IPTABLES does not work

Megrez7
DD-WRT User


Joined: 25 Aug 2019
Posts: 92

PostPosted: Sat Jan 20, 2024 18:11    Post subject: IPTABLES does not work
Netgear R6400v2 running r54914. Regularly updating firmware.
Pretty basic configuration: own domain, WiFi, 2 WireGuard tunnels.

For one of the tunnels I block access to the whole internal network and to the router itself, with
Code:
# Block new connections from the WG peer subnet into the private ranges and to the router itself
iptables -I FORWARD -s 10.4.2.0/24 -d 192.168.0.0/16 -m state --state NEW -j DROP
# 172.16.0.0/12 is the RFC1918 range; the rule as posted had 72.16.0.0/12, which is public address space
iptables -I FORWARD -s 10.4.2.0/24 -d 172.16.0.0/12 -m state --state NEW -j DROP
iptables -I FORWARD -s 10.4.2.0/24 -d 10.0.0.0/8 -m state --state NEW -j DROP
iptables -I INPUT -s 10.4.2.0/24 -m state --state NEW -j DROP

This was set up in June 2023 with the latest firmware at that time (rules according to this forum) and was working perfectly.

However, I noticed today that peers can access the internal network, as if there were no IPTABLES commands at all.

I decided to reset the router and set it up from scratch, as that had not been done over the last year, but it still does not work.

Furthermore, when I add another IPTABLES rule which enables port forwarding so a WG peer can connect on other ports as well, like 443, it does not work either. But this rule was working fine a few months ago.

It seems like IPTABLES commands are not working, whether they are added to Firewall Commands or just run once.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

PostPosted: Sat Jan 20, 2024 18:16    Post subject:
You can view your iptables with
iptables -vnL FORWARD
iptables -vnL INPUT

Let's see the output.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Megrez7
DD-WRT User


Joined: 25 Aug 2019
Posts: 92

PostPosted: Sat Jan 20, 2024 18:40    Post subject:
Looks like the entries are there. I have truncated for brevity once the rules we are talking about appeared.

One more comment.
Flow Acceleration: DISABLED
Shortcut Forwarding Engine: DISABLED; however, I already tried with both SFE and CTF, no change.

I am testing whether remote hosts are reachable with PING and by accessing the www site where available.

Code:
root@ddwrt:~# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  oet2   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp dpt:51811
    0     0 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp dpt:51810
    0     0 DROP       all  --  *      *       10.4.2.0/24          0.0.0.0/0            state NEW


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  oet2   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 DROP       all  --  *      *       10.4.2.0/24          10.0.0.0/8           state NEW
    0     0 DROP       all  --  *      *       10.4.2.0/24          72.16.0.0/12         state NEW
    0     0 DROP       all  --  *      *       10.4.2.0/24          192.168.0.0/16       state NEW
    0     0 DROP       all  --  wl0.1  *       0.0.0.0/0            192.168.153.0/24     state NEW
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

PostPosted: Sat Jan 20, 2024 18:58    Post subject:
Advanced settings, disable "Bypass LAN Same-Origin Policy"

In the firewall script add sleep 20 before the rules



Last edited by egc on Sat Jan 20, 2024 19:14; edited 1 time in total
Megrez7
DD-WRT User


Joined: 25 Aug 2019
Posts: 92

PostPosted: Sat Jan 20, 2024 19:12    Post subject:
It was disabled by default after router Reset and still is.
I did not touch it.

Could it be it shows disabled but is enabled in fact?
Shall I enable and re-disable then?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

PostPosted: Sat Jan 20, 2024 19:14    Post subject:
In the firewall script add sleep 20 before the rules
Megrez7
DD-WRT User


Joined: 25 Aug 2019
Posts: 92

PostPosted: Sat Jan 20, 2024 19:37    Post subject:
Works!

Can you please explain why that works after adding "wait 20"?
And why it used to work without it in the past?
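The listing posted earlier shows the ACCEPT rules for oet1/oet2 sitting above the DROP rules, and iptables stops at the first match, so delaying the firewall script lets the user's -I rules land on top of the tunnel's own rules. The script below is an added example (not the thread's or DD-WRT's own code) that polls for the tunnel interfaces instead of a fixed sleep and uses -C so re-runs do not stack duplicate rules; it assumes the interface names oet1/oet2 from the listing, an iptables build that supports -C, and an IPT variable for dry runs.

```sh
#!/bin/sh
# Added example (not from the thread): DD-WRT Firewall script that waits
# for the WireGuard interfaces before inserting the isolation rules, and
# inserts each rule only if it is not already present. Assumptions: the
# tunnel interfaces are oet1/oet2 as in the posted output, the router's
# iptables supports -C, and IPT may be overridden for a dry run.
IPT="${IPT:-iptables}"
PEERS="10.4.2.0/24"
# RFC1918 ranges (the posted rule had 72.16.0.0/12, which is public space)
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Poll for the interface instead of a fixed sleep; give up after $2 seconds.
wait_for_iface() {
    iface="$1"; max="${2:-20}"; n=0
    while [ ! -d "/sys/class/net/$iface" ]; do
        n=$((n + 1))
        [ "$n" -ge "$max" ] && return 1
        sleep 1
    done
    return 0
}

# Insert a rule at the top of chain $1 unless an identical rule already
# exists, so re-running on firewall restarts does not stack duplicates.
add_rule() {
    chain="$1"; shift
    $IPT -C "$chain" "$@" 2>/dev/null && return 0
    $IPT -I "$chain" "$@"
}

# Full isolation set for the peer subnet: no new connections to the router
# (INPUT) and none forwarded into any private range (FORWARD).
isolate_peers() {
    add_rule INPUT -s "$PEERS" -m state --state NEW -j DROP
    for dst in $RFC1918; do
        add_rule FORWARD -s "$PEERS" -d "$dst" -m state --state NEW -j DROP
    done
}

main() {
    # The -I rules must land after the WireGuard setup has added its own
    # ACCEPT rules for oet1/oet2, otherwise those ACCEPTs sit above the DROPs.
    for i in oet1 oet2; do
        wait_for_iface "$i" 20 || logger -t firewall "$i not up, adding rules anyway"
    done
    isolate_peers
}

# Only auto-run on the router itself (DD-WRT ships the nvram tool).
command -v nvram >/dev/null 2>&1 && main
```

Set IPT to a wrapper such as `echo` to print the rules that would be inserted without touching the live tables.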