What's new

Asus RT-AC68U Traffic Blocking Question specific IP and VPN on top of that

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

interesting only firewall start is running the other one doesn't run. I wonder what I Did wrong
 

Attachments

  • fw_start.png
    fw_start.png
    76.3 KB · Views: 128
Lastly I combined all the rules together into 1 file the firewall one and they seem to work but something is still not right as i can ping cnn.com

Any ideas what else it can be.

Thanks for your time Dave
 

Attachments

  • lastpic.png
    lastpic.png
    184.3 KB · Views: 187
  • lastpic_2.png
    lastpic_2.png
    106.8 KB · Views: 137
I [re]combined all the rules together into 1 file the firewall one and they seem to work
Abject apologies :oops:

I was overzealous in splitting the original firewall-start functionality into the correct separate logical scripts

i.e. the firewall may be (re)started at anytime (meaning that the firewall-start script may be executed several times), so it would be prudent to move the creation of the IPSET to init-start which only fires once.
However, init-start executes before the WAN is up, so at this point (if the dnsmasq 'ipset=' directive isn't used) then extracting the IP's associated with a domain will obviously fail. :rolleyes:

NOTE: Ideally, you would periodically save the contents of IPSET Valid_VPN_IP to a disk accessible to the router (such as Entware's /opt file-system), and simply restore it during the boot process in say script post-mount.

(I have updated the scripts in post #10)

but something is still not right as i can ping cnn.com
Currently 192.168.1.26 (only if forced through the VPN) should only be able to open in a web browser 'snbforums.com' or 'reddit.com'?

Regardless if 192.168.1.26 can PING 'cnn.com' , can 192.168.1.26 actually open 'cnn.com' in a browser?

You should provide the output (enclosed in code tags) from the following diagnostic/debugging commands
Code:
iptables  --line  -t filter -nvL FORWARD

iptables  --line  -t mangle -nvL PREROUTING

ip rule

grep Valid_VPN_IP /etc/dnsmasq.conf

grep Valid_VPN_IP /jffs/configs/dnsmasq.conf.add

ipset list Valid_VPN_IP
 
Last edited:
Martineau,

Image attached.

Here is where I am confused.

If i remove the following lines from firewall-start (which I would like to do)
Code:
VPN_ID=1                      # VPN Client 3
VPN_FWMARK="0x1000/0x1000"    # 0x1000=VPN 1, 0x2000=VPN 2, 0x4000=VPN 1, 0x4000=VPN 3,

IPSET_NAME="Valid_VPN_IP"

iptables -t mangle -D PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK 2>/dev/null
iptables -t mangle -A PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK

Does that mean "I" would define when the traffic woud route through the vpn not the rules?

Also if i am able to actually ping cnn.com, does that mean the device can send data to cnn.com (or any other domain) via a API request instead of standard TCP request for port 80, but I just wouldn't see it but the data would be being sent.

Im sorry for all these questions but I just wanted to do this right.
 

Attachments

  • 117_730am.png
    117_730am.png
    158.6 KB · Views: 173
Martineau,

Image attached.

When supplying command output, don't use an image, simply copy and paste the relevant text from the terminal into dialog box

upload_2019-11-17_12-48-0.png


allowing members to construct a relevant reply by only copying the relevant text.
Here is where I am confused.

If i remove the following lines from firewall-start (which I would like to do)
Code:
VPN_ID=1                      # VPN Client 3
VPN_FWMARK="0x1000/0x1000"    # 0x1000=VPN 1, 0x2000=VPN 2, 0x4000=VPN 1, 0x4000=VPN 3,

IPSET_NAME="Valid_VPN_IP"

iptables -t mangle -D PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK 2>/dev/null
iptables -t mangle -A PREROUTING -s $IPADDR -i br0 -m set --match-set $IPSET_NAME dst -j MARK --set-mark $VPN_FWMARK

Does that mean "I" would define when the traffic woud route through the vpn not the rules?

The rules would only apply if the original criteria you want are still a requirement, so you would only need to remove the rules if you change your mind as is your prerogative.

