For one of the tunnels I block access to the whole internal network and to the router itself, with
Code:
# Drop NEW connections from the WG peer subnet to the RFC 1918 ranges (the LAN side)
iptables -I FORWARD -s 10.4.2.0/24 -d 192.168.0.0/16 -m state --state NEW -j DROP
# 172.16.0.0/12 is the RFC 1918 range; 72.16.0.0/12 is public address space (the listing below still shows the latter)
iptables -I FORWARD -s 10.4.2.0/24 -d 172.16.0.0/12 -m state --state NEW -j DROP
iptables -I FORWARD -s 10.4.2.0/24 -d 10.0.0.0/8 -m state --state NEW -j DROP
# Drop NEW connections from the peers to the router itself
iptables -I INPUT -s 10.4.2.0/24 -m state --state NEW -j DROP
This was set up in June 2023 with the latest firmware at that time (rules according to this forum) and was working perfectly.
However, I noticed today that peers can access the internal network, as if there were no iptables commands at all.
I decided to reset the router and set it up from scratch, as that had not been done over the last year, but it still does not work.
Furthermore, when I add another iptables rule that enables port forwarding so the WG peer can connect on other ports as well, like 443, it does not work either. But this rule was working fine a few months ago.
It seems that iptables commands are not working, whether they are added to Firewall Commands or just run once.
It looks like the entries are there. I have truncated the listing for brevity after the rules we are talking about.
One more comment.
Flow Acceleration: DISABLED
Shortcut Forwarding Engine: DISABLED; however, I have already tried both SFE and CTE, with no change.
I am testing whether remote hosts are reachable with ping and by accessing a website where one is available.
Code:
root@ddwrt:~# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  oet2   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp dpt:51811
    0     0 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp dpt:51810
    0     0 DROP       all  --  *      *       10.4.2.0/24          0.0.0.0/0            state NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  oet2   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 DROP       all  --  *      *       10.4.2.0/24          10.0.0.0/8           state NEW
    0     0 DROP       all  --  *      *       10.4.2.0/24          72.16.0.0/12         state NEW
    0     0 DROP       all  --  *      *       10.4.2.0/24          192.168.0.0/16       state NEW
    0     0 DROP       all  --  wl0.1  *       0.0.0.0/0            192.168.153.0/24     state NEW
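Added example, not part of the post above and not DD-WRT's own tooling. iptables stops at the first matching rule, and in the listing the router's own "ACCEPT all -- oet1/oet2 ... state NEW" rules sit above the DROP rules in both INPUT and FORWARD. Every NEW packet from the peers arrives on oet1 or oet2, so it is accepted before any DROP for 10.4.2.0/24 is consulted, which is consistent with the rules being present but never matching. The script below takes `iptables -S <chain>` output, reports DROP rules for a peer subnet that are shadowed by an earlier source-less ACCEPT on the tunnel interface, and prints the `-D`/`-I CHAIN 1` pairs that would move them to the top. The two rule sets are constructed here as the `-S` form of the listing above (they were not captured from the router); the interface names and 10.4.2.0/24 come from the post, and 172.16.0.0/12 is used as the RFC 1918 range for the third rule.

```shell
#!/bin/sh
# Added example: find DROP rules for a WireGuard peer subnet that are shadowed by an earlier
# catch-all ACCEPT on the tunnel interface, and emit the commands that move them to the top.
# Input format is `iptables -S <chain>`. Nothing here touches the live ruleset.

# Constructed sample: the FORWARD chain from the listing, as `iptables -S FORWARD` would print
# it (assumption: this is the -S form of that listing, not output captured from the router).
FORWARD_AS_LISTED='-A FORWARD -i oet2 -m state --state NEW -j ACCEPT
-A FORWARD -i oet1 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.4.2.0/24 -d 10.0.0.0/8 -m state --state NEW -j DROP
-A FORWARD -s 10.4.2.0/24 -d 172.16.0.0/12 -m state --state NEW -j DROP
-A FORWARD -s 10.4.2.0/24 -d 192.168.0.0/16 -m state --state NEW -j DROP
-A FORWARD -i wl0.1 -d 192.168.153.0/24 -m state --state NEW -j DROP'

# Constructed sample: the INPUT chain from the listing, same assumption.
INPUT_AS_LISTED='-A INPUT -i oet2 -m state --state NEW -j ACCEPT
-A INPUT -i vlan2 -p udp -m udp --dport 51811 -j ACCEPT
-A INPUT -i oet1 -m state --state NEW -j ACCEPT
-A INPUT -i vlan2 -p udp -m udp --dport 51810 -j ACCEPT
-A INPUT -s 10.4.2.0/24 -m state --state NEW -j DROP'

# shadowed_drops SUBNET TUN_IF: read -S rules on stdin and print the DROP rules for SUBNET that
# sit below an ACCEPT without -s (any source) for packets arriving on TUN_IF. Every NEW packet
# from the peers arrives on TUN_IF, so that ACCEPT matches first and the DROP is never reached.
shadowed_drops() {
  awk -v subnet="$1" -v tun="$2" '
    {
      line = " " $0 " "                                  # pad so index() matches whole tokens
      is_accept = (index(line, " -j ACCEPT ") > 0)
      is_drop   = (index(line, " -j DROP ") > 0)
      on_tun    = (index(line, " -i " tun " ") > 0)
      no_src    = (index(line, " -s ") == 0)             # no -s means "any source"
      from_peer = (index(line, " -s " subnet " ") > 0)
      if (is_accept && on_tun && no_src) accept_seen = 1
      if (is_drop && from_peer && accept_seen) print $0
    }'
}

# shadowed_count SUBNET TUN_IF: number of shadowed DROP rules (0 when the order is right).
shadowed_count() {
  shadowed_drops "$@" | awk 'END { print NR }'
}

# reorder_peer_drops SUBNET: print the chain with the DROP rules for SUBNET moved to the top,
# the order the chain needs for those rules to take effect.
reorder_peer_drops() {
  awk -v subnet="$1" '
    {
      line = " " $0 " "
      if (index(line, " -s " subnet " ") > 0 && index(line, " -j DROP ") > 0) first[++nf] = $0
      else rest[++nr] = $0
    }
    END {
      for (i = 1; i <= nf; i++) print first[i]
      for (i = 1; i <= nr; i++) print rest[i]
    }'
}

# fix_commands: turn each "-A CHAIN spec" line on stdin into the iptables commands that delete
# the rule and re-insert it at position 1 of the same chain. Printed only, never executed here.
fix_commands() {
  awk '
    /^-A / {
      chain = $2
      spec = $0
      sub(/^-A [^ ]+ /, "", spec)
      print "iptables -D " chain " " spec
      print "iptables -I " chain " 1 " spec
    }'
}

# Demo on the constructed samples.
echo "FORWARD: shadowed DROP rules = $(printf '%s\n' "$FORWARD_AS_LISTED" | shadowed_count 10.4.2.0/24 oet1)"
echo "INPUT:   shadowed DROP rules = $(printf '%s\n' "$INPUT_AS_LISTED" | shadowed_count 10.4.2.0/24 oet1)"
echo "Commands that would fix FORWARD:"
printf '%s\n' "$FORWARD_AS_LISTED" | shadowed_drops 10.4.2.0/24 oet1 | fix_commands
echo "FORWARD after reordering: shadowed DROP rules = $(printf '%s\n' "$FORWARD_AS_LISTED" | reorder_peer_drops 10.4.2.0/24 | shadowed_count 10.4.2.0/24 oet1)"
```

On a live box the same check is `iptables -S FORWARD | shadowed_drops 10.4.2.0/24 oet1` (and the same for INPUT and oet2). Whatever re-inserts the tunnel's ACCEPT rules above yours, the DROP rules only work while they precede those ACCEPTs, so verify the order with `iptables -S` after the tunnel is up rather than trusting that `-I` put them first when the script ran; if the router recreates the ACCEPT rules when the tunnel restarts, the `-D`/`-I CHAIN 1` pairs have to run after that point. Positive packet counters on the DROP rules are the simplest confirmation that they are now being hit.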