ColinTaylor
Part of the Furniture
> iptables: No chain/target/match by that name.
Enter this command and try again:
Code:
modprobe xt_comment
Alternatively, remove this section from each of the commands:
Code:
-m comment --comment "DNS Type 65"

> Enter this command and try again:
> modprobe xt_comment
> Alternatively, remove this section from each of the commands:
> -m comment --comment "DNS Type 65"
Thank you, got that entered but still not blocking iOS devices. I followed the dnsmasq log and I can see it is blocking to 0.0.0.0.

> iptables: No chain/target/match by that name.
Weird, I am able to do it. I guess it depends on how old your router's kernel is. Glad someone told you which kernel module to enable.

> Thank you, got that entered but still not blocking iOS devices. I followed the dnsmasq log and I can see it is blocking to 0.0.0.0.
Change them to
Code:
iptables -I INPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I OUTPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT

> Change them to
> Code:
> iptables -I INPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
> iptables -I FORWARD -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
> iptables -I OUTPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
Entered. Still the same. In my LAN settings, I didn't put a LAN domain name. Also, the Skynet blocked inbound logs are from the kernel, not dnsmasq.

Also keep in mind this does not cover TCP responses.
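To show what the `|0000410001|` hex string in these rules actually matches, here is an added Python illustration (not code from the thread or from any of its posters): it builds a DNS question in wire format for a constructed sample name, runs the same plain substring search the iptables string match performs, and parses the question properly for comparison.

```python
import struct

# Byte pattern behind the thread's rule, --hex-string "|0000410001|": the 0x00
# that terminates the query name, then QTYPE 65 (HTTPS) and QCLASS 1 (IN).
TYPE65_PATTERN = bytes.fromhex("0000410001")
QTYPE_HTTPS = 65
QCLASS_IN = 1


def build_dns_query(name: str, qtype: int, qclass: int = QCLASS_IN, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (12-byte header + one question) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, qclass)


def rule_would_match(udp_payload: bytes) -> bool:
    """What '-m string --hex-string |0000410001| --algo bm' does: a substring
    search over the packet, with no understanding of DNS structure."""
    return TYPE65_PATTERN in udp_payload


def question_is_type65(udp_payload: bytes) -> bool:
    """Parse the first question properly and report QTYPE == 65 / QCLASS == IN."""
    if len(udp_payload) < 12:
        return False
    qdcount = struct.unpack("!H", udp_payload[4:6])[0]
    if qdcount == 0:
        return False
    pos = 12
    while pos < len(udp_payload):
        length = udp_payload[pos]
        if length == 0:          # end of name
            pos += 1
            break
        if length & 0xC0:        # compression pointers are not valid in a query name
            return False
        pos += 1 + length
    if pos + 4 > len(udp_payload):
        return False
    qtype, qclass = struct.unpack("!HH", udp_payload[pos:pos + 4])
    return qtype == QTYPE_HTTPS and qclass == QCLASS_IN


if __name__ == "__main__":
    # Constructed sample: the host from the thread's DivStats log, queried for HTTPS and for A.
    for qtype in (QTYPE_HTTPS, 1):
        q = build_dns_query("block-test.developerdan.com", qtype)
        print(qtype, rule_would_match(q), question_is_type65(q))
```

Because the rules are `-p udp --dport 53`, a query carried over TCP (2-byte length prefix) or inside DoH/DoT is never inspected, which is why a client using a separate encrypted resolver still reaches the block-test page.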

> Entered. Still the same. In my LAN settings, I didn't put a LAN domain name. Also, the Skynet blocked inbound logs are from the kernel, not dnsmasq.
Yes, but port 53 is from dnsmasq. So if it is not blocking those queries, then your iPhone is getting its DNS from a completely different source than the router. What DNS servers show up when you run the test at DNS leak test (dnsleaktest.com)? Also, are you using a VPN on your router or iPhone?

> iptables: No chain/target/match by that name.
Can try this without the comment.
Code:
iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT

> Yes, but port 53 is from dnsmasq. So if it is not blocking those queries, then your iPhone is getting its DNS from a completely different source than the router. What DNS servers show up when you run the test at DNS leak test (dnsleaktest.com)? Also, are you using a VPN on your router or iPhone?
I use 9.9.9.9 TLS normally. I switched to NextDNS just to see the logs. lightswitch is on NextDNS too; when I enabled them in NextDNS privacy, it does block the test page from iOS. I have my IPv6 disabled, will that affect any DNS queries?

> I use 9.9.9.9 TLS normally. I switched to NextDNS just to see the logs. lightswitch is on NextDNS too; when I enabled them in NextDNS privacy, it does block the test page from iOS. I have my IPv6 disabled, will that affect any DNS queries?
No, unless you somehow have traffic traveling over IPv6 on your iOS.

> I use 9.9.9.9 TLS normally. I switched to NextDNS just to see the logs. lightswitch is on NextDNS too; when I enabled them in NextDNS privacy, it does block the test page from iOS. I have my IPv6 disabled, will that affect any DNS queries?
I wonder if NextDNS is diverting your requests still, despite you having disabled the blocking. I recommend uninstalling it instead of disabling it to see if your requests start getting blocked.

> Can try this without the comment.
> Code:
> iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
> iptables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT
This seems to work! But at the same time I did a network reset on my iPhone. Will try other iOS devices. Thank you!

> This seems to work! But at the same time I did a network reset on my iPhone. Will try other iOS devices. Thank you!
This works only when I have SSH enabled. When I disabled SSH, the block test page showed up again. Do I have to leave SSH on?

> Same again. Saw this in DivStats
> 2022-06-10 15:55 block-test.developerdan.com 192.168.102.212 type=65 Allowed
> 2022-06-10 15:55 block-test.developerdan.com 192.168.102.212 A Blocked (blocking list)
Did you reboot your router? Currently the rules are gone after a reboot. Can you run this and see if the rules still exist?
Code:
iptables -nvL INPUT | grep 0000410001
If not, then please try to apply them again. Once you verify the rules exist, there should be no more type=65 entries in DivStats.

> This works only when I have SSH enabled. When I disabled SSH, the block test page showed up again. Do I have to leave SSH on?
By right the rules stay unless you manually delete them or reboot your router. In order to keep the rules after a reboot, you can add them in /jffs/scripts/firewall-start. This is how I do it.

> By right the rules stay unless you manually delete them or reboot your router. In order to keep the rules after a reboot, you can add them in /jffs/scripts/firewall-start. This is how I do it.
Thank you. Did not reboot. Only closed the SSH client and disabled LAN SSH in System Administration. When I enabled SSH again and ran the command, the rules were not there. Re-entered, but once SSH was disabled, the rules seem to be gone.

> Thank you. Did not reboot. Only closed the SSH client and disabled LAN SSH in System Administration. When I enabled SSH again and ran the command, the rules were not there. Re-entered, but once SSH was disabled, the rules seem to be gone.
Interesting. I'm not aware of this behavior. I have always left LAN SSH on.

> Interesting. I'm not aware of this behavior. I have always left LAN SSH on.
Safe to leave it on? Port forwarding is enabled, and not on port 22.

> Thank you. Did not reboot. Only closed the SSH client and disabled LAN SSH in System Administration. When I enabled SSH again and ran the command, the rules were not there. Re-entered, but once SSH was disabled, the rules seem to be gone.
When you change the state of SSH it restarts the firewall, which wipes out any changes you've made.

> When you change the state of SSH it restarts the firewall, which wipes out any changes you've made.
Thank you. Left it on. Thanks all for your help.

Just leave SSH enabled for LAN only.