Also if i am able to actually ping cnn.com, does that mean the device can send data to cnn.com (or any other domain) via a API request instead of standard TCP request for port 80, but I just wouldn't see it but the data would be being sent.
The PING protocol icmptype 8/0 is not the same as TCP 80/443 and in some rules need to be explicitly specified, but the blocking rules I provided defaults to ALL protocols.

However,
1. 192.168.1.26 is not forced through an ACTIVE VPN so is using the WAN, since you have not enabled a VPN KILL-switch.
2. There are no firewall BLOCKING rules for 192.168.1.26 to restrict access to domains thru VPNs

So basically what do you expect? :rolleyes:
 
Last edited:
Martineau,

What rules Do I need to write so be it through VPN or not through VPN to only allow specific websites.

to enable this comment
2. There are no firewall BLOCKING rules for 192.168.1.26 to restrict access to domains thru VPNs
Here are my current files

dnsmasq.conf.add
EMPTY

firewall-start
Code:
#!/bin/sh

IPADDR=192.168.2.26

IPSET_NAME="Valid_VPN_IP"


iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT

init-start
Code:
#!/bin/sh

modprobe -sv xt_comment.ko

IPSET_NAME="Valid_VPN_IP"

ipset create $IPSET_NAME hash:net comment 2>/dev/null

wan-start
Code:
#!/bin/sh

# These are optional, but if the doamins are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)
for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment snbforums.com;done;
for IP in $(nslookup "speedtest.net" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment speedtest.net;done;
for IP in $(nslookup "whatismyipaddress.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment whatismyipaddress.com;done;

Also I don't think the wan-start section works as dnsmasq is empty
 
Last edited:
Martineau,

What rules Do I need to write so be it through VPN or not through VPN to only allow specific websites

If you want to apply the domain restriction to a specific LAN device for ANY interface them omit the VPN '-o tun1+' parameter.

firewall-start
Code:
#!/bin/sh

IPADDR=192.168.2.26

IPSET_NAME="Valid_VPN_IP"

logger -st "($(basename $0))" $$ "Creating IPSET '$IPSET_NAME' rules"
# Prevent duplicates but can leave firewall exposed...
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o eth0 -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o eth0 -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED" 2>/dev/null

POS=$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))

# Rather than block ALL interfaces, apply rules to WAN (eth0) interface only
iptables -I FORWARD $POS -s $IPADDR -i br0 -o eth0 -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED"
iptables -I FORWARD $POS -s $IPADDR -i br0 -o eth0 -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED"
iptables -I FORWARD $POS -s $IPADDR -i br0 -o eth0 -p icmp -m icmp --icmp-type 8 -j REJECT -m comment --comment "NoPING"
iptables -I FORWARD $POS -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT
Also I don't think the wan-start section works as dnsmasq is empty

As shown in post #10 you have to execute the command to populate 'dnsmasq.conf.add' ONLY once as this file is permanent and its contents are preserved over a reboot - hence it is illogical to keep appending the same line at the end of the file at every boot/WAN start.
 
Last edited:
Martineau,

I followed all your steps and can't seem to figure out for the life of me what is still wrong. I updated the firewall file from the newest post above and made the other 2 files in step 10 as well as previously writing the
Code:
echo "ipset=/www.siteiwanttoallow.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
2 times one for cnn.com and one for snbforums.com

I then hardcoded my IP to be 192.168.2.26/255.255.255.0/192.168.2.1 and dns of 192.168.2.1

I then tried pinging foxnews.com and was able to connect via chrome as well as reddit.com and was able to connect via chrome.

I even did a ipconfig /flushdns and rebooted.

Is there anything else I am missing?

I appreciate you spending your time to help me with this.

P.S. here are my most recent logs from my last reboot is it weird that firewall start runs 2x.

