Help Please..Need assistance stopping outbound connections!

[joe scian]

There are inherent ASUS implemented firewall rules that refer to '-j logdrop'

iptables-save | grep -E "logdrop"

:logdrop - [0:0]
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -j logdrop

-A FORWARD -m state --state INVALID -j logdrop

-A NSFW -i br0 -o eth0 -j logdrop

-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop

-A logdrop -j DROP

-A other2wan -j logdrop

so presumably in the SECURITY chain (and if the USER enables Network Services Filter) etc. then ASUS deems it a requirement to write a tracking message to Syslog rather than silently DROP the packet.

When Skynet is installed, this expected logging functionality is no longer available - no idea why Skynet now wishes to interfere and unilaterally prevent firewall rule trigger messages being written to Syslog?
(NOTE: Even if you temporarily disable Skynet, it doesn't restore the logdrop chain.)

P.S. You can provide the 'fixskynet' directive when requesting IPCamsBlock.sh and both the script and the ASUS firewall rules will work as intended.

Thank you much appreciated

 

[joe scian]

jffs/scripts$ sh IPCamsBlock.sh init mail fixskynet logdrop
[97m
(IPCamsBlock.sh): 22981 v1.09 I/P Cameras Firewall blocking.... init mail fixskynet logdrop
(IPCamsBlock.sh): 22981 ***ERROR Intrinsic 'iptables -t filter logdrop' chain functionality has been purposely CRIPPLED by ACTIVE SKynet...WTF?!!!
(IPCamsBlock.sh): 22981 .....has now been repaired.
[91m [91m[92m Chain logdrop (9 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* FUBAR'd by SKynet */ LOG flags 7 level 4 prefix "DROP "
2 29373 1778K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[0m[91m
'/usr/sbin/iptables -I FORWARD 4 5 -i br0 -j MyIPCAMs'
Bad argument `5'
Try `iptables -h' or 'iptables --help' for more information.
[93m
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain MyIPCAMs (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- br0 ppp0 anywhere anywhere udp dpt:ntp
2 0 0 logdrop all -- br0 !tun2+ Traficon_N_V.AC5300-DOMAIN anywhere
(IPCamsBlock.sh): 22981 I/P Cameras Firewall blocking request completed.
[97m
[0m


Hi Martineau
I think the skynet issue is fixed thanks - there is a message above in bold - any ideas?

 

[Martineau]

jffs/scripts$ sh IPCamsBlock.sh init mail fixskynet logdrop
[97m
(IPCamsBlock.sh): 22981 v1.09 I/P Cameras Firewall blocking.... init mail fixskynet logdrop
(IPCamsBlock.sh): 22981 ***ERROR Intrinsic 'iptables -t filter logdrop' chain functionality has been purposely CRIPPLED by ACTIVE SKynet...WTF?!!!
(IPCamsBlock.sh): 22981 .....has now been repaired.
[91m [91m[92m Chain logdrop (9 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* FUBAR'd by SKynet */ LOG flags 7 level 4 prefix "DROP "
2 29373 1778K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[0m[91m
'/usr/sbin/iptables -I FORWARD 4 5 -i br0 -j MyIPCAMs'
Bad argument `5'
Try `iptables -h' or 'iptables --help' for more information.
[93m
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain MyIPCAMs (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- br0 ppp0 anywhere anywhere udp dpt:ntp
2 0 0 logdrop all -- br0 !tun2+ Traficon_N_V.AC5300-DOMAIN anywhere
(IPCamsBlock.sh): 22981 I/P Cameras Firewall blocking request completed.
[97m
[0m


Hi Martineau
I think the skynet issue is fixed thanks - there is a message above in bold - any ideas?

The script has found/encountered two conflicting rules 4 and 5 in the FORWARD chain.

You will need to list the top 6 rules in the chain, to identify why they are causing the error.

Also you should run the script with 'status' to see if it has built its chain correctly.

EDIT: Please use the

tags...it makes it so much easier to read the output particularly column data such as iptables etc.

