Posted: Thu Dec 01, 2016 0:48 Post subject: did I set up iptables correctly to block printer from internet
Hi, did I set up my iptables correctly to block my printer from accessing the internet? Thanks. It did not seem to work; my printer was still able to access the internet
(HP test server).
BTW, next time you post a picture, please limit the picture width to 800 pixels. It can easily be done by trimming the unnecessary background from the picture. Otherwise, others may not bother to read your post, as the text is hard to read when you attach a large picture.
I have tried access restrictions, and that is the only thing that works.
But I did this in part to learn iptables, and really wanted the iptables rules to work out.
I added the iptables rules exactly as described by another member.
In the future I will crop my images to the correct size for others.
But what is wrong with my iptables rules as I have placed them in the firewall rules?
First directive will send extra options tagged as "known" to machine with Ethernet address 11:22:33:44:55:66.
The other directive will ignore any clients which are not specified in dhcp-host lines. Equivalent to ISC "deny unknown-clients".
This relies on the special "known" tag which is set when a host is matched.
On Linux, (!) means NOT.
The first command that you suggested did the trick very well. I set my printer to a static IP of 192.168.1.110
and used this on my WRT1900AC:
iptables -I FORWARD 1 -d (IP to Block) -j DROP
iptables -I OUTPUT 1 -d (IP to Block) -j DROP
>>RESULT: Gateway blocked + external IP blocked. WORKED!
When I used the access restriction on DD-WRT and entered my printer's MAC address:
>>RESULT: Gateway accessible, BUT external IP blocked.
This command, at least on my router (WRT1900AC), did not yield a result:
iptables -A INPUT -i eth0 -s 192.168.1.10 -j DROP
iptables -A FORWARD -i eth0 -s 192.168.1.10 -j DROP
iptables -A FORWARD -o eth0 -s 192.168.1.10 -j DROP
>>RESULT: Did not work, printer (HP) corporate web server accessible.
Now on to my question about your other command:
iptables -I INPUT -p tcp --dport 80 -m mac ! --mac-source 00:24:81:D7:26:B4 -j REJECT --reject-with tcp-reset
This suggests to me that you are only rejecting requests coming from port 80 to a particular MAC address? Is this correct? What if somebody from the
web accesses the printer aside from port 80? PS: networking noob here.
BTW, when I try to set up an Ubuntu printer driver to make it print on my local network, this command blocks all communication between my computer's driver and the printer.
Anyone know why? Shouldn't these commands only block outside (WAN) communication onto the LAN?
iptables -I FORWARD 1 -d (IP to Block) -j DROP
iptables -I OUTPUT 1 -d (IP to Block) -j DROP
To block your printer from accessing the Internet on any port:
iptables -I FORWARD -s 192.168.1.110 -o `get_wanface` -m state --state NEW -j DROP
iptables -I FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -o `get_wanface` -m state --state NEW -j REJECT
where aa:bb:cc:dd:ee:ff is my printer's MAC address.
Would this discriminate by MAC address? Is this the right syntax? I know I can do this via the GUI, but I want to learn how to block devices by MAC address from the internet.
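The two FORWARD rules from the suggestion above, wrapped into a small DD-WRT firewall script as an added example (not code from any post in this thread): it builds each rule from the printer's IP or MAC, inserts it only if it is not already present so re-running the firewall script does not stack duplicates, and relies on DD-WRT's `get_wanface` helper for the WAN interface name. Because the rules match `-s`/`--mac-source` of the printer together with `-o <WAN>` and `--state NEW`, only connections the printer itself opens toward the WAN are dropped; LAN-side printing and replies to LAN clients are untouched. The IP and MAC are the placeholder values used in the thread.

```shell
#!/bin/sh
# Added example for a DD-WRT "Firewall" script (not from the thread).
# Assumes DD-WRT's get_wanface helper; addresses below are placeholders.

PRINTER_IP="192.168.1.110"          # static IP given to the printer
PRINTER_MAC="aa:bb:cc:dd:ee:ff"     # placeholder MAC address of the printer

# Print the chain plus rule spec for one rule (no "iptables" prefix), so the
# same string can be passed to both "iptables -C" and "iptables -I".
# $1 = "ip" or "mac", $2 = printer IP or MAC, $3 = WAN interface name.
printer_block_rule() {
    case "$1" in
        ip)  printf '%s' "FORWARD -s $2 -o $3 -m state --state NEW -j DROP" ;;
        mac) printf '%s' "FORWARD -m mac --mac-source $2 -o $3 -m state --state NEW -j REJECT" ;;
        *)   return 1 ;;
    esac
}

# Insert a rule at the top of its chain unless it already exists
# (iptables -C exits 0 when an identical rule is present).
apply_rule() {
    # Word-splitting of the rule string into arguments is intended here.
    # shellcheck disable=SC2086
    if iptables -C $1 2>/dev/null; then
        echo "already present: $1"
    else
        iptables -I $1 && echo "inserted: $1"
    fi
}

main() {
    wan=$(get_wanface)                 # DD-WRT helper, e.g. "eth0" or "ppp0"
    apply_rule "$(printer_block_rule ip "$PRINTER_IP" "$wan")"
    apply_rule "$(printer_block_rule mac "$PRINTER_MAC" "$wan")"
    # Check: the pkts/bytes counters on these rules grow each time the
    # printer tries to phone home, while LAN printing keeps working.
    iptables -L FORWARD -n -v --line-numbers | head -n 5
}

# Only touch the firewall when iptables exists (i.e. on the router) and
# the script was explicitly asked to apply; otherwise just define functions.
if command -v iptables >/dev/null 2>&1 && [ "$1" = "--apply" ]; then
    main
fi
```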