Code:
Nov 18 01:00:10 ntpd: Initial clock set
Nov 18 01:00:10 rc_service: ntpd_synced 620:notify_rc restart_diskmon
Nov 18 01:00:10 disk_monitor: Finish
Nov 18 01:00:12 disk_monitor: be idle
Nov 18 01:00:30 kernel: SHN Release Version: 2.0.1 890c91d
Nov 18 01:00:30 kernel: UDB Core Version: 0.2.18
Nov 18 01:00:30 kernel: sizeof forward pkt param = 192
Nov 18 01:00:30 BWDPI: fun bitmap = 3
Nov 18 01:00:34 rc_service: udhcpc 462:notify_rc start_firewall
Nov 18 01:00:36 dhcp_client: bound 192.168.1.4 via 192.168.1.1 during 86400 seconds.
Nov 18 01:00:36 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Nov 18 01:00:37 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Nov 18 01:00:42 crond[245]: time disparity of 809335 minutes detected
Nov 18 01:01:06 rc_service: amas_lib 364:notify_rc restart_firewall
Nov 18 01:01:07 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Nov 18 01:01:08 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
 
Is it weird that firewall start runs 2x
It's not weird - simply working as designed.

The firmware may execute the firewall-start/nat-start scripts multiple times whenever it needs to (i.e. after a WAN start event), hence we explicitly accommodate this and ensure duplicate rules etc. are not added by our custom code.
I followed all your steps and can't seem to figure out for the life of me what is still wrong.
I have updated the list of diagnostic/debugging commands in post #23, so you will need to provide the output of those commands when things appear 'weird'.
 
Martineau,

Thank you for the updated debug lines to put ill be able to try them after 630 EST.

What should I see in the output of them?
 
Martineau,

Debug Info added below from the commands requested along with the source of all 3 files I made with what is running at the moment.

P.S. I noticed in the wan-start there was no definition of IP nor IPSET_NAME so I created variables and added them in and rebooted.

For some reason now when I hardcoded the IP i lost ALL Internet on my device and wasn't able to ping any site.

I also noticed the IPSET was empty(I thought the wan start command would populate the IPSET automatically from dnsmasq as you said when I added the variables, but it didn't)



Thanks again for your time.

Code:
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destina                                                                               tion
1    42192   15M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state RELATED,ESTABLISHED
2        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0                                                                               /0
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0                                                                               /0
4      171 14396 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state INVALID
5        0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0                                                                               /0            udp dpt:53
6     2694  353K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0
7     2694  353K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0                                                                               /0
8        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            ctstate DNAT
9        0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state NEW
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0

admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 59632 packets, 18M bytes)
num   pkts bytes target     prot opt in     out     source               destination

admin@RT-AC68U-1340:/tmp/home/root# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /etc/dnsmasq.conf
ipset=/www.cnn.com/Valid_VPN_IP
ipset=/www.snbforums.com/Valid_VPN_IP

admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /jffs/configs/dnsmasq.conf.add
ipset=/www.cnn.com/Valid_VPN_IP
ipset=/www.snbforums.com/Valid_VPN_IP

admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP
ipset v6.32: The set with the given name does not exist


firewall-start

#!/bin/sh

IPADDR=192.168.2.26

IPSET_NAME="Valid_VPN_IP"


iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_ANY" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_ANY" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_ANY"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_ANY"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT


init-start

#!/bin/sh

modprobe -sv xt_comment.ko

IPSET_NAME="Valid_VPN_IP"

ipset create $IPSET_NAME hash:net comment 2>/dev/null


wan-start

#!/bin/sh

IP=192.168.2.26

IPSET_NAME="Valid_VPN_IP"

# These are optional, but if the doamins are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)
for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment snbforums.com;done;
for IP in $(nslookup "cnn.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment cnn.com;done;
 
Last edited:
Martineau,

Debug Info added below from the commands requested along with the source of all 3 files I made with what is running at the moment.

P.S. I noticed in the wan-start there was no definition of IP nor IPSET_NAME so I created variables and added them in and rebooted.

For some reason now when I hardcoded the IP i lost ALL Internet on my device and wasn't able to ping any site.

I also noticed the IPSET was empty(I thought the wan start command would populate the IPSET automatically from dnsmasq as you said when I added the variables, but it didn't)



Thanks again for your time.

