IP Tables Help.

Gill

Occasional Visitor
Hey Guys,

I need help with iptables as I am a total noob on this topic. What I am trying to do is to force the users to use a specific DNS. For that purpose I enabled SSH and logged into the router.

cd /jffs/scripts
vi firewall-start
and then pasted this script

#!/bin/sh

#block DNS
iptables -I FORWARD 7 -p udp -o eth0 -d 208.67.222.222 --dport 53 -j ACCEPT
iptables -I FORWARD 8 -p udp -o eth0 -d 208.67.220.220 --dport 53 -j ACCEPT
iptables -I FORWARD 9 -p udp -o eth0 --dport 53 -j DROP

<Esc Key>
:wq

Edit (Also performed chmod a+rx /jffs/scripts/firewall-start)

Restarted my router and it had no internet. I was forcing those DNS servers through the WAN page in the GUI. My questions are:
1) Can you please confirm if my steps are right?
2) How do I check if the script is running/working?
3) If I have to block certain IP blocks from a country, the wiki says to add the code to firewall-script. Should I just copy and paste it like that?

Thanks for the help!
 
If you look at what you have done with "iptables -nvL" I think you will see you have put the drop before the ACCEPTs.
The Web gui for DNSFILTER should do what you want in a much better way - diverting rather than blocking.
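For anyone who still wants the iptables route, here is an added example of a firewall-start that keeps the ACCEPTs ahead of the DROP by construction and covers the "how do I check it" question; it is not the poster's script or anything from this thread. It assumes Asuswrt-Merlin passes the WAN interface to firewall-start as $1, that the LAN bridge is br0, and that the two resolvers are the ones the poster chose.

```shell
#!/bin/sh
# Added example, not the poster's script or anything from this thread: a firewall-start
# that limits LAN clients to an allow-list of DNS resolvers with rule order fixed by design.
# Assumptions: Asuswrt-Merlin passes the WAN interface to firewall-start as $1, the LAN
# bridge is br0 (nvram lan_ifname), and the resolvers are the two the poster chose.

ALLOWED_DNS="208.67.222.222 208.67.220.220"
CHAIN="DNS_ALLOW"

# Emit the iptables commands as text so they can be reviewed before they run.
# A dedicated chain holds the ACCEPTs first and the DROP last, so there are no
# fragile numeric positions like "-I FORWARD 7" that depend on the chain length.
build_dns_rules() {
    lan_if="$1"; wan_if="$2"
    echo "iptables -N $CHAIN 2>/dev/null"   # harmless if the chain already exists
    echo "iptables -F $CHAIN"                # safe to re-run on every firewall restart
    for ip in $ALLOWED_DNS; do
        echo "iptables -A $CHAIN -d $ip -j ACCEPT"
    done
    # Rate-limited log of blocked queries: answers "is it working?" from the syslog.
    echo "iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix 'DNS_BLOCK: '"
    echo "iptables -A $CHAIN -j DROP"
    # Cover UDP and TCP port 53; -I with no position number inserts at the top of
    # FORWARD, ahead of any earlier ACCEPT. Delete first so re-runs do not stack jumps.
    for proto in udp tcp; do
        jump="FORWARD -i $lan_if -o $wan_if -p $proto --dport 53 -j $CHAIN"
        echo "iptables -D $jump 2>/dev/null"
        echo "iptables -I $jump"
    done
}

apply_dns_rules() {
    build_dns_rules "$1" "$2" | sh
}

# Verification: per-rule packet counters show whether clients are hitting the chain.
show_dns_rules() {
    iptables -nvL "$CHAIN" --line-numbers
    iptables -nvL FORWARD --line-numbers | grep "$CHAIN"
}

case "$0" in
    # wan0_ifname fallback is an assumption about the nvram variable name
    *firewall-start) apply_dns_rules "$(nvram get lan_ifname)" "${1:-$(nvram get wan0_ifname)}" ;;
    *)               build_dns_rules br0 eth0 ;;   # under any other name, only print the rules
esac
```

Installed as /jffs/scripts/firewall-start with the same chmod the poster used it applies the rules; run from any other path it only prints them. Afterwards `iptables -nvL DNS_ALLOW` shows the counters rising as clients query, and syslog carries the DNS_BLOCK: lines for anything that was dropped.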
 
But shouldn't the ACCEPTs be there before the explicit deny? The way it would work is to allow traffic only to those 2 destination servers and block others on port 53.

Any idea how to achieve this via the web GUI? I tried the parental controls option but that didn't seem to work. Basically I don't want users to be entering their own DNS servers and surfing the web.
 

You can try, in DNS Filtering under AI Protection, setting the global filtering to "No Filtering" and then setting Custom 1 to the DNS server you want, then listing each device in the table at the bottom and pointing each one to Custom 1. There seems to be a minor problem with the Global Filtering when set to anything other than No Filtering. This is so much easier than messing directly with IP Tables, especially for those of us who know little about it and who, by the smallest of errors, can end up seriously degrading the router's security.

If you try it, would you let us know if it's done what you wanted?
 
Yeah sure. I will give it a shot in the morning since I am working now and don't want to mess up my connection lol. I used to have DD-WRT where firewall rules were so much easier to create and edit: you just drop them in the box in the GUI, which saves a few steps. Wonder if it can be implemented at some point in time in AsusWrt by Merlin.
 
DD-WRT supports maybe 4 or 5 script/custom config. I currently support *60* different user scripts and custom config files. I'm not gonna even try to handle that through a webui...

And what you are trying to do can fully be done using the webui-based DNSFilter anyway.
 
Yeah I totally get you, as I like that this firmware is easy in other ways like upgrading/downgrading and looks so close to AsusWrt, and I thank you for the support and time you provide. Yeah I am going to try to achieve that via the web GUI. I have a couple of questions regarding that if you can help answer those.

1) Will those filter rules via the GUI apply to clients connected through the Guest Wireless connection?
2) Will the clients be able to configure their own server, or would it be similar to iptables?
 

1) Yes
2) No

What DNSFilter does is it flat out redirects any DNS query from specific clients to the DNS you define on the DNSFilter page. So even if a client tries to change his DNS to anything he wanted, it will still be redirected. This is more efficient than the iptables method you wanted to use, which will only prevent them from using anything else - DNSFilter flat out redirects them.
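The redirect behaviour described above can be shown with nat-table DNAT rules, including a per-client override like the Custom 1 / Custom 2 assignment on the DNSFilter page. This is an added illustration, not the firmware's DNSFilter implementation; it assumes Asuswrt-Merlin's nat-start hook for nat-table rules, a br0 LAN bridge, a router address of 192.168.1.1 and a constructed client MAC.

```shell
#!/bin/sh
# Added illustration, not the firmware's own DNSFilter code: "redirect rather than
# block" expressed as nat-table DNAT rules with a per-client override.
# Assumptions: Asuswrt-Merlin's nat-start hook, LAN bridge br0, router LAN address
# 192.168.1.1, and a constructed client MAC address.

LAN_IF="br0"
ROUTER_IP="192.168.1.1"
DEFAULT_DNS="208.67.222.123"                    # Custom 1 from this thread
CLIENT_MAP="00:11:22:33:44:55 208.67.220.123"   # constructed MAC -> Custom 2

# Emit the rules as text. Every rule uses -I (insert at the top), so lines emitted
# later end up above lines emitted earlier: per-client rules override the catch-all.
# Queries addressed to the router itself are left alone so dnsmasq keeps serving
# LAN hostnames; both UDP and TCP are covered so a TCP fallback cannot bypass it.
build_redirect_rules() {
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -i $LAN_IF ! -d $ROUTER_IP -p $proto --dport 53 -j DNAT --to-destination $DEFAULT_DNS"
    done
    echo "$CLIENT_MAP" | while read -r mac dns; do
        [ -n "$mac" ] || continue
        for proto in udp tcp; do
            echo "iptables -t nat -I PREROUTING -i $LAN_IF ! -d $ROUTER_IP -p $proto --dport 53 -m mac --mac-source $mac -j DNAT --to-destination $dns"
        done
    done
}

# Verification: the DNAT counters rise when a client tries a resolver of its own,
# such as the 8.8.8.8 test reported later in this thread.
show_redirect_rules() {
    iptables -t nat -nvL PREROUTING --line-numbers | grep DNAT
}

case "$0" in
    *nat-start) build_redirect_rules | sh ;;
    *)          build_redirect_rules ;;   # under any other name, only print the rules
esac
```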
 
Nice, makes sense. Going to do that right now, just got off from work. I wondered about the first one because I have one device that is connected to the guest network but its MAC doesn't show up in the drop-down box on the DNS Filter page. Thanks for your help.
 
You might need to manually enter it.
 
Yup, I can confirm that it's working fine via the web GUI.
1) I set up my WAN DNS to the ISP's DNS
2) Set Global Mode to No Filter
3) Entered Custom 1 and Custom 2
208.67.222.123
208.67.220.123
4) Manually entered the MAC of my device which didn't appear in the list.
5) Tried static DNS 8.8.8.8 and it still redirected to OpenDNS.

Thanks for your help guys!
 

Excellent. And thanks for letting us know. As for DD-WRT, I'm positive you will never look back after now graduating to Asuswrt-Merlin.
 
