[Nottingham] iptables arguments

Jason Irwin jasonirwin73 at gmail.com
Wed Nov 26 22:21:43 UTC 2014


Yesterday whilst arguing with the VPN, I discovered that whilst people on
guest WiFi had no LAN access (intentional) they had unfettered access to
the router admin, ssh etc. YIKES!
So I went and checked the iptables rules. I'll be the first to admit that I
struggle with networking, but I now have things fixed and am really
confused as to what the problem was and why the fix works!

Old rules, sourced from
http://www.alexlaird.com/2013/03/dd-wrt-guest-wireless/ :
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
To my basic understanding these say "Anything coming in from br1 (guest
WiFi) on those four ports, tell it where to go in no uncertain terms.
Implicitly everything else is OK".
Yet jumping on to the router's web admin page was permitted. Whut?

New rules, sourced from
http://www.stevejenkins.com/blog/2013/01/use-dd-wrt-to-create-a-guest-wifi-network-and-block-skype/
:
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
This to me says "Deny everything from br1 that's going to the router,
except DHCP and DNS". The only confusion I have with these is the order:
shouldn't the "DROP" be the last entry?

What am I missing/totally failing to understand here?

I've got a few other questions, but I think they're best left until I've
fried a few more neurons reading docs and can ask better questions at a LUG
meet.

J.
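As an added example (not part of Jason's post, and not DD-WRT or iptables code), here is a small Python simulator of the INPUT chain's first-match evaluation. It is faithful to only two facts about iptables: `-I CHAIN rule` with no rule number inserts at position 1 (the top of the chain), and `-A CHAIN rule` appends at the bottom. It loads the four "new" rules in the order they are typed above, reports the order the kernel ends up walking, and then runs some constructed sample packets through that order, through the same rules loaded with `-A`, and through the four "old" REJECT rules. The packet set, the rule and field names, and the port numbers behind the service names (telnet 23, ssh 22, www 80, https 443, as in /etc/services) are assumptions for illustration; the simulator does not say why the old rules failed on the poster's router, which the post leaves open.

```python
# Added example: a minimal first-match simulator for an iptables INPUT chain.
# It is not iptables and not DD-WRT code. It models only the ordering rule
# ("-I" with no rule number inserts at position 1, "-A" appends), first-match
# evaluation, and the chain's default policy.
from dataclasses import dataclass
from typing import Dict, List, Optional

Packet = Dict[str, object]  # keys: in_iface, proto, dport, state (all assumed names)


@dataclass(frozen=True)
class Rule:
    """One INPUT rule. A field left as None is a wildcard, like an omitted match."""
    target: str                      # ACCEPT, DROP or REJECT
    in_iface: Optional[str] = None   # -i br1
    proto: Optional[str] = None      # -p tcp / -p udp
    dport: Optional[int] = None      # --dport N
    state: Optional[str] = None      # -m state --state NEW

    def matches(self, pkt: Packet) -> bool:
        for key, want in (("in_iface", self.in_iface), ("proto", self.proto),
                          ("dport", self.dport), ("state", self.state)):
            if want is not None and pkt.get(key) != want:
                return False
        return True


class Chain:
    """First-match chain with a default policy, like a filter-table INPUT chain."""

    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def insert(self, rule: Rule) -> None:
        """iptables -I INPUT <rule>: no rule number means position 1 (the top)."""
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:
        """iptables -A INPUT <rule>: goes to the bottom."""
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# The four "new" rules from the post, in the order they were typed.
GUEST_RULES = [
    Rule("DROP", in_iface="br1", state="NEW"),
    Rule("ACCEPT", in_iface="br1", proto="udp", dport=67),   # DHCP
    Rule("ACCEPT", in_iface="br1", proto="udp", dport=53),   # DNS
    Rule("ACCEPT", in_iface="br1", proto="tcp", dport=53),   # DNS over TCP
]

# The four "old" rules: REJECT only telnet/ssh/www/https from br1 (ports assumed from /etc/services).
OLD_RULES = [
    Rule("REJECT", in_iface="br1", proto="tcp", dport=p) for p in (23, 22, 80, 443)
]


def build(rules: List[Rule], use_insert: bool) -> Chain:
    """Load rules in typed order with -I (use_insert=True) or -A (use_insert=False)."""
    chain = Chain(policy="ACCEPT")
    for rule in rules:
        (chain.insert if use_insert else chain.append)(rule)
    return chain


# Constructed sample traffic (not captured from the poster's router).
SAMPLE: Dict[str, Packet] = {
    "guest_dhcp":    {"in_iface": "br1", "proto": "udp", "dport": 67, "state": "NEW"},
    "guest_dns":     {"in_iface": "br1", "proto": "udp", "dport": 53, "state": "NEW"},
    "guest_http":    {"in_iface": "br1", "proto": "tcp", "dport": 80, "state": "NEW"},
    "guest_ssh":     {"in_iface": "br1", "proto": "tcp", "dport": 22, "state": "NEW"},
    "guest_alt_web": {"in_iface": "br1", "proto": "tcp", "dport": 8080, "state": "NEW"},
    "guest_reply":   {"in_iface": "br1", "proto": "tcp", "dport": 80, "state": "ESTABLISHED"},
    "lan_http":      {"in_iface": "br0", "proto": "tcp", "dport": 80, "state": "NEW"},
}


def verdicts(rules: List[Rule], use_insert: bool) -> Dict[str, str]:
    """Verdict for every sample packet under the given rules and load method."""
    chain = build(rules, use_insert)
    return {name: chain.verdict(pkt) for name, pkt in SAMPLE.items()}


def effective_order(rules: List[Rule], use_insert: bool) -> List[str]:
    """The order the chain is actually walked, roughly what iptables -L INPUT would list."""
    return [r.target + ("" if r.dport is None else f" {r.proto}/{r.dport}")
            for r in build(rules, use_insert).rules]


if __name__ == "__main__":
    print("-I order:", effective_order(GUEST_RULES, True))
    print("-A order:", effective_order(GUEST_RULES, False))
    for label, use_insert in (("-I", True), ("-A", False)):
        print(label, verdicts(GUEST_RULES, use_insert))
    print("old rules:", verdicts(OLD_RULES, True))
```

Because every `-I` goes to the top, the DROP that was typed first ends up below the three ACCEPTs, which is the order the post expects; loading the same four lines with `-A` would put the DROP first and the DHCP and DNS ACCEPTs would never be reached. The DROP rule also matches only state NEW, so a packet belonging to an already accepted connection falls through to the chain policy. The old rule set only ever matches the four named ports, so anything listening elsewhere is left to the policy.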