Asus RT-AC3100, Merlin, how to use iptables to prevent access to port/ip

dogf

Occasional Visitor
Hi,

I am using an RT-AC3100 with Merlin 386_3_2. I want to use iptables to prevent an internal IP from accessing some IPs and ports, but it does not work.

The internal IP is: 192.168.1.110
I want to prevent it from accessing any address on TCP/UDP port 5222. I use these commands:

Code:
iptables -A INPUT -p tcp --dport 5222 -s 192.168.1.110 -j DROP
iptables -A INPUT -p udp --dport 5222 -s 192.168.1.110 -j DROP

But it does not work. :(

Please help.
 
In general, if you append (-A) rules, they will have NO EFFECT, since the INPUT (and FORWARD) chain ends w/ an unconditional DROP rule. Any rules placed after that rule will never be reached. You need to insert (-I) them instead.

Code:
iptables -I INPUT -p tcp --dport 5222 -s 192.168.1.110 -j DROP
iptables -I INPUT -p udp --dport 5222 -s 192.168.1.110 -j DROP

So let's assume you corrected that problem.

This would prevent access to those protocols and ports for the router itself. But it would have NO EFFECT on other devices on the local network (i.e., the rest of 192.168.1.0/24). By definition, the INPUT chain always refers to the router as its destination IP.
 
So please suggest a good approach. Thank you.
 
Are you trying to block access to these IPs/ports on the internet or your LAN?

If it's the internet, you should use the Network Services Filter; that's what it's designed for.
 
I want to use iptables to prevent some internal IP to access to some IP, ports.

Prevent 192.168.1.110 from accessing *what* IP(s)?? As written, it will prevent access to the router on those ports. But if it's meant to prevent access to other IPs as well, is that on the LAN and/or internet? If it's the LAN, you can't use the router's IP firewall to deny access between local devices since they are bridged. The router's IP firewall only comes into play when routing is required in order for the two devices to communicate, which most often means between the LAN and WAN (i.e., internet).
 
I believe that preventing access to any IP (leaving it empty) is the same as "0.0.0.0/0". iptables is smart enough.
 
No. That will only block access to either the router or the internet (depending on what chain you use), it cannot block access to other devices on the LAN.

You still haven't answered the question of *what* you are trying to block access to. The router, the internet or the LAN?
 
I want to block access to the Internet.
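Putting the replies together (insert with -I rather than append with -A, and use the FORWARD chain rather than INPUT when the goal is LAN-to-WAN traffic), here is an added example that is not part of the thread and not Merlin's own code. It prints the rules that would block 192.168.1.110 from reaching TCP/UDP 5222 on the Internet, and includes a check that reads an `iptables -S FORWARD` style listing and reports whether a rule sits above the chain's final unconditional DROP, which is the exact failure the first reply describes. The WAN interface name (eth0), the LAN host, and both chain listings are assumptions constructed for the demo; on the router you would take the interface from `nvram get wan0_ifname` and the listing from `iptables -S FORWARD`.

```shell
#!/bin/sh
# Added example, not from the original thread or from Asuswrt-Merlin.
# 1) Emit the iptables commands that block one LAN host from port 5222 on the WAN.
# 2) Check a FORWARD chain listing to confirm a rule is reachable, i.e. placed
#    above the chain's unconditional "-j DROP".
# Assumptions: WAN interface is eth0 (on the router: "$(nvram get wan0_ifname)");
# the chain listings below are constructed, not captured from a router.

WAN_IF=eth0   # assumed; see note above

# Print the commands for blocking LAN host $1 from reaching port $2 on the WAN.
# FORWARD, not INPUT: INPUT only sees traffic addressed to the router itself.
# -I, not -A: an appended rule lands after the chain's final unconditional DROP
# and is never evaluated.
block_cmds() {
    host="$1"; port="$2"
    for proto in tcp udp; do
        printf 'iptables -I FORWARD -s %s -o %s -p %s --dport %s -j DROP\n' \
            "$host" "$WAN_IF" "$proto" "$port"
    done
}

# Return 0 if a rule containing $2 appears in listing $1 (iptables -S <chain>
# output) before the first unconditional "-j DROP" line, 1 otherwise.
rule_is_effective() {
    printf '%s\n' "$1" | awk -v needle="$2" '
        index($0, needle)    { found = 1; exit }
        /^-A [^ ]+ -j DROP$/ { exit }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed listing: the rule was appended (-A) and ended up below the DROP.
LISTING_APPENDED='-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -s 192.168.1.110/32 -o eth0 -p tcp -m tcp --dport 5222 -j DROP'

# Constructed listing: the rule was inserted (-I) and sits at the top.
LISTING_INSERTED='-A FORWARD -s 192.168.1.110/32 -o eth0 -p tcp -m tcp --dport 5222 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -j DROP'

# How iptables -S renders the tcp rule above (note the /32 and "-m tcp").
NEEDLE='-s 192.168.1.110/32 -o eth0 -p tcp -m tcp --dport 5222 -j DROP'

echo "Commands to run on the router (e.g. from /jffs/scripts/firewall-start):"
block_cmds 192.168.1.110 5222
if rule_is_effective "$LISTING_APPENDED" "$NEEDLE"; then
    echo "appended listing: rule is reachable"
else
    echo "appended listing: rule is below the final DROP and never reached"
fi
if rule_is_effective "$LISTING_INSERTED" "$NEEDLE"; then
    echo "inserted listing: rule is reachable"
else
    echo "inserted listing: rule is below the final DROP and never reached"
fi
```

Rules added by hand at the shell do not survive a reboot or a firewall restart; on Merlin the usual place for them is the /jffs/scripts/firewall-start user script, which runs after the stock chains are built (JFFS custom scripts must be enabled). For blocking a LAN host's Internet access on a port, the Network Services Filter in the GUI, as the second reply suggests, achieves the same result without hand-written rules.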