 

[joe scian]

/jffs/scripts$ iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1193
ACCEPT udp -- anywhere anywhere udp dpt:https
logdrop icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere state INVALID
PTCSRVWAN all -- anywhere anywhere
PTCSRVLAN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
OVPN all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
INPUT_ICMP icmp -- anywhere anywhere
logdrop all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
MyAlexa all -- anywhere anywhere match-set Alexa src,dst
other2wan all -- anywhere anywhere
other2wan all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
SECURITY all -- anywhere anywhere
NSFW all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
OVPN all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ACCESS_RESTRICTION (0 references)
target prot opt source destination

Chain FUPNP (0 references)
target prot opt source destination

Chain INPUT_ICMP (1 references)
target prot opt source destination
RETURN icmp -- anywhere anywhere icmp echo-request
RETURN icmp -- anywhere anywhere icmp timestamp-request
ACCEPT icmp -- anywhere anywhere

Chain MyAlexa (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:ntp
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options
ACCEPT all -- anywhere anywhere

ip-options prefix "[BADAlexa]"

Chain MyIPCAMs (0 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:ntp
logdrop all -- Traficon_N_V.AC5300-DOMAIN anywhere

Chain NSFW (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:1701
DROP gre -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:1723

Chain OVPN (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PTCSRVLAN (1 references)
target prot opt source destination

Chain PTCSRVWAN (1 references)
target prot opt source destination

Chain SECURITY (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
logdrop icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere

Chain default_block (0 references)
target prot opt source destination

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT all -- anywhere anywhere

Chain logdrop (9 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW /* FUBAR'd by SKynet */ LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP all -- anywhere anywhere

Chain other2wan (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
logdrop all -- anywhere anywhere


Sorry Martineau not sure how to runs tags

(IPCamsBlock.sh): 3401 v1.09 I/P Cameras Firewall blocking.... status
[91m[93m
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain MyIPCAMs (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:123
2 0 0 logdrop all -- br0 !tun2+ 192.168.2.73 0.0.0.0/0
[97m
(IPCamsBlock.sh): 3401 I/P Cameras Firewall blocking status request completed.
[0m

 

[Martineau]

/jffs/scripts$ iptables --list

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
MyAlexa    all  --  anywhere             anywhere             match-set Alexa src,dst
other2wan  all  --  anywhere             anywhere
other2wan  all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere
NSFW       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
OVPN       all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere

So the IPCamsBlock.sh error is because you inexplicably appear to have duplicate firewall rules...…

Note the syntax to display only a single chain i.e. the 'FORWARD' chain in table 'filter'

iptables  --line -t filter -nvL FORWARD

Chain FORWARD (policy DROP 0 packets, 0 bytes)

TCPMSS     tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
MyAlexa    all  --  anywhere             anywhere             match-set Alexa src,dst

other2wan  all  --  anywhere             anywhere     <<<<<< Why is this duplicated ?????
other2wan  all  --  anywhere             anywhere     <<<<<< Why is this duplicated ?????
 
logdrop    all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere
NSFW       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
OVPN       all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere

I'm pretty sure this ASUS rule isn't duplicated on other routers...unless something has changed?

Sorry Martineau not sure how to runs tags

​

 

[joe scian]

Thanks Martineau
yes I did notice duplication as well though I didnt connect that the reason behind that error was the duplication. I have no idea why there is duplication so for now Ill just ignore the error as the chain for IPCamsBlock.sh has been created correctly.

 

[Martineau]

Thanks Martineau
yes I did notice duplication as well though I didnt connect that the reason behind that error was the duplication.

I have no idea why there is duplication so for now Ill just ignore the error as the chain for IPCamsBlock.sh has been created correctly.

Unfortunately there doesn't appear to be the required '-j MyIPCAMs' rule in the FORWARD chain

So you need to fix this immediately.

Issue

iptables  --line -t filter -nvL FORWARD

then carefully delete only one of the duplicates
i.e. where 'X' is the line number of one of the duplicates identified from the 'num' column.

iptables    -D   FORWARD    X

then rerun 'IPCamsblock.sh' in 'init' mode, and (preferably enclosed in CODE tags ) post the results from

iptables  --line -t filter -nvL FORWARD

EDIT: Is Dual-WAN enabled?, as another forum topic post shows two 'other2wan' rules - 'eth0' and 'ppp0'

I will upload v1.12 with a fix.

