IP Tables Help.

[Gill]

Hey Guys,

I need help on Iptables as I am totally noob on this topic. What I am trying to do is to force the users to use specific DNS. For that purpse I enabled the ssh and logged into the router.

cd /jffs/scripts
vi firewall-start
and then pasted this script

#!/bin/sh

#block DNS
iptables -I FORWARD 7 -p udp -o eth0 -d 208.67.222.222 --dport 53 -j ACCEPT
iptables -I FORWARD 8 -p udp -o eth0 -d 208.67.220.220 --dport 53 -j ACCEPT
iptables -I FORWARD 9 -p udp -o eth0 --dport 53 -j DROP

<Esc Key>
:wq

Edit (Also performed chmod a+rx /jffs/scripts/firewall-start)

Restarted my router and it no internet. I was forcing those DNS through WAN page on gui. My questions are:
1) Can you please confirm if my steps are right.
2) How do i check if the script is running/working?
3) if I have to block certain IP blocks from country, As per wiki it says add the code to firewall-script. Should i just copy and paste it like that?

Thanks for the help!

 

[mstombs]

If you look at what you have done with "iptables -nvL" I think you will see you have put the drop before the ACCEPTs.
The Web gui for DNSFILTER should do what you want in a much better way - diverting rather than blocking.

 

[Gill]

But Shouldn't the Accepts be there before the Explicit Deny. the way it would work is to allow traffic only to those 2 destined server and block others on port 53.

Any idea how to achieve this via web gui. I tried the parental controls option but that didn't seem to work. basically i don't want users to be entering their own DNS servers and surfing the web.

 

[martinr]

........

Any idea how to achieve this via web gui. I tried the parental controls option but that didn't seem to work. basically i don't want users to be entering their own DNS servers and surfing the web.

You can try, in DNS Filtering under AI Protection, setting the global filtering to "No Filtering" and then setting Custom 1 to the DNS server you want, then listing each device in the table at the bottom and pointing each one to Custom 1. There seems to be a minor problem with the Global Filtering when set to anything other than No Filtering. This is so much easier than messing directly with IP Tables, especially for those of us who know little about it and who, by the smallest of errors, can end up seriously degrading the router's security.

If you try it, would you let us know if it's done what you wanted?

 

[Gill]

Yeah sure. I will give it a shot in the morning since I am working now and dont want to mess up my connection lol. I used to have DDwrt where firewall rules were so easier to create and edit..you just drop them in the box in gui.. prevents few steps..wonder if it can be implemented at some point in time in AsusWrt by Merlin.

 

[RMerlin]

Yeah sure. I will give it a shot in the morning since I am working now and dont want to mess up my connection lol. I used to have DDwrt where firewall rules were so easier to create and edit..you just drop them in the box in gui.. prevents few steps..wonder if it can be implemented at some point in time in AsusWrt by Merlin.

DD-WRT supports maybe 4 or 5 script/custom config. I currently support *60* different user scripts and custom config files. I'm not gonna even try to handle that through a webui...

And what you are trying to do can fully be done using the webui-based DNSFilter anyway.

 

[Gill]

Yeah I totally get you as I like this firmware is easy in other ways like upgrading /downgrading and looks so close to asuswrt and I thank you for the support n time you provide. Yeah I am going to try to achieve that via webgui. I have couple questions regarding that if you can help answer those.

1) Will those filter rules via gui apply on clients connected through Guest Wireless connection.
2) Will the clients be able to configure their own server? or it would be like similar to IPtables.

 

[RMerlin]

Yeah I totally get you as I like this firmware is easy in other ways like upgrading /downgrading and looks so close to asuswrt and I thank you for the support n time you provide. Yeah I am going to try to achieve that via webgui. I have couple questions regarding that if you can help answer those.

1) Will those filter rules via gui apply on clients connected through Guest Wireless connection.
2) Will the clients be able to configure their own server? or it would be like similar to IPtables.

1) Yes
2) No

What DNSFilter does is it flat outs redirect any DNS query from specific clients to the DNS you define on the DNSFilter page. So even if a client tries to change his DNS to anything he wanted, it will still be redirected. This is more efficient than the iptables method you wanted to use, which will only prevent them from using anything else - DNSFilter flats out redirects them.

 

[Gill]

nice makes sense. Going to do that right now. just got off from work. I wondered about the first one because I have one device that is connected to guest network but its MAC doesn't show up in the drop down box on DNS Filter page. thanks for your help.

 

[RMerlin]

nice makes sense. Going to do that right now. just got off from work. I wondered about the first one because I have one device that is connected to guest network but its MAC doesn't show up in the drop down box on DNS Filter page. thanks for your help.

You might need to manually enter it.

 

[Gill]

Yup I can confirm that Its working fine via web gui.
1) I set up my WAN DNS to ISP's DNS
2) Set Global Mode to No Filter
3) Entered Custom1 and Custom 2
208.67.222.123
208.67.220.123
4) Manually Entered the MAC of my device which didn't appear in the list.
5) Tried static DNS 8.8.8.8 and it still redirected to opendns.

Thanks for your help guys!

 

[martinr]

Yup I can confirm that Its working fine via web gui.
1) I set up my WAN DNS to ISP's DNS
2) Set Global Mode to No Filter
3) Entered Custom1 and Custom 2
208.67.222.123
208.67.220.123
4) Manually Entered the MAC of my device which didn't appear in the list.
5) Tried static DNS 8.8.8.8 and it still redirected to opendns.

Thanks for your help guys!

Excellent. And thanks for letting us know. As for DD-WRT, I'm positive you will never look back after now graduating to Asuswrt-Merlin.