Code:
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destina                                                                               tion
1    42192   15M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state RELATED,ESTABLISHED
2        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0                                                                               /0
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0                                                                               /0
4      171 14396 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state INVALID
5        0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0                                                                               /0            udp dpt:53
6     2694  353K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0
7     2694  353K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0                                                                               /0
8        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            ctstate DNAT
9        0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                               /0            state NEW
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0

admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 59632 packets, 18M bytes)
num   pkts bytes target     prot opt in     out     source               destination

admin@RT-AC68U-1340:/tmp/home/root# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /etc/dnsmasq.conf
ipset=/www.cnn.com/Valid_VPN_IP
ipset=/www.snbforums.com/Valid_VPN_IP

admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /jffs/configs/dnsmasq.conf.add
ipset=/www.cnn.com/Valid_VPN_IP
ipset=/www.snbforums.com/Valid_VPN_IP

admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP
ipset v6.32: The set with the given name does not exist


firewall-start

#!/bin/sh

IPADDR=192.168.2.26

IPSET_NAME="Valid_VPN_IP"


iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_ANY" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_ANY" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_ANY"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_ANY"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT


init-start

#!/bin/sh

modprobe -sv xt_comment.ko

IPSET_NAME="Valid_VPN_IP"

ipset create $IPSET_NAME hash:net comment 2>/dev/null


wan-start

#!/bin/sh

IP=192.168.2.26

IPSET_NAME="Valid_VPN_IP"

# These are optional, but if the doamins are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)
for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment snbforums.com;done;
for IP in $(nslookup "cnn.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment cnn.com;done;
It appears that you are not creating IPSET Valid_VPN_IP (init-start) during the boot process, consequently you are missing the ACCEPT/BLOCK firewall rules, as they can't be created (firewall-start) if they refer to an invalid IPSET.

e.g. '-t filter FORWARD' chain to block 192.168.2.26 outbound through ANY interface should look something like this...
Code:
<snip>
9        1    80 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
10       0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0/0            udp dpt:53
11       0     0 ACCEPT     all  --  br0    *       192.168.2.26         0.0.0.0/0            match-set Valid_VPN_IP dst /* ALLOWED_thru_ANY */
12       0     0 DROP       all  --  br0    *       192.168.2.26         0.0.0.0/0            ! match-set Valid_VPN_IP dst /* BLOCKED_thru_ANY */
I suspect that not ALL of the scripts you have created are marked as 'executable' :eek: (as instructed in the single global command at the bottom of post #10), or you can individually explicitly make each one executable:
Code:
chmod a+rx /jffs/scripts/init-start

chmod a+rx /jffs/scripts/wan-start

Thanks for the heads-up! I've updated wan-start code in post #10 which indeed omitted the name of the IPSET to store the retrieved domain IPs :oops::oops:
 
Last edited:
Martineau,

Thanks for your help, Im sorry i wasn't able to post sooner, was busy. Here the most recent debug commands and my current files with the VPN section removed as i wanted to control that.

I readded
IPSET_NAME="Valid_VPN_IP"
to firewall start as it wasn't there in post 10.
I will reboot again now and see if all is correct.


Updated Debug Commands below:
Code:
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8490 2866K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
4       20   920 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0/0            udp dpt:53
6      346  102K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
7      346  102K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
8        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
9        0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 16569 packets, 3798K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /etc/dnsmasq.conf
ipset=/www.snbforums.com/Valid_VPN_IP
ipset=/www.whatismyipaddress.com/Valid_VPN_IP
ipset=/www.speedtest.net/Valid_VPN_IP
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /jffs/configs/dnsmasq.conf.add
ipset=/www.snbforums.com/Valid_VPN_IP
ipset=/www.whatismyipaddress.com/Valid_VPN_IP
ipset=/www.speedtest.net/Valid_VPN_IP
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 554
References: 0
Number of entries: 3
Members:
104.27.126.97
104.27.127.97
8.8.8.8 comment "snbforums.com"
admin@RT-AC68U-1340:/tmp/home/root#

wan-start file
Code:
#!/bin/sh

# These are optional, but if the doamins are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)

IPSET_NAME="Valid_VPN_IP"

logger -st "($(basename $0))" $$  "Adding domains to IPSET $IPSET_NAME"
for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment snbforums.com;done;
for IP in $(nslookup "speedtest.net" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment speedtest.net;done;
for IP in $(nslookup "whatismyipaddress.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment whatismyipaddress.com;done;

firewall-start file
Code:
#!/bin/sh
IPADDR=192.168.2.26
IPSET_NAME="Valid_VPN_IP"
# Prevent duplicates but can leave firewall exposed...
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT
# Non-destructive (but no less exposed?) method to prevent duplicates
#[ iptables -C FORWARD -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
#[ iptables -C FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
#[ iptables -C FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT

init-start file
Code:
#!/bin/sh

modprobe -sv xt_comment.ko

IPSET_NAME="Valid_VPN_IP"

logger -st "($(basename $0))" $$ "Creating IPSET $IPSET_NAME"
ipset create $IPSET_NAME hash:net comment 2>/dev/null