 

[joe scian]

Hi Martineau
The other2wan certainly shows eth0 and ppp0 therefore we dont have duplicates and no I am NOT using Dual-Wan.

Joe

joescian@RT-AC5300-0680:/tmp/home/root# iptables --line -t filter -nvL FORWARD

joescian@RT-AC5300-0680:/tmp/home/root# iptables  --line -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destina                                                                                                 tion
1      237 12548 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0                                                                                                 /0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
2     2667  798K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                                                 /0            state RELATED,ESTABLISHED
3        0     0 MyAlexa    all  --  *      *       0.0.0.0/0            0.0.0.0                                                                                                 /0            match-set Alexa src,dst
4        0     0 other2wan  all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0                                                                                                 /0
5        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0                                                                                                 /0
6       36  1548 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0                                                                                                 /0            state INVALID
7        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0                                                                                                 /0
8        0     0 SECURITY   all  --  ppp0   *       0.0.0.0/0            0.0.0.0                                                                                                 /0
9      406  139K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                                                 /0
10       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0                                                                                                 /0            ctstate DNAT
11     406  139K OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0                                                                                                 /0            state NEW
12     406  139K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0

 

[joe scian]

Looks like its fixed with V1.12 - thank you so much Martineau

joescian@RT-AC5300-0680:/jffs/scripts# iptables  --line -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2516  129K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
2    27441 9141K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 MyAlexa    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Alexa src,dst
4      133 44121 MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0
5        0     0 other2wan  all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0
6        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
7      148  6712 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
8        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
9        0     0 SECURITY   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
10    2989  943K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
11       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
12    2989  943K OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
13    2989  943K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

 

[Martineau]

Looks like its fixed with V1.12 - thank you so much Martineau

joescian@RT-AC5300-0680:/jffs/scripts# iptables  --line -t filter -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2516  129K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
2    27441 9141K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 MyAlexa    all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set Alexa src,dst
4      133 44121 MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0
5        0     0 other2wan  all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0
6        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
7      148  6712 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
8        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
9        0     0 SECURITY   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
10    2989  943K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
11       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
12    2989  943K OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
13    2989  943K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Thanks for the feedback.

So you presumably have a 'ppp0' WAN connection, and the 'eth0' rule is possibly a mistake.

Regardless, I have now updated all of my scripts to be tolerant of possible duplicate rules, although it will be interesting to see if both rules actually register any hits.

 

[joe scian]

Thanks for the feedback.

So you presumably have a 'ppp0' WAN connection, and the 'eth0' rule is possibly a mistake.

Regardless, I have now updated all of my scripts to be tolerant of possible duplicate rules, although it will be interesting to see if both rules actually register any hits.

yes its a PPPoE connection.

 

[joe scian]

Hi Martineau
I updated my /jffs/configs/Iot_Alexa.apps with

# Alexa Dns
-A MyAlexa -i br0  -p udp -m udp --dport 53 -j ACCEPT -m comment --comment ALEXA DNS

I then ran sh iotblock.sh alexa init track onerule

however when i run sh iotblock.sh alexa report I dont get the rule entry in the MyAlexa chain.
Also getting wierd hard coded private ip address 192.168.1.9 and 192.168.1.3 - my LAN subnet is 192.168.2.x. I think you got some wierd hard coded address as well in your example above.

....but weird that there appears to be hard-coded 192.168.0.* requests despite my LAN/VLANs being 10.88.*.*

(iotblock.sh): 2608 v1.02b1 IoT Firewall blocking.... alexa report

[95m
[91m[96mName: Alexa
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 293
References: 1
Number of entries: 3
Members:
192.168.2.133 comment "192.168.2.133"
192.168.2.245 comment "192.168.2.245"
192.168.2.47 comment "192.168.2.47"
Name: AlexaTRK
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 60
References: 0
Number of entries: 0
[93m
    IoT rules:
[96m
[93m
Unknown TCP/UDP Ports
    Total=0


