Menu
What's new
By:
Filters Better Search

Firewall script is still not working

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

v1rt

v1rt

Occasional Visitor
My firewall script never worked really well. I configured it earlier this year. Today, I need help again because it's still not working well. I'm wondering why son's network connection doesn't get killed even when the router has firewall rules to block the traffic on certain time. Here is my firewall-start script

admin@RT-AC68U-6000:/jffs/scripts# cat firewall-start
#!/bin/sh
# Locate both "RELATED,ESTABLISHED" and "INVALID" rules to place the Inserts after

InsLoc=`iptables -nvL FORWARD --lin | grep -A 1 -i "RELATED,ESTABLISHED" | tail -n 1 | awk '{ print $1 }'`
if [ "x$InsLoc" == "x" ]
then
# echo "Rule RELATED,ESTABLISHED not found"
# Add rule to continue existing connections
iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
InsLoc=2
fi
#
InsLoc1=`iptables -nvL FORWARD --lin | grep -A 1 -i "INVALID" | tail -n 1 | awk '{ print $1 }'`
if [ "x$InsLoc1" == "x" ]
then
# echo "Rule INVALID not found"
# Add rule to Drop unexpected traffic
iptables -I FORWARD $InsLoc -m conntrack --ctstate INVALID -j DROP
InsLoc1=`expr $InsLoc + 1`
fi
#
if [ $InsLoc1 -gt $InsLoc ]
then
# use which ever comes last
InsLoc=$InsLoc1
fi
echo "InsLoc=$InsLoc"
#


# League of Legends Game Client
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 22:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 22:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 22:00 --timestop 08:00 --weekdays Fri,Sat --kerneltz -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 22:00 --timestop 08:00 --weekdays Fri,Sat --kerneltz -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 22:00 --timestop 08:00 --weekdays Sun --kerneltz -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 22:00 --timestop 08:00 --weekdays Sun --kerneltz -j DROP

# Patcher and Maestro
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 22:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 22:00 --timestop 08:00 --weekdays Fri,Sat --kerneltz -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 22:00 --timestop 08:00 --weekdays Sun --kerneltz -j DROP

# 2099 TCP - PVP.Net
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 22:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 22:00 --timestop 08:00 --weekdays Fri,Sat --kerneltz -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 22:00 --timestop 08:00 --weekdays Sun --kerneltz -j DROP

# 5223 TCP - PVP.Net
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 22:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 22:00 --timestop 08:00 --weekdays Fri,Sat --kerneltz -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 22:00 --timestop 08:00 --weekdays Sun --kerneltz -j DROP

# 5222 TCP - PVP.Net
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 22:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 02:30 --timestop 08:00 --weekdays Fri,Sat -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 12:00 --timestop 08:00 --weekdays Sun --kerneltz -j DROP

# 8088 Spectator Mode
iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 22:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 22:00 --timestop 08:00 --weekdays Fri,Sat --kerneltz -j DROP
#iptables -I FORWARD $InsLoc -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 22:00 --timestop 08:00 --weekdays Sun --kerneltz -j DROP

iptables -I FORWARD $InsLoc -i br0 -o eth0 -m tcp -p tcp --dport 5222 -j ACCEPT

Please see attached screenshots of my configuration. If I missed a setting, please let me know. My son's computer is connected to a lan port.

Firmware is Firmware:378.51

I've also played with the timezone because I noticed something weird. I tried UTC hoping it would work but still didn't. Right now the time here in Chicago is 8:58am and the time on my router is Sat Dec 19 08:58:35 UTC 2015
 

Attachments

  • Screen Shot 2015-12-19 at 8.47.55 AM.png
    Screen Shot 2015-12-19 at 8.47.55 AM.png
    175.4 KB · Views: 539
  • Screen Shot 2015-12-19 at 8.47.55 AM.png
    Screen Shot 2015-12-19 at 8.47.55 AM.png
    175.4 KB · Views: 298
Or maybe, what is the rule for this. When time is 10pm, block everything except port 53ut, 80t and 443t?
 
v1rt said:
wondering why son's network connection doesn't get killed even when the router has firewall rules to block the traffic on certain time.
Click to expand...
Is the time that is specified by the iptables rules in UTC or local time?

And, how you drop packets for an established connection? TCP is "connection-oriented". UDP is "connectionless".

I think you may need additional rules to drop packets for those established TCP connections during those prohibited times.

Example:
/jffs/scripts/firewall-start
Code: 
# League of Legends Game Client
...
...
iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -p tcp --dport 5000:5500 -m time --timestart 22:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
let InsLoc++

I'm no expert on this, just saying things to try.
 
Last edited:
ASAT said:
Is the time that is specified by the iptables rules in UTC or local time?

And, how you drop packets for an established connection? TCP is "connection-oriented". UDP is "connectionless".

I think you may need additional rules to drop packets for those established TCP connections during those prohibited times.

Example:
/jffs/scripts/firewall-start
Code: 
# League of Legends Game Client
...
...
iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -p tcp --dport 5000:5500 -m time --timestart 22:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
let InsLoc++

I'm no expert on this, just saying things to try.
Click to expand...

Looking at the time, they are actually the same. There is an option where you can tell iptables which timezone to use. If you don't put it, it's going to be in UTC.

And glad you mentioned TCP being connection oriented. That's what I was thinking that I don't have rules for killing existing connections.

That rule was just given to me early this year.
 
v1rt said:
I don't have rules for killing existing connections.
Click to expand...
I don't think iptables is capable of killing a TCP connection on the router. A firewall lets you make rules to drop packets OR send back an error packet in response to a matched packet. However, to effectively "kill" a connection, you'd need to have control of the client computer who started the TCP socket.
 
I was wrong when I said kill which is similar to sending a tcp reset to the host(like how snort does).

Maybe, I'll just write a cronjob that will copy a firewall rule and overwrite my existing one on a specific time like at 10pm. After it's been copied, I will also restart iptables that flushes everything as well. That should do it.

It should work right?
 
You must log in or register to reply here.

Similar threads

P
How would you check or change the router's http or https webinterface port via telnet (only)?
Replies
2
Views
306
powersupply
P
R
One router, two segments desired.
Replies
4
Views
872
Rombo
R
PaulA
Port isolation on RT-AX88U-Pro (router) w/ Merlin w/ Tagged internet ISP
Replies
2
Views
1K
dacotmeister
D
Jack-Sparr0w
Paste Debug, Does this look alright?
Replies
0
Views
214
Jack-Sparr0w
Jack-Sparr0w
NoBenefit
Does my iptables looks normal?
Replies
1
Views
1K
ColinTaylor
C
Similar threads
Thread starter Title Forum Replies Date
Z Dual WAN + Dual Firewall Asuswrt-Merlin 11
K Asus router as adblock/firewall server (but not acting as a router) between modem and mesh routers Asuswrt-Merlin 7
M wan dhcpv6 blocked by firewall Asuswrt-Merlin 2
L is enabling firewall necessary (same for upnp) when on a provider with cgnat? Asuswrt-Merlin 5
M Advance firewall rules Asuswrt-Merlin 5
fffddd URL filtering in the firewall does not take effect Asuswrt-Merlin 7
G Feature request: firewall url filter log Asuswrt-Merlin 0
B Firewall lan - vpn? Asuswrt-Merlin 0
John Tetreault How to open ipv6 firewall to a port on the router? Asuswrt-Merlin 7
C Port Forwarding and Firewall - not working as I expect Asuswrt-Merlin 4

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 789 (members: 38, guests: 751)
Top