I cleared out the dnsmasq.conf.add file , I rebooted the router to trigger all 3 files below to run, and then noticed the dnsmasq.conf.add was empty so i ran the following 3 lines one by one:
Code:
echo "ipset=/www.snbforums.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
echo "ipset=/www.whatismyipaddress.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
echo "ipset=/www.speedtest.net/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

It appears that you are not creating IPSET Valid_VPN_IP (init-start) during the boot process, consequently you are missing the ACCEPT/BLOCK firewall rules, as they can't be created (firewall-start) if they refer to an invalid IPSET.

e.g. '-t filter FORWARD' chain to block 192.168.2.26 outbound through ANY interface should look something like this...
Code:
<snip>
9        1    80 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
10       0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0/0            udp dpt:53
11       0     0 ACCEPT     all  --  br0    *       192.168.2.26         0.0.0.0/0            match-set Valid_VPN_IP dst /* ALLOWED_thru_ANY */
12       0     0 DROP       all  --  br0    *       192.168.2.26         0.0.0.0/0            ! match-set Valid_VPN_IP dst /* BLOCKED_thru_ANY */
I suspect that not ALL of the scripts you have created are marked as 'executable' :eek: (as instructed in the single global command at the bottom of post #10), or you can individually explicitly make each one executable:
Code:
chmod a+rx /jffs/scripts/init-start

chmod a+rx /jffs/scripts/wan-start

Thanks for the heads-up! I've updated wan-start code in post #10 which indeed omitted the name of the IPSET to store the retrieved domain IPs :oops::oops:
 
Last edited:
Martineau,
Something is still off with firewall start as the other 3 lines in ip filter nvl forward don't show. Please look above at the current file. Case sensitivtiy matters for the ipname correct? I believe it's spelled the same in all 3 places.

Martineau,

Thanks for your help, Im sorry i wasn't able to post sooner, was busy. Here the most recent debug commands and my current files with the VPN section removed as i wanted to control that.

I readded
IPSET_NAME="Valid_VPN_IP"
to firewall start as it wasn't there in post 10.
I will reboot again now and see if all is correct.


Updated Debug Commands below:
Code:
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8490 2866K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
4       20   920 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 ACCEPT     udp  --  br0    *       192.168.2.26         0.0.0.0/0            udp dpt:53
6      346  102K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
7      346  102K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
8        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
9        0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
10       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# iptables  --line  -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 16569 packets, 3798K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /etc/dnsmasq.conf
ipset=/www.snbforums.com/Valid_VPN_IP
ipset=/www.whatismyipaddress.com/Valid_VPN_IP
ipset=/www.speedtest.net/Valid_VPN_IP
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# grep Valid_VPN_IP /jffs/configs/dnsmasq.conf.add
ipset=/www.snbforums.com/Valid_VPN_IP
ipset=/www.whatismyipaddress.com/Valid_VPN_IP
ipset=/www.speedtest.net/Valid_VPN_IP
admin@RT-AC68U-1340:/tmp/home/root#
admin@RT-AC68U-1340:/tmp/home/root# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 554
References: 0
Number of entries: 3
Members:
104.27.126.97
104.27.127.97
8.8.8.8 comment "snbforums.com"
admin@RT-AC68U-1340:/tmp/home/root#

wan-start file
Code:
#!/bin/sh

# These are optional, but if the doamins are defined in 'dnsmasq.conf.add' then dnsmasq will automatically populate the ipset, but will not include the comment description to help identify the IPs. (May be useful if you later want to remove a domain's IPs.)