Chain MyAlexa (1 references)
num   pkts bytes target     prot opt in     out     source               destination  
1        0     0 ACCEPT     udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
2        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 7 level 4 prefix "[BADAlexa]"
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    
      1 192.168.2.47 99.84.138.57 TCP SPT=40296 DPT=80
      1 192.168.2.47 99.84.138.57 TCP SPT=40275 DPT=80
      1 192.168.2.47 99.84.138.57 TCP SPT=40274 DPT=80
      1 192.168.2.47 99.84.138.57 TCP SPT=40227 DPT=80
      1 192.168.2.47 99.84.138.57 TCP SPT=40225 DPT=80
      1 192.168.2.47 99.84.138.143 TCP SPT=48689 DPT=80
      1 192.168.2.47 99.84.138.143 TCP SPT=48688 DPT=80
      1 192.168.2.47 99.84.138.118 TCP SPT=55704 DPT=80
      1 192.168.2.47 99.84.138.118 TCP SPT=55686 DPT=80
      1 192.168.2.47 99.84.138.118 TCP SPT=55664 DPT=80
      1 192.168.2.47 99.84.135.78 TCP SPT=57401 DPT=443
      1 192.168.2.47 72.21.214.79 TCP SPT=57633 DPT=80
      1 192.168.2.47 72.21.214.79 TCP SPT=50801 DPT=80
      1 192.168.2.47 72.21.214.79 TCP SPT=38176 DPT=80
      1 192.168.2.47 54.239.26.114 TCP SPT=33231 DPT=443
      2 192.168.2.47 54.231.32.91 TCP SPT=56300 DPT=80
      3 192.168.2.47 54.231.114.170 TCP SPT=59703 DPT=80
      1 192.168.2.47 52.94.241.86 TCP SPT=59212 DPT=80
      1 192.168.2.47 52.94.241.86 TCP SPT=51026 DPT=80
      1 192.168.2.47 52.94.241.86 TCP SPT=47300 DPT=80
      1 192.168.2.47 52.94.241.86 TCP SPT=46355 DPT=80
      1 192.168.2.47 52.94.241.86 TCP SPT=46043 DPT=80
      1 192.168.2.47 52.94.241.86 TCP SPT=44947 DPT=80
      1 192.168.2.47 52.94.241.86 TCP SPT=42766 DPT=80
      1 192.168.2.47 52.94.241.86 TCP SPT=42433 DPT=80
      1 192.168.2.47 52.94.241.86 TCP SPT=42211 DPT=80
      3 192.168.2.47 52.216.237.243 TCP SPT=37148 DPT=80
      3 192.168.2.47 52.216.228.184 TCP SPT=37245 DPT=80
      9 192.168.2.47 52.216.176.11 TCP SPT=39628 DPT=80
      3 192.168.2.47 52.216.165.115 TCP SPT=40739 DPT=80
      3 192.168.2.47 52.216.162.83 TCP SPT=52658 DPT=80
      3 192.168.2.47 52.216.162.67 TCP SPT=36525 DPT=80
      3 192.168.2.47 52.216.132.91 TCP SPT=33928 DPT=80
      1 192.168.2.47 52.216.109.187 TCP SPT=36873 DPT=80
      3 192.168.2.47 52.216.101.195 TCP SPT=43873 DPT=80
      3 192.168.2.47 52.216.100.227 TCP SPT=43889 DPT=80
      4 192.168.2.47 192.168.1.9 TCP SPT=57805 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57801 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57797 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57793 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57789 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57782 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57777 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57773 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57769 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57765 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57757 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57753 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57749 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57745 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57741 DPT=55443
      4 192.168.2.47 192.168.1.9 TCP SPT=57734 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56119 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56115 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56111 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56107 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56103 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56096 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56092 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56087 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56083 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56079 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56071 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56067 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56063 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56059 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56055 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56048 DPT=55443
      4 192.168.2.47 192.168.1.3 TCP SPT=56044 DPT=55443
      1 192.168.2.47 176.32.98.203 TCP SPT=45034 DPT=80
      1 192.168.2.47 176.32.98.203 TCP SPT=43012 DPT=80
      1 192.168.2.47 176.32.98.203 TCP SPT=41552 DPT=80
      1 192.168.2.47 176.32.98.203 TCP SPT=40333 DPT=80
      1 192.168.2.47 13.35.148.148 TCP SPT=52389 DPT=80
 
Name: AlexaTRK
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 60
References: 0
Number of entries: 0
Members:
[0m

 

[Martineau]

I updated my /jffs/configs/Iot_Alexa.apps with

# Alexa Dns
-A MyAlexa -i br0  -p udp -m udp --dport 53 -j ACCEPT -m comment --comment ALEXA DNS

I then ran sh iotblock.sh alexa init track onerule

however when i run sh iotblock.sh alexa report I dont get the rule entry in the MyAlexa chain.

