iptables rule not working

v1rt

Occasional Visitor
I'm debugging my firewall rules because the rules I added for League of Legends didn't work. So I duplicated one of the rules and blocked port 80. I also checked the time on my router as well as the time on my laptop. They're in sync.

br0 interface is the interface for the internal network (where my laptop is)
eth0 interface is the outer interface to the outside

I ran this manually
Code:
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 80 -m time --timestart 09:37:00 --timestop 09:39:00 --weekdays Mon --kerneltz -j DROP

as well as this
Code:
iptables -vnL

snippet from output
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TIME from 09:37:00 to 09:39:00 on Mon

Then I started checking it from my laptop before 9:37 and at 9:37, but it didn't block me.
 
Showing us a single line for the FORWARD chain isn't that useful. That said, I'd guess that as you're appending (-A) the rule to the end of the chain there is already a preceding rule that is accepting the traffic. Try inserting (-I) your rule at the beginning of the chain.
 
I'm debugging my firewall rules because the rules I added for League of Legends didn't work. ...
What does the option kerneltz do? I don't see it in the output you show. I don't use it on rules I have made that are time limited.

Here is one post that I made with time limited rules.
http://www.snbforums.com/threads/how-to-disconnect-local-pc-from-wifi.21342/#post-155325

Please run
iptables -nvL FORWARD --lin
and give the snippet output of that command for the rule in question.

Are you attempting to break an existing connection or just stop new connections?
 
Showing us a single line for the FORWARD chain isn't that useful. That said, I'd guess that as you're appending (-A) the rule to the end of the chain there is already a preceding rule that is accepting the traffic. Try inserting (-I) your rule at the beginning of the chain.

oh, I don't have any -I. Everything is all -A
Could that be the reason why it's not working?
 
Code:
admin@RT-AC68U-6000:/jffs/scripts# cat firewall-start
#!/bin/sh

# League of Legends Game Client
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 13:00:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 13:00:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 22:00:00 --timestop 23:59:59 --weekdays Fri,Sat --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 22:00:00 --timestop 23:59:59 --weekdays Fri,Sat --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 20:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p udp --dport 5000:5500 -m time --timestart 20:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -j DROP

# Patcher and Maestro
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 13:00:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 22:00:00 --timestop 23:59:59 --weekdays Fri,Sat --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 8393:8400 -m time --timestart 20:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -j DROP

# 2099 TCP - PVP.Net
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 13:00:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 22:00:00 --timestop 23:59:59 --weekdays Fri,Sat --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 2099 -m time --timestart 20:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -j DROP

# 5223 TCP - PVP.Net
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 13:00:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 22:00:00 --timestop 23:59:59 --weekdays Fri,Sat --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 5223 -m time --timestart 20:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -j DROP

# 5222 TCP - PVP.Net
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 13:00:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 22:00:00 --timestop 23:59:59 --weekdays Fri,Sat --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 5222 -m time --timestart 20:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -j DROP

# 8088 Spectator Mode
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 13:00:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 22:00:00 --timestop 23:59:59 --weekdays Fri,Sat --kerneltz -j DROP
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 8088 -m time --timestart 20:00:00 --timestop 23:59:59 --weekdays Sun --kerneltz -j DROP
 
What does the option kerneltz do? I don't see it in the output you show. I don't use it on rules I have made that are time limited.

Here is one post that I made with time limited rules.
http://www.snbforums.com/threads/how-to-disconnect-local-pc-from-wifi.21342/#post-155325

Please run
iptables -nvL FORWARD --lin
and give the snippet output of that command for the rule in question.

Are you attempting to break an existing connection or just stop new connections?

Stop new connections
Here is the output
Code:
admin@RT-AC68U-6000:/jffs/scripts# iptables -nvL FORWARD --lin
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 00:00:00 to 23:59:00WEBSTR match url hustl  reject-with tcp-reset
2        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 00:00:00 to 23:59:00WEBSTR match url penth  reject-with tcp-reset
3      110 87331 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 00:00:00 to 23:59:00WEBSTR match url playb  reject-with tcp-reset
4      20M   10G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
6    10337  709K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
7       11   627 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
8        0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
9     126K 9674K ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
10    1006 53995 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
11       0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
12       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:5000:5500 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu
13       0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5500 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu
14       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:5000:5500 TIME from 22:00:00 to 23:59:59 on Fri,Sat
15       0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5500 TIME from 22:00:00 to 23:59:59 on Fri,Sat
16       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:5000:5500 TIME from 20:00:00 to 23:59:59 on Sun
17       0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5500 TIME from 20:00:00 to 23:59:59 on Sun
18       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:8393:8400 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu
19       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:8393:8400 TIME from 22:00:00 to 23:59:59 on Fri,Sat
20       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:8393:8400 TIME from 20:00:00 to 23:59:59 on Sun
21       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:2099 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu
22       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:2099 TIME from 22:00:00 to 23:59:59 on Fri,Sat
23       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:2099 TIME from 20:00:00 to 23:59:59 on Sun
24       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5223 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu
25       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5223 TIME from 22:00:00 to 23:59:59 on Fri,Sat
26       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5223 TIME from 20:00:00 to 23:59:59 on Sun
27       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5222 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu
28       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5222 TIME from 22:00:00 to 23:59:59 on Fri,Sat
29       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5222 TIME from 20:00:00 to 23:59:59 on Sun
30       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:8088 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu
31       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:8088 TIME from 22:00:00 to 23:59:59 on Fri,Sat
32       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:8088 TIME from 20:00:00 to 23:59:59 on Sun
33       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 TIME from 09:37:00 to 09:39:00 on Mon
 
Stop new connections
Here is the output

Code:
4      20M   10G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
6    10337  709K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

Meaning of "kerneltz"?
If it is to select a timezone, the default is to use the current time on the router.

Since you want to stop new connections, you would insert your rules just after the rule with "state RELATED,ESTABLISHED" (4) and "state INVALID" (6) which normally do not have a rule (5) between them. So each of your commands would start with
iptables -I FORWARD 7
To insert them after rule 6 (and order does not matter in your case as they are all drops).

So for example your command
iptables -A FORWARD -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 13:00:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP

Becomes
iptables -I FORWARD 7 -i br0 -o eth0 -p tcp --dport 5000:5500 -m time --timestart 13:00:00 --timestop 23:59:59 --weekdays Mon,Tue,Wed,Thu --kerneltz -j DROP

The reason why you place them there is for the performance of existing connections. Existing connections will stop processing at rule (4). Any rules placed before that are evaluated even if they do not apply.

edit:
The reason your current rules do not work is that they are after rule 9, which accepts the connection and so stops processing the rules after that one.
 
What if I wanted to start from reboot, what would be a good script? I was also thinking of rerunning the script manually. I don't care if existing connections get dropped since it's just a firewall here at home. Do you have a good working firewall-start script that I can use as a reference?
 
I followed your suggestions and I restarted everything. How come I can still access https?

Code:
admin@RT-AC68U-6000:/jffs/scripts# iptables -nvL FORWARD --lin
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 00:00:00 to 23:59:00WEBSTR match url hustl  reject-with tcp-reset
2        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 00:00:00 to 23:59:00WEBSTR match url penth  reject-with tcp-reset
3        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 00:00:00 to 23:59:00WEBSTR match url playb  reject-with tcp-reset
4     1376 1449K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
6        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
7        0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:443 TIME from 20:00:00 to 23:59:59 on Mon UTC
8        0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:8088 TIME from 20:00:00 to 23:59:59 on Sun UTC
9        0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:8088 TIME from 22:00:00 to 23:59:59 on Fri,Sat UTC
10       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:8088 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu UTC
11       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5222 TIME from 20:00:00 to 23:59:59 on Sun UTC
12       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5222 TIME from 22:00:00 to 23:59:59 on Fri,Sat UTC
13       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5222 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu UTC
14       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5223 TIME from 20:00:00 to 23:59:59 on Sun UTC
15       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5223 TIME from 22:00:00 to 23:59:59 on Fri,Sat UTC
16       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:5223 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu UTC
17       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:2099 TIME from 20:00:00 to 23:59:59 on Sun UTC
18       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:2099 TIME from 22:00:00 to 23:59:59 on Fri,Sat UTC
19       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:2099 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu UTC
20       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:8393:8400 TIME from 20:00:00 to 23:59:59 on Sun UTC
21       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:8393:8400 TIME from 22:00:00 to 23:59:59 on Fri,Sat UTC
22       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:8393:8400 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu UTC
23       0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5500 TIME from 20:00:00 to 23:59:59 on Sun UTC
24       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:5000:5500 TIME from 20:00:00 to 23:59:59 on Sun UTC
25       0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5500 TIME from 22:00:00 to 23:59:59 on Fri,Sat UTC
26       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:5000:5500 TIME from 22:00:00 to 23:59:59 on Fri,Sat UTC
27       0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpts:5000:5500 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu UTC
28       0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpts:5000:5500 TIME from 13:00:00 to 23:59:59 on Mon,Tue,Wed,Thu UTC
29       0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
30       0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
31       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
32       3   261 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
 
I got it working now. https is now blocked! :) I restored --kerneltz.
I'm not sure my Asus is in UTC.
 
I got it working now. https is now blocked! :) I restored --kerneltz.
I'm not sure my Asus is in UTC.

Great, now that it's working, the next step is to make the insert location a variable so that if a configuration change causes some change in the rules, the script still puts the new rules in the correct place.
The following code will find the location dynamically.

Code:
# Locate both "RELATED,ESTABLISHED" and "INVALID" rules to place the Inserts after.
# The time-limited DROP rules live in the FORWARD chain, so that is the chain to inspect.

InsLoc=$(iptables -nvL FORWARD --lin | grep -A 1 -i "RELATED,ESTABLISHED" | tail -n 1 | awk '{ print $1 }')
if [ "x$InsLoc" = "x" ]
then
   # echo "Rule RELATED,ESTABLISHED not found"
   # Add rule to continue existing connections
   iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
   InsLoc=2
fi
#
InsLoc1=$(iptables -nvL FORWARD --lin | grep -A 1 -i "INVALID" | tail -n 1 | awk '{ print $1 }')
if [ "x$InsLoc1" = "x" ]
then
   # echo "Rule INVALID not found"
   # Add rule to Drop unexpected traffic
   iptables -I FORWARD $InsLoc -m conntrack --ctstate INVALID -j DROP
   InsLoc1=$(expr $InsLoc + 1)
fi
#
if [ $InsLoc1 -gt $InsLoc ]
then
   # use whichever comes last
   InsLoc=$InsLoc1
fi
echo "InsLoc=$InsLoc"
#

Put that at the beginning of your file, and change the iptables commands, replacing the "7" with "$InsLoc".

Once you have tested it manually, to make it happen on reboot, rename the file to
/jffs/scripts/firewall-start

chmod 700 firewall-start

Test reboot and you are done.
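As an added example (not code from this thread or from the poster's script), here is a self-contained version of the two points made above: find the insert position from a FORWARD listing so the DROPs land after both the RELATED,ESTABLISHED and the INVALID rules, and generate the 21 time-limited rules at that position. It is pure text processing, so it runs without iptables; the function names are made up for this example and the sample listings are constructed from the output posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Computes where new FORWARD rules should be
# inserted from a saved `iptables -nvL FORWARD --line-numbers` listing, then prints the
# 21 time-limited DROP rules from the firewall-start above at that position.
# Function names and the sample listings are constructed for this example.

# find_insert_pos: read a chain listing on stdin and print the rule number that sits
# just after the later of the RELATED,ESTABLISHED and INVALID rules, so the new DROPs
# are reached only by packets of new connections (prints 1 if neither anchor exists).
find_insert_pos() {
    awk '
        BEGIN { est = 0; inv = 0 }
        # only numbered rule lines count; the header line starts with "num"
        $1 ~ /^[0-9]+$/ && /RELATED,ESTABLISHED/ { if ($1 + 0 > est) est = $1 + 0 }
        $1 ~ /^[0-9]+$/ && /INVALID/            { if ($1 + 0 > inv) inv = $1 + 0 }
        END { last = (est > inv) ? est : inv; print last + 1 }
    '
}

# gen_rules POS: print the iptables commands for the thread's schedule, each inserted
# at POS. Inserting every rule at the same position reverses their order, which is
# harmless here because they are all DROPs. --kerneltz keeps the window in router-local
# time; the thread saw the listing show "UTC" and the block miss when it was left out.
gen_rules() {
    pos=$1
    for sched in "13:00:00 Mon,Tue,Wed,Thu" "22:00:00 Fri,Sat" "20:00:00 Sun"; do
        set -- $sched
        start=$1 days=$2
        for spec in "tcp 5000:5500" "udp 5000:5500" "tcp 8393:8400" \
                    "tcp 2099" "tcp 5223" "tcp 5222" "tcp 8088"; do
            set -- $spec
            printf 'iptables -I FORWARD %s -i br0 -o eth0 -p %s --dport %s -m time --timestart %s --timestop 23:59:59 --weekdays %s --kerneltz -j DROP\n' \
                "$pos" "$1" "$2" "$start" "$days"
        done
    done
}

# Constructed sample, trimmed from the FORWARD listing posted in this thread.
SAMPLE_LISTING=$(cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 00:00:00 to 23:59:00WEBSTR match url hustl  reject-with tcp-reset
2        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 00:00:00 to 23:59:00WEBSTR match url penth  reject-with tcp-reset
3      110 87331 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            TIME from 00:00:00 to 23:59:00WEBSTR match url playb  reject-with tcp-reset
4      20M   10G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
6    10337  709K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
7       11   627 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
8        0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
9     126K 9674K ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
EOF
)

# Constructed sample where the INVALID drop comes before the RELATED,ESTABLISHED accept;
# the insert must go after the later one (rule 3), i.e. at position 4.
SWAPPED_LISTING=$(cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        0     0 ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
EOF
)

# Demo on the constructed listing: position, then the first generated command.
echo "insert position: $(printf '%s\n' "$SAMPLE_LISTING" | find_insert_pos)"   # → 7
gen_rules "$(printf '%s\n' "$SAMPLE_LISTING" | find_insert_pos)" | head -n 1
# On the router, feed the live chain and execute the output:
#   gen_rules "$(iptables -nvL FORWARD --line-numbers | find_insert_pos)" | sh
```

To use it in /jffs/scripts/firewall-start, keep only the two functions and the last commented command; the sample listings exist so the logic can be checked off the router before it touches the live chain.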
 