iptables not blocking multicast from specific ip range

Author Message
visx
DD-WRT Novice


Joined: 21 Jul 2015
Posts: 2

Posted: Tue Jul 21, 2015 15:37    Post subject: iptables not blocking multicast from specific ip range
Hello,

I want to block all multicast traffic from a specific IP range coming in through one of my LAN ports.

I've tried the following iptables commands, but they don't block the traffic:

commands:
iptables -I INPUT -s 225.0.0.0/16 -j DROP
iptables -I INPUT -d 225.0.0.0/16 -j DROP

result:
DD-WRT:~# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP 0 -- anywhere 225.0.0.0/16
DROP 0 -- 225.0.0.0/16 anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
logaccept 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere


When I use Wireshark to track the traffic through the LAN, I'm still receiving IPv4 traffic with a destination of 225.0.x.x.

What is going wrong? Do I have to use a different command for multicast traffic?

By the way, I don't want to block ALL multicast...just ones going to 225.0.x.x
visx
DD-WRT Novice


Joined: 21 Jul 2015
Posts: 2

Posted: Tue Jul 21, 2015 18:35
OK, I was at least able to block the 225.0.x.x traffic from my wireless interface by doing the following:

Code:

insmod ebtables
insmod ebtable_filter
insmod ebt_pkttype
ebtables -I FORWARD -p IPv4 -o vlan1 --pkttype-type multicast --ip-dst 225.0.0.0/16 -j DROP


This essentially blocks it from going across the LAN-WLAN bridge.


My LAN ports are still being flooded though...Anyone know how to filter this for the LAN ports?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Wed Jul 22, 2015 6:38
Have you tried with an igmpproxy.conf file?

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264294
All times are GMT