If you run the request from the command prompt you should get a report line
e.g.

./IOTBlock.sh alexa init track onerule

      Apps firewall rules (18) read from '/jffs/configs/IoT_Alexa.apps' Success=18

If you didn't,

Check that the filename is as expected by the script!

If you still don't get a report, check that the line is terminated with LF

Hopefully you will now get a report similar to this:

 Bad argument `DNS' ==> -A MyAlexa -i br0 -p udp -m udp --dport 53 -j ACCEPT -m comment --comment ALEXA DNS
Bad argument `DNS'
Try `iptables -h' or 'iptables --help' for more information.

      Apps firewall rules (18) read from '/jffs/configs/IoT_Alexa.apps' Success=17 FAILED=1

as unfortunately the script cannot insert mult-word comment text, so separate the comment words with say '-'
e.g.

-A MyAlexa -i br0 -p udp -m udp --dport 53 -j ACCEPT -m comment --comment ALEXA-DNS

Also getting wierd hard coded private ip address 192.168.1.9 and 192.168.1.3 - my LAN subnet is 192.168.2.x. I think you got some wierd hard coded address as well in your example above.

Yes, most strange indeed, but at least you now know about them!

 

[joe scian]

Thank you very much problem fixed !

 

[networknewb]

Can we do this in the stock ASUS software? I am getting permission denial / write only when trying to modify or run the script file etc. Also, the configs folder does not seem to exist in the stock ASUS firmware?

 

[Martineau]

Can we do this in the stock ASUS software? I am getting permission denial / write only when trying to modify or run the script file etc. Also, the configs folder does not seem to exist in the stock ASUS firmware?

Short answer NO.

Custom scripts is the raison d'etre for flashing the RMerlin firmware although there is a thread discussing that it is technically possible to hack a custom script to run on stock:
Is there a clear guide how to run custom scripts on Stock Firmware?

 

[Sebastien Bougie]

Hello,

When i try to run the scripts i'm getting the following errors

: not found.sh: line 50:
: not found.sh: line 53:
: 3898 -init.sh)
: not found.sh: line 57: }
: not found.sh: line 60: }
: No such file or directory
: not found.sh: line 64: }
: not found.sh: line 66:
: not found.sh: line 71:
: not found.sh: line 72: }
: not found.sh: line 78:
IPCamsBlock.sh: local: line 79: not in a function
: not found.sh: line 80:
IPCamsBlock.sh: shift: line 83: Illegal number: 2

Can someone help me
Thanks

 

[Martineau]

Hello,

When i try to run the scripts i'm getting the following errors

: not found.sh: line 50:
: not found.sh: line 53:
: 3898 -init.sh)
: not found.sh: line 57: }
: not found.sh: line 60: }
: No such file or directory
: not found.sh: line 64: }
: not found.sh: line 66:
: not found.sh: line 71:
: not found.sh: line 72: }
: not found.sh: line 78:
IPCamsBlock.sh: local: line 79: not in a function
: not found.sh: line 80:
IPCamsBlock.sh: shift: line 83: Illegal number: 2

Can someone help me
Thanks

Try explicitly converting the script to Unix LF format...

dos2unix /jffs/scripts/IPCamsBlock.sh

 

[FredTheFrog]

Hello,
When i try to run the scripts i'm getting the following errors
<snip!>
Can someone help me
Thanks

Latest versions of Merlin firmware (you do update, don't you?) allow you to disable outbound internet access on a device-basis, making this wonderful script (I formerly used it) no longer necessary.

 

[Sebastien Bougie]

Try explicitly converting the script to Unix LF format...

dos2unix /jffs/scripts/IPCamsBlock.sh

Thanks that fix my problem
Have a nice day