IPSET_NAME="Valid_VPN_IP"

logger -st "($(basename $0))" $$  "Adding domains to IPSET $IPSET_NAME"
for IP in $(nslookup "snbforums.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment snbforums.com;done;
for IP in $(nslookup "speedtest.net" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment speedtest.net;done;
for IP in $(nslookup "whatismyipaddress.com" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add $IPSET_NAME $IP comment whatismyipaddress.com;done;

firewall-start file
Code:
#!/bin/sh
IPADDR=192.168.2.26
IPSET_NAME="Valid_VPN_IP"
# Prevent duplicates but can leave firewall exposed...
iptables -D FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null
iptables -D FORWARD -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT
# Non-destructive (but no less exposed?) method to prevent duplicates
#[ iptables -C FORWARD -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP -m comment --comment "BLOCKED_thru_VPN" 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set ! --match-set $IPSET_NAME dst -j DROP   -m comment --comment "BLOCKED_thru_VPN"
#[ iptables -C FORWARD -s $IPADDR -i br0 -o tun1+ -m set --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN" 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -o tun1+ -m set   --match-set $IPSET_NAME dst -j ACCEPT -m comment --comment "ALLOWED_thru_VPN"
#[ iptables -C FORWARD -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null ] || iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -s $IPADDR -i br0 -p udp -m udp --dport 53 -j ACCEPT

init-start file
Code:
#!/bin/sh

modprobe -sv xt_comment.ko

IPSET_NAME="Valid_VPN_IP"

logger -st "($(basename $0))" $$ "Creating IPSET $IPSET_NAME"
ipset create $IPSET_NAME hash:net comment 2>/dev/null

I cleared out the dnsmasq.conf.add file , I rebooted the router to trigger all 3 files below to run, and then noticed the dnsmasq.conf.add was empty so i ran the following 3 lines one by one:
Code:
echo "ipset=/www.snbforums.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
echo "ipset=/www.whatismyipaddress.com/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
echo "ipset=/www.speedtest.net/Valid_VPN_IP" >>/jffs/configs/dnsmasq.conf.add
service restart_dnsmasq
 
Case sensitivity matters....?
Always - no exceptions.
Code:
ipset list Valid_VPN_IP

Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 554
References: 0
Number of entries: 3
Members:
104.27.126.97
104.27.127.97
8.8.8.8 comment "snbforums.com"
How did you manage to get '8.8.8.8 comment "snbforums.com"' into IPSET Valid_VPN_IP?:eek:

I have to specify this logically incorrect command o_O
Code:
for IP in $(nslookup "8.8.8.8" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v "127.0.0.1");do ipset add Valid_VPN_IP $IP comment snbforums.com;done;
Something is still off with firewall start as the other 3 lines in ip filter nvl forward don't show.
I suggest you Reboot, then enter the following commands
Code:
cd /jffs/scripts

ls -lah *-start

ipset list Valid_VPN_IP

sh -x ./init-start

sh -x ./firewall-start

sh -x ./wan-start
and post the output.
 
How did you manage to get '8.8.8.8 comment "snbforums.com"' into IPSET Valid_VPN_IP?:eek:
I bet his WAN DNS is 8.8.8.8 and grabbing it from nslookup Server: line.
Code:
# nslookup snbforums.com
Server:    9.9.9.9
Address 1: 9.9.9.9 dns9.quad9.net

Name:      snbforums.com
Address 1: 2606:4700:20::681b:7e61
Address 2: 104.27.126.97
Address 3: 104.27.127.97

# nslookup snbforums.com | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
9.9.9.9
9.9.9.9
104.27.126.97
104.27.127.97
 
I bet his WAN DNS is 8.8.8.8 and grabbing it from nslookup Server: line.
Code:
# nslookup snbforums.com
Server:    9.9.9.9
Address 1: 9.9.9.9 dns9.quad9.net

Name:      snbforums.com
Address 1: 2606:4700:20::681b:7e61
Address 2: 104.27.126.97
Address 3: 104.27.127.97

# nslookup snbforums.com | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
9.9.9.9
9.9.9.9
104.27.126.97
104.27.127.97
Doh! :oops: - clearly your post #19 didn't pick it up! ;)
 
Code:
nslookup www.snbforums.com | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -v $(grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' /etc/resolv.conf | head -1)
 
