What's new

Diversion not filtering Wifi

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Enter this command and try again: modprobe xt_comment

Alternatively, remove this section from each of the commands: -m comment --comment "DNS Type 65"
Thank you, got that entered but still not blocking iOS devices. I followed dnsmasq log and I can see it is blocking to 0.0.0.0
 
Thank you, got that entered but still not blocking iOS devices. I followed dnsmasq log and I can see it is blocking to 0.0.0.0
Change them to
Code:
iptables -I INPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT 
iptables -I FORWARD -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I OUTPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT

Also keep in mind this does not cover tcp responses.
 
Last edited:
Change them to
Code:
iptables -I INPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I OUTPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT

Also keep in mind this does not cover tcp responses.
Entered. Still the same. In my LAN setting, I didn't put lan domain name. Also Skynet blocked inbound logs are from kernel, not dnsmasq
 
Entered. Still the same. In my LAN setting, I didn't put lan domain name. Also Skynet blocked inbound logs are from kernel, not dnsmasq
Yes but port 53 is from dnsmasq. So if it is not blocking those queries, then your iPhone is getting its DNS from a completely different source then the router. What dns servers show up when you run the test at


Also, are you using a VPN on your router or iphone?
 
iptables: No chain/target/match by that name. :(
Can try this without the comment.

Code:
iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT
 
Yes but port 53 is from dnsmasq. So if it is not blocking those queries, then your iPhone is getting its DNS from a completely different source then the router. What dns servers show up when you run the test at


Also, are you using a VPN on your router or iphone?
I use 9.9.9.9 TLS normally. I switched to NextDNS just to see the logs. lightswitch is on NextDNS too, when I enabled them in NextDNS privacy, it does block the test page from iOS. I have my ipv6 disabled, will that affect any DNS queries?
 
I use 9.9.9.9 TLS normally. I switched to NextDNS just to see the logs. lightswitch is on NextDNS too, when I enabled them in NextDNS privacy, it does block the test page from iOS. I have my ipv6 disabled, will that affect any DNS queries?
No, unless you somehow have traffic traveling over ipv6 on your iOS.
 
I use 9.9.9.9 TLS normally. I switched to NextDNS just to see the logs. lightswitch is on NextDNS too, when I enabled them in NextDNS privacy, it does block the test page from iOS. I have my ipv6 disabled, will that affect any DNS queries?
I wonder if nextdns is diverting your request still despite you having disabled the blocking. I recommend uninstalling it instead of disabling it to see if your request start getting blocked.
 
Can try this without the comment.

Code:
iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT
This seems to work! But at the same time I did a network reset on my iPhone. Will try other iOS device. Thank you!
 
Same again. Saw this in DivStats

2022-06-10 15:55block-test.developerdan.com192.168.102.212type=65Allowed
2022-06-10 15:55block-test.developerdan.com192.168.102.212ABlocked (blocking list)
 
This seems to work! But at the same time I did a network reset on my iPhone. Will try other iOS device. Thank you!
This work only when I have SSH enabled. When I disabled SSH, the block test page showing up again. Do I have leave SSH on?
 
Same again. Saw this in DivStats

2022-06-10 15:55block-test.developerdan.com192.168.102.212type=65Allowed
2022-06-10 15:55block-test.developerdan.com192.168.102.212ABlocked (blocking list)
Did you reboot your router? Currently the rules are gone after a reboot. Can you run this and see if the rules still exists iptables -nvL INPUT | grep 0000410001? If not then please try to apply again. Once you verify the rules exists, there should be no more type=65 entry in DivStats.
 
This work only when I have SSH enabled. When I disabled SSH, the block test page showing up again. Do I have leave SSH on?
By right the rules stay unless you manually delete it or reboot your router. In order to keep the rules after reboot can add it in /jffs/scripts/firewall-start. This is how I do it.
 
By right the rules stay unless you manually delete it or reboot your router. In order to keep the rules after reboot can add it in /jffs/scripts/firewall-start. This is how I do it.
Thank you. Did not reboot. Only closing SSH client and disabled LAN SSH in System administration. When I enabled SSH again, and run the command, the rules were not there. Re-entered, but once SSH disabled, the rules seems to be gone.
 
Thank you. Did not reboot. Only closing SSH client and disabled LAN SSH in System administration. When I enabled SSH again, and run the command, the rules were not there. Re-entered, but once SSH disabled, the rules seems to be gone.
Interesting. I’m not aware of this behavior. I have always leave LAN SSH on.
 
Interesting. I’m not aware of this behavior. I have always leave LAN SSH on.
Safe to leave it on? Port forwarding enabled and not port 22 :eek:
 
Thank you. Did not reboot. Only closing SSH client and disabled LAN SSH in System administration. When I enabled SSH again, and run the command, the rules were not there. Re-entered, but once SSH disabled, the rules seems to be gone.
When you change the state of SSH it restarts the firewall which wipes out any changes you've made.

Just leave SSH enabled for LAN only.
 
When you change the state of SSH it restarts the firewall which wipes out any changes you've made.

Just leave SSH enabled for LAN only.
Thank you. Left it on. Thanks all for you help
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top