IPTables broken on Kong build?

imalilteapot
DD-WRT User


Joined: 19 Sep 2007
Posts: 66

Posted: Sat Aug 12, 2017 5:21    Post subject: IPTables broken on Kong build?
Router Model Netgear R8000
Firmware Version DD-WRT v3.0-r33010M kongac (08/08/17)
Kernel Version Linux 4.4.79 #419 SMP Tue Aug 8 00:12:53 CEST 2017 armv7l

I have a handful of iptables rules, specifically ones that drop/block connections to various subnets. I also have a few rules that block access to certain IP addresses.

When I typed in iptables -L and ran the command, I noticed none of the rules were listed.

When I tested an IP address that was on the block list, it was actually allowed.

I saved the iptables rules in the Firewall script. I rebooted the router.

Examples:

iptables -I FORWARD -s x.x.x.x/23 -j DROP
iptables -A FORWARD -s x.x.x.x -j DROP

EDIT: I should add that what I'm trying to do is to prevent local machines from connecting to a specific IP address. I don't want any endpoint to be able to connect to an IP, nor do I want that IP to connect to me.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6409
Location: UK, London, just across the river..

Posted: Sat Aug 12, 2017 6:51    Post subject:
iptables runs only on the WAN side; you cannot perform LAN-to-LAN rules... also make sure your syntax is correct.
Can you post the output of iptables -vnL?

iptables -I FORWARD -s x.x.x.x/24 -d 192.168.1.1/24 -j DROP
Those are working for me; even with source only it's working.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
imalilteapot
DD-WRT User


Joined: 19 Sep 2007
Posts: 66

Posted: Sat Aug 12, 2017 15:02    Post subject:
This is going from internal to external,
intranet to internet.

I simply want to block all devices from accessing the external IP.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Sat Aug 12, 2017 15:20    Post subject:
iptables -vnL instead of iptables -L? Just as Alozaros said, that will give you all rules.
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
imalilteapot
DD-WRT User


Joined: 19 Sep 2007
Posts: 66

Posted: Sat Aug 12, 2017 16:17    Post subject:
Here is the requested output

https://pastebin.com/k7GX6RRU
imalilteapot
DD-WRT User


Joined: 19 Sep 2007
Posts: 66

Posted: Sat Aug 12, 2017 16:27    Post subject:
To update the thread...

This rule does not work:
iptables -I FORWARD -s 52.219.28.92 -j DROP

This rule works:
iptables -I FORWARD -s 52.219.28.92 -d 192.168.1.1/24 -j DROP

Do I always have to include the -d (destination) address for all rules? Maybe this is why :)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Sun Aug 13, 2017 8:14    Post subject:
I think the source is where your connection starts.

iptables -I FORWARD -s 192.168.1.1/24 -j DROP
works in dropping everything coming from that source,
and
iptables -I FORWARD -d 52.219.28.92 -j DROP
drops everything going to that address.

imalilteapot
DD-WRT User


Joined: 19 Sep 2007
Posts: 66

Posted: Sun Aug 13, 2017 15:06    Post subject:
So if I don't want to allow the endpoint to contact the IP, AND I don't want the IP to contact the endpoint, how do I craft the rule?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6409
Location: UK, London, just across the river..

Posted: Tue Aug 15, 2017 7:31    Post subject:
I guess one rule each, as source and destination cannot be the same.
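The point egc and Alozaros make (-s matches the packet's source, -d its destination, so blocking an external host in both directions takes one rule each) can be checked with a small first-match model of the FORWARD chain. This is an added example, not code from the thread or from DD-WRT; it is stateless (no conntrack), the LAN host 192.168.1.50 is a constructed value, and the /24 written as 192.168.1.1/24 is normalised the way iptables prints it in -vnL.

```python
import ipaddress
from typing import List, Optional, Tuple


class Rule:
    """A FORWARD-chain rule reduced to the parts used in the thread: -s, -d and -j.
    Masks are applied as iptables does, so "192.168.1.1/24" means 192.168.1.0/24."""

    def __init__(self, src: Optional[str] = None, dst: Optional[str] = None,
                 target: str = "DROP") -> None:
        self.src = ipaddress.ip_network(src, strict=False) if src else None
        self.dst = ipaddress.ip_network(dst, strict=False) if dst else None
        self.target = target

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (self.src is None or s in self.src) and (self.dst is None or d in self.dst)


def forward_verdict(chain: List[Rule], src_ip: str, dst_ip: str,
                    policy: str = "ACCEPT") -> str:
    """First matching rule wins; fall through to the chain policy otherwise."""
    for rule in chain:
        if rule.matches(src_ip, dst_ip):
            return rule.target
    return policy


LAN_HOST = "192.168.1.50"   # constructed LAN endpoint behind the router
BLOCKED = "52.219.28.92"    # the external address from the thread

# The poster's original rule: matches only packets whose *source* is the external IP.
source_only = [Rule(src=BLOCKED)]
# egc's rule: matches only packets whose *destination* is the external IP.
dest_only = [Rule(dst=BLOCKED)]
# Alozaros's "one rule each": both directions covered.
both_ways = [Rule(src=BLOCKED), Rule(dst=BLOCKED)]


def check(chain: List[Rule]) -> Tuple[str, str]:
    """Return (LAN->external verdict, external->LAN verdict) for a chain."""
    outbound = forward_verdict(chain, LAN_HOST, BLOCKED)
    inbound = forward_verdict(chain, BLOCKED, LAN_HOST)
    return outbound, inbound


if __name__ == "__main__":
    for name, chain in (("-s only", source_only), ("-d only", dest_only), ("both", both_ways)):
        print(f"{name:8} outbound={check(chain)[0]:6} inbound={check(chain)[1]}")
```

The `-s` only chain leaves the LAN-initiated direction at the chain policy, which is the symptom the poster reported; the two-rule chain drops both directions.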