Martineau,

Newest Code Posted
Code:
ASUSWRT-Merlin RT-AC68U 384.13-0 Wed Jul 31 17:27:27 UTC 2019
admin@RT-AC68U-1340:/tmp/home/root# cd /jffs/scripts
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# ls -lah *-start
-rwxr-xr-x    1 admin    root        2.1K Nov 22 11:59 firewall-start
-rwxr-xr-x    1 admin    root         181 Nov 22 11:03 init-start
-rwxr-xr-x    1 admin    root         859 Nov 22 11:03 wan-start
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# ipset list Valid_VPN_IP
Name: Valid_VPN_IP
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 410
References: 2
Number of entries: 1
Members:
8.8.8.8 comment "snbforums.com"
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./init-start
+ modprobe -sv xt_comment.ko
+ IPSET_NAME=Valid_VPN_IP
+ basename ./init-start
+ logger -st (init-start) 1817 Creating IPSET Valid_VPN_IP
(init-start): 1817 Creating IPSET Valid_VPN_IP
+ ipset create Valid_VPN_IP hash:net comment
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./firewall-start
+ IPADDR=192.168.2.26
+ IPSET_NAME=Valid_VPN_IP
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -p udp -m udp --dport 53 -j ACCEPT
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -o tun1+ -m set --match-set Valid_VPN_IP dst -j ACCEPT -m comment --comment ALLOWED_thru_VPN
+ iptables -D FORWARD -s 192.168.2.26 -i br0 -o tun1+ -m set ! --match-set Valid_VPN_IP dst -j DROP -m comment --comment BLOCKED_thru_VPN
+ iptables -nvL FORWARD --line -t filter
+ grep state INVALID
+ cut -d  -f1
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -o tun1+ -m set ! --match-set Valid_VPN_IP dst -j DROP -m comment --comment BLOCKED_thru_VPN
+ iptables -nvL FORWARD --line -t filter
+ grep state INVALID
+ cut -d  -f1
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -o tun1+ -m set --match-set Valid_VPN_IP dst -j ACCEPT -m comment --comment ALLOWED_thru_VPN
+ iptables -nvL FORWARD --line -t filter
+ grep state INVALID
+ cut -d  -f1
+ iptables -I FORWARD 5 -s 192.168.2.26 -i br0 -p udp -m udp --dport 53 -j ACCEPT
admin@RT-AC68U-1340:/jffs/scripts#
admin@RT-AC68U-1340:/jffs/scripts# sh -x ./wan-start
+ IPSET_NAME=Valid_VPN_IP
+ basename ./wan-start
+ logger -st (wan-start) 1842 Adding domains to IPSET Valid_VPN_IP
(wan-start): 1842 Adding domains to IPSET Valid_VPN_IP
+ nslookup snbforums.com
+ grep -oE ([0-9]{1,3}\.){3}[0-9]{1,3}
+ grep -v 127.0.0.1
+ ipset add Valid_VPN_IP 8.8.8.8 comment snbforums.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 8.8.8.8 comment snbforums.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 104.27.127.97 comment snbforums.com
+ ipset add Valid_VPN_IP 104.27.126.97 comment snbforums.com
+ nslookup speedtest.net
+ grep -oE ([0-9]{1,3}\.){3}[0-9]{1,3}
+ grep -v 127.0.0.1
+ ipset add Valid_VPN_IP 8.8.8.8 comment speedtest.net
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 8.8.8.8 comment speedtest.net
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 151.101.130.219 comment speedtest.net
+ ipset add Valid_VPN_IP 151.101.2.219 comment speedtest.net
+ ipset add Valid_VPN_IP 151.101.194.219 comment speedtest.net
+ ipset add Valid_VPN_IP 151.101.66.219 comment speedtest.net
+ nslookup whatismyipaddress.com
+ grep -oE ([0-9]{1,3}\.){3}[0-9]{1,3}
+ grep -v 127.0.0.1
+ ipset add Valid_VPN_IP 8.8.8.8 comment whatismyipaddress.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 8.8.8.8 comment whatismyipaddress.com
ipset v6.32: Element cannot be added to the set: it's already added
+ ipset add Valid_VPN_IP 104.16.154.36 comment whatismyipaddress.com
+ ipset add Valid_VPN_IP 104.16.155.36 comment whatismyipaddress.com
admin@RT-AC68U-1340:/jffs/scripts#
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top