'rule'
        option '_name' 'Restrict-ssh'
        option 'src' 'lan'
        option 'src_ip' !192.168.1.6
        option 'dest_ip' 192.168.1.1
        option 'dest_port' 22
        option 'proto' 'tcp'
        option 'target' 'REJECT'

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)