IP tables confusion

splatee · Feb 11, 2016

Hello i am having a bit of a hard time understanding how to use ip tables in RMerlin firmware. I have read through the info and it seems like i have to telnet into the router to run them? I have used DDWRT and it has just built in command line that you can save them to the firewall.

Here is what i am trying to do. I am trying to save the following as a "firewall" rule to block certain youtube servers that are slow.

iptables -I FORWARD -s 173.194.55.0/24 -j REJECT
iptables -I FORWARD -s 206.111.0.0/16 -j REJECT

On DDWRT i would just save those to the firewall rules in the command run window on the firmware. I am not sure how to do this in RMerlin.

Thank you

martinr · Feb 11, 2016

To enhance security, the facility to enter commands via the web gui was removed a while ago. As you say. you need to use telnet or ssh.

Can't help with IP tables, I'm afraid.

ColinTaylor · Feb 11, 2016

You need to create a "firewall-start" script which contains those lines. See https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

splatee · Feb 11, 2016

ColinTaylor said:
You need to create a "firewall-start" script which contains those lines. See https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

Thanks for the info but i am still unclear on how to implement the firewall script. I telnet into router but from there i get lost on how to start firewall and how to load the script. Sorry

ColinTaylor · Feb 11, 2016

What is your current skill level with a Linux command line environment? Do you know how to edit files using "vi"?

Depending on your answer different approaches can be taken.

splatee · Feb 11, 2016

ColinTaylor said:
What is your current skill level with a Linux command line environment? Do you know how to edit files using "vi"?

Depending on your answer different approaches can be taken.

Unfortuantley I am not very skilled in Linux

ColinTaylor · Feb 11, 2016

If you are a Windows user I would suggested that you 1) enable SSH access to the router, and then b) install WinSCP.

Using WinSCP log onto the router and navigate to the /jffs/scripts directory. Right click in that directory and choose New File. Create a new file called firewall-start with the following lines:

Code:

#!/bin/sh

iptables -I FORWARD -s 173.194.55.0/24 -j REJECT
iptables -I FORWARD -s 206.111.0.0/16 -j REJECT

Save the file and then change its properties to 0755.

Reboot and you're done.

splatee · Feb 11, 2016

ColinTaylor said:
If you are a Windows user I would suggested that you 1) enable SSH access to the router, and then b) install WinSCP.

Using WinSCP log onto the router and navigate to the /jffs/scripts directory. Right click in that directory and choose New File. Create a new file called firewall-start with the following lines:

Code:

#!/bin/sh iptables -I FORWARD -s 173.194.55.0/24 -j REJECT iptables -I FORWARD -s 206.111.0.0/16 -j REJECT

Save the file and then change its properties to 0755.

Reboot and you're done.

Yes i am using windows. Ok i will go ahead and try that. Thank you

ColinTaylor · Feb 11, 2016

P.S. I forgot to say, when configuring the WinSCP connection choose protocol SCP.

splatee · Feb 11, 2016

ColinTaylor said:
P.S. I forgot to say, when configuring the WinSCP connection choose protocol SCP.

Seems to be working. Thank you for your help.

martinr · Feb 12, 2016

ColinTaylor said:
If you are a Windows user I would suggested that you 1) enable SSH access to the router, and then b) install WinSCP.

Using WinSCP log onto the router and navigate to the /jffs/scripts directory. Right click in that directory and choose New File. Create a new file called firewall-start with the following lines:

Code:

#!/bin/sh iptables -I FORWARD -s 173.194.55.0/24 -j REJECT iptables -I FORWARD -s 206.111.0.0/16 -j REJECT

Save the file and then change its properties to 0755.

Reboot and you're done.

Reject rather than Drop because that's how it was presented in post #1? Or would there be a good reason to prefer Reject over Drop in this application?

ColinTaylor · Feb 12, 2016

martinr said:
Reject rather than Drop because that's how it was presented in post #1? Or would there be a good reason to prefer Reject over Drop in this application?

Yes, that's exactly what I thought at first. That it would be better to use DROP, but then I googled those specific IP addresses. It turns out to be something to do with speeding up YouTube videos, not blocking hackers. So perhaps in this case REJECT is the required response.

RMerlin · Feb 12, 2016

Imagine someone asks you something, and you don't want to do it. You can:

a) not answer, and let the person wait, until she gets tired and leaves.
b) answer immediately "No, I won't do it".

a) is a DROP, b) is a REJECT. First one makes the person stay around, possibly ask you again in case you didn't hear him the first time, but she won't be sure that you are there or not. Second one is an immediate rejection, which means he can immediately go away, or he can stay and keep asking.

bayern1975 · Jun 18, 2016

with firewall enabled nobody have access to my udpxy outside my home network...but i would like add iptables rule in firewall-start script for one client....for example client from ip range 169.0.0.0/16 may access to my udpxy server with destinaton port 1234....what is working rule?

sent from Kodi 17 Krypton

sfx2000 · Jun 18, 2016

bayern1975 said:
with firewall enabled nobody have access to my udpxy outside my home network..

Should note that never assume someone can't get in - your steps are good, but never assume.

bayern1975 · Jun 19, 2016

sfx2000 said:
Should note that never assume someone can't get in - your steps are good, but never assume.

I know but like to see if there working solution in my case.....

sent from Kodi 17 Krypton

bayern1975 · Jun 20, 2016

what is wrong with this rule? this rule should block all incoming connections to port 1234 except host with IP address 77.66.55.44....? but i test it and do not working...

Code:

iptables -A INPUT -p tcp -s 77.66.55.44 --dport 1234 -j ACCEPT
iptables -A INPUT -p tcp --dport 1234 -j REJECT

ColinTaylor · Jun 20, 2016

bayern1975 said:
what is wrong with this rule?

That's impossible to say without knowing what the other rules of the INPUT chain are. But if I had to guess I'd say it's because you are adding (-A) the rules to the end of the chain, whereas you probably need to insert (-I) them at the beginning.

bayern1975 · Jun 20, 2016

ColinTaylor said:
That's impossible to say without knowing what the other rules of the INPUT chain are. But if I had to guess I'd say it's because you are adding (-A) the rules to the end of the chain, whereas you probably need to insert (-I) them at the beginning.

do you have working solution for my case?

sent from Kodi 17 Krypton

ColinTaylor · Jun 20, 2016

bayern1975 said:
do you have working solution for my case?

Have you tried doing what I suggested?

IP tables confusion

Occasional Visitor

Part of the Furniture

Part of the Furniture

Occasional Visitor

Part of the Furniture

Occasional Visitor

Part of the Furniture

Occasional Visitor

Part of the Furniture

Occasional Visitor

Part of the Furniture

Part of the Furniture

Asuswrt-Merlin dev

Very Senior Member

Part of the Furniture

Very Senior Member

Very Senior Member

Part of the Furniture

Very Senior Member

Part of the Furniture

Similar threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest