how to add/remove rules in filter_rules

[swede]

I want to block a ip from accessing wan, only lan

I used from GUI: Firewall => Network services filter

I added two rules( as seen in /tmp/filter_rules) that work

-A FORWARD -i br0 -o eth0 -p udp -s 192.168.1.99 -j DROP
-A FORWARD -i br0 -o eth0 -p tcp -s 192.168.1.99 -j DROP

However I want to be able to somewhat easy turn these on and off.
My thinking was to run a script via ssh to do this.


I guess those lines above with "iptables" in front of them are what adds
the restriction for that ip.

resulting in iptables -L these two lines

DROP udp -- tv1dd1ac16b520 anywhere
DROP tcp -- tv1dd1ac16b520 anywhere

1.
My question is could I add the rules directly with the hostname tv1dd1ac16b520
instead of ip-address so I don't have to make that adress static?

Do I have to insert at a certain line number for it to work?

How would such a command look?


2.
What is the command to remove these two rules again

*edit*

I could possibly use
iptables -L FORWARD -n --line-numbers | grep 192.168.1.99 | cut -d' ' -f1

to get the linenumbers to delete with

iptables -D FORWARD #linenumber

Here I have to use ip to and not hostname? could this be changed?
Could I delete in another easier way?

3.
Do I have to save/commit updates to iptable with iptable-save?


4.
Maybe I could manipulate the file /tmp/filter_rules instead and then save/commit that somehow


Any help would be most welcome

 

[ColinTaylor]

iptables only works with static addresses. You can specify a host name if you want but all it does is translate it to an IP address. It's the same with "iptables -L", it takes the IP addresses and shows you the host names currently associated with them. It is best to just use IP addresses (and iptables -L -n -v)

You don't have to do anything as complicated as you are suggesting. Just use the following commands;

To insert (I) the rules:
iptables -I FORWARD -i br0 -o eth0 -p udp -s 192.168.1.99 -j DROP
iptables -I FORWARD -i br0 -o eth0 -p tcp -s 192.168.1.99 -j DROP

To delete (D) the rules:
iptables -D FORWARD -i br0 -o eth0 -p udp -s 192.168.1.99 -j DROP
iptables -D FORWARD -i br0 -o eth0 -p tcp -s 192.168.1.99 -j DROP

 

[swede]

Thanks @ColinTaylor that seems to work like a charm.

three questions

1.
For TCP there are several categories. SYN, ACK, FIN, RST, URG, PSH

Should I DROP all of them?

The ALL target seems not to work?

2.
I don't really understand the difference between iptables -I and -A i.e Insert and Append
You seem to think it is better with insert. What is the logic behind that decision?


3.
Is ssh login availible on guestnetworks?


EPILOG.
For reference here comes my script
note the use of getent to look up ip-number of hostname as to avoid static ip on router.
(Couldn't use arp since was not always present in arp cache)

#!/bin/bash

#IPADDRESS_TV=$(arp -a | grep tv1dd1ac16b520 | cut -d' ' -f2 | sed 's/[()]//g')
IPADDRESS_TV=$( getent hosts tv1dd1ac16b520 | cut -d' ' -f1)

echo "$IPADDRESS_TV"

ssh admin@router.asus.com <<-ENDSSH
#commands to run on remote host
if iptables -L FORWARD -n --line-numbers | grep -q "$IPADDRESS_TV"; then

# To delete (D) the rules:
iptables -D FORWARD -i br0 -o eth0 -p udp -s "$IPADDRESS_TV" -j DROP
iptables -D FORWARD -i br0 -o eth0 -p tcp -s "$IPADDRESS_TV" -j DROP​

else

# To insert (I) the rules:
iptables -I FORWARD -i br0 -o eth0 -p udp -s "$IPADDRESS_TV" -j DROP
iptables -I FORWARD -i br0 -o eth0 -p tcp -s "$IPADDRESS_TV" -j DROP​

fi
ENDSSH

 

[ColinTaylor]

1) No, don't use "TCP ALL", just "TCP".

2) The order of the rules is very important.

The file "/tmp/filter_rules" is used when the rules are initially created. Because they are (A)ppended, they appear in the chain in this order. You want to modify the currently running rules. Any rules you (A)ppend will appear at the end on the chain. There are some existing rules in the forward chain that might interfere with what you are doing (e.g. -A FORWARD -i br0 -j ACCEPT). By (I)nserting your rules at the beginning of the chain you are ensuring that your rules have precedence.

3) I don't see why not.

 

[swede]

3) I don't see why not.

Can I block the ssh on the guestnetwork then?

*edit* Just tried and ssh was not accesible via guestnetwork

Alot of thanks for support!

 

[ColinTaylor]

@swede: Can I ask what router model you have and what version of the firmware you are running?

 

[swede]

Asus rt-n66u
Merlin Fork Firmmware:374.43_2-14E1j9527

I have guestnetwork enabled with
Access Intranet: off

Maybe that's why ssh cannot be accessed from it?
https://router.asus.com:8444/Advanced_FirmwareUpgrade_Content.asp
I have

(Merlin fork)​

 

[ColinTaylor]

Thanks for the info.

Access Intranet: off

Maybe that's why ssh cannot be accessed from it?

Yes, that would make sense.