firewall-start: Something Else Is Inserting a Firewall Rule?


Kevin K

Regular Contributor
I inserted a firewall rule via /jffs/script/firewall-start to drop traffic from 10.8.0.0. However, something else inserted an accept-everything rule afterward, so my traffic doesn't get dropped. I'm guessing that something related to OpenVPN did it.

When I insert my drop rule manually, after the router is fully started, it is the first rule in the chain.

How can I ensure that *my* firewall-start rules get applied after other sources?

My firewall-start:
Code:
#!/bin/sh
iptables --insert FORWARD -s 10.8.0.0/16 -d 192.168.8.0/24 -j DROP

My FORWARD chain:
Code:
Chain FORWARD (policy DROP)
target     prot opt source               destination       
ACCEPT     all  --  anywhere             anywhere         
DROP       all  --  10.8.0.0/16          192.168.8.0/24   
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere         
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere         
NSFW       all  --  anywhere             anywhere         
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
ACCEPT     all  --  anywhere             anywhere

I could put a "sleep 60" in my firewall-start, but that is icky.

UPDATE: It *is* the VPN which is adding the accept-all. I can't just put my VPN-related firewall rules in firewall-start. And I can't just put them in the VPN event script, because if I start/stop the VPN a few times, I'll wind up with duplicate rules. I need to prevent the OpenVPN component from updating the firewall scripts.

Maybe the sensible thing to do is to put "service restart_firewall" at the end of my VPN postconf?
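An added example, not code from either poster: an idempotent version of the rule insertion that can be run from both firewall-start and the OpenVPN event script without accumulating duplicates, because it deletes every existing copy (found with `iptables -C`) before re-inserting one copy at position 1. The script paths, the `script_type` dispatch, the choice of the `route-up` event and the overridable `IPT` variable are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Idempotent insertion of the poster's DROP
# rule so the same function can run from firewall-start and from the OpenVPN
# event script without leaving duplicates behind.
# IPT may be overridden (e.g. with a stub) to exercise the logic without iptables.
IPT="${IPT:-iptables}"

# Assumed values: the poster's subnet pair; adjust to your own LAN/VPN ranges.
RULE_ARGS="FORWARD -s 10.8.0.0/16 -d 192.168.8.0/24 -j DROP"

# ensure_drop_rule: delete every existing copy of the rule (iptables -C reports
# whether a matching rule exists), then insert one copy at position 1 so it
# sits ahead of the ACCEPT rules the VPN client adds later.
ensure_drop_rule() {
    # Word splitting of RULE_ARGS is intended here.
    while "$IPT" -C $RULE_ARGS 2>/dev/null; do
        "$IPT" -D $RULE_ARGS || return 1
    done
    "$IPT" -I $RULE_ARGS
}

# Dispatch on how the script was invoked. Assumption: the same file is installed
# as /jffs/scripts/firewall-start and symlinked as /jffs/scripts/openvpn-event.
case "$(basename "$0")" in
    firewall-start)
        ensure_drop_rule
        ;;
    openvpn-event)
        # OpenVPN exports script_type (up, down, route-up, ...). Assumption:
        # re-asserting at route-up is late enough to follow the client's own rules.
        if [ "$script_type" = "route-up" ]; then
            ensure_drop_rule
        fi
        ;;
esac
```

Because the function removes its own earlier copies, starting and stopping the VPN repeatedly leaves exactly one DROP rule at the top of FORWARD.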
I could put a "sleep 60" in my firewall-start, but that is icky.

That's about the only solution. The firewall-start event is pretty weird: it gets called up to 3 times per boot, and you can easily run into race conditions, as the rules are flushed during this process, if you run a lockfile system like I do. In Skynet I handle this by sleeping for 20s before modifying the FILTER table.