
Disabling auto-clearing of iptables rules.

kevinlekiller

Occasional Visitor
Hello, I've added a wan-start script to disable VPN on my VOIP ATA. My ATA is provided by my ISP and is locked down (the voice tab in the web GUI is password protected), and it doesn't connect if it goes through the VPN connection.

Every hour or so the iptables rules are cleared by the router, so the ATA goes through the VPN and I lose telephone; I have to manually re-run my script to disable the VPN on the ATA again.

Is there any way to disable the router from clearing the iptables rules?

I'm running 376.45 on an Asus RT-AC68U; the ATA is a WRP-400 by Cisco, if that is of any help.

Thanks.
you can use crond (crontabs) to start your scripts every minute ;(

Thanks Andrey, that might be a better solution than what I did. I ran this script from the services-start script:

#!/bin/sh
# Loop forever: every 10 seconds, re-apply the rules if the PREROUTING
# mangle chain no longer mentions the ATA's address.
# -n keeps iptables from resolving addresses to hostnames, which would
# otherwise make the grep miss.
while :
do
    check=$(iptables -t mangle -L PREROUTING -n | grep '192.168.1.254')
    if [ "$check" = "" ]; then
        sh /jffs/set_iptables.sh
    fi
    sleep 10
done

Edit: In case anyone stumbles upon the thread in the future, my scripts follow:

/jffs/scripts/wan-start

(This runs a script which I'll post below; it disables the VPN on the VOIP ATA, then creates a cron job that runs every 60 seconds to run a script, which I'll post below as well, to check if the iptables rules are still active.)

Code:
#!/bin/sh
# Apply the policy-routing rules once, then re-check them every minute via cron.
# Use the absolute path: the working directory of wan-start is not guaranteed.
/jffs/set_iptables.sh
cru a check_iptables_script "*/1 * * * * /jffs/check_iptables.sh"

/jffs/set_iptables.sh

(This clears all iptables rules and enables the VPN only on this range of IPs: 192.168.1.2 - 192.168.1.253; my ATA is 192.168.1.254, so the VPN is not active on it.)

Code:
#!/bin/sh
# Disable reverse-path filtering so replies arriving on a different
# interface than the one the kernel would route out of are not dropped.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > "$i"
done

# Start from a clean slate: empty table 100, drop its fwmark rule and
# clear our marking rules. The del commands fail harmlessly on a first run.
ip route flush table 100
ip route del default table 100 2>/dev/null
ip rule del fwmark 1 table 100 2>/dev/null
ip route flush cache
iptables -t mangle -F PREROUTING

# Copy every non-default, non-VPN (tun11) route into table 100 and give that
# table a default route via the WAN gateway; packets with fwmark 1 use it.
ip route show table main | grep -Ev ^default | grep -Ev "tun11" \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via "$(nvram get wan_gateway)"
ip rule add fwmark 1 table 100
ip route flush cache

# Mark all LAN traffic for the WAN table, then clear the mark again for
# 192.168.1.2-192.168.1.253 so only those hosts go through the VPN;
# 192.168.1.254 (the ATA) keeps mark 1 and stays on the WAN.
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.253 -j MARK --set-mark 0

/jffs/check_iptables.sh

(This checks if the iptables rules are still active; if not, it re-enables them.)

Code:
#!/bin/sh
# Run from cron every minute: re-apply the rules if the VPN range rule is gone.
# -n avoids reverse DNS lookups, which could replace the address with a hostname.
# Absolute path: cron does not run from /jffs.
check=$(iptables -t mangle -L PREROUTING -n | grep '192.168.1.253')
if [ "$check" = "" ]; then
        /jffs/set_iptables.sh
fi

Maybe there is a better solution, but this works for now and telephone is required for commercial reasons.
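A stricter version of the check in /jffs/check_iptables.sh, added here as an example and not part of the original post: it requires both marking rules to be present instead of grepping for one address, so losing only the mark-1 rule (the one that keeps the ATA off the VPN) is detected as well. The sample listings are constructed to approximate `iptables -t mangle -L PREROUTING -n -v` output, and the function names are my own.

```shell
#!/bin/sh
# Stricter variant of the check in /jffs/check_iptables.sh: require BOTH
# marking rules, not just the string 192.168.1.253. The mark-1 rule is the
# one keeping the ATA (192.168.1.254) off the VPN; the original grep would
# not notice if only that rule were lost.

# Reads a chain listing on stdin, in the format of
# `iptables -t mangle -L PREROUTING -n -v` (-n avoids DNS lookups).
# Returns 0 when both rules are present, 1 otherwise.
rules_present() {
    listing=$(cat)
    # Rule 1: everything entering br0 gets fwmark 1 (routed via WAN table 100)
    printf '%s\n' "$listing" | grep -q 'br0 .*MARK set 0x1' || return 1
    # Rule 2: the VPN range is reset to mark 0 (routed via the VPN)
    printf '%s\n' "$listing" \
        | grep -q '192\.168\.1\.2-192\.168\.1\.253 .*MARK set 0x0' || return 1
    return 0
}

# The original check, for comparison: only looks for the .253 string.
naive_check() {
    grep -q '192.168.1.253'
}

# Returns "0" (intact) or "1" (re-run set_iptables.sh) for a listing string.
verdict() {
    if printf '%s\n' "$1" | rules_present; then echo 0; else echo 1; fi
}

# Constructed sample listings approximating `iptables -L -n -v` output.
BOTH_RULES='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
    0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.2-192.168.1.253 MARK set 0x0'

ONLY_RANGE_RULE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.2-192.168.1.253 MARK set 0x0'

FLUSHED='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# On the router the cron job would be:
#   iptables -t mangle -L PREROUTING -n -v | rules_present || /jffs/set_iptables.sh
echo "intact: $(verdict "$BOTH_RULES")  range-only: $(verdict "$ONLY_RANGE_RULE")  flushed: $(verdict "$FLUSHED")"
```

The range-only listing is the case the original grep accepts as healthy even though the ATA is already back on the VPN.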