What's new

IPTABLES to Block Connections

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

clvk07

Senior Member
Hi

I have a rule to block traffic using IPTABLES

DROP all -- anywhere anywhere
admin@AC88SMB:/tmp/home/root# iptables --list | grep DROP
DROP icmp -- anywhere anywhere icmp echo-request
DROP all -- anywhere anywhere state INVALID
DROP all -- anywhere anywhere
DROP all -- unn-46-234-119-XXX.10gbps.io anywhere
Chain FORWARD (policy DROP)

but it seems that the router still establishes connection:

tcp 192.168.1.41:38965 46.234.119.XXX:25463 ESTABLISHED

any ideas?
 
Here the full rules. I just added the block using iptables -A INPUT -s IP-ADDRESS -j DROP
everything else is unchanged

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4672
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4665
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4662
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:52000
ACCEPT     udp  --  anywhere             anywhere             udp dpt:52000
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1194
ACCEPT     all  --  anywhere             anywhere
DROP       icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTA
BLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt
:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8082
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere             icmp !echo-request
DROP       all  --  anywhere             anywhere
DROP       all  --  unn-46-234-119-XXX.10gbps.io  anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4672
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4665
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4662
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:52000
ACCEPT     udp  --  anywhere             anywhere             udp dpt:52000
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1194
ACCEPT     all  --  anywhere             anywhere
DROP       icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTA
BLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt
:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8082
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere             icmp !echo-request
DROP       all  --  anywhere             anywhere
DROP       all  --  unn-46-234-119-XXX.10gbps.io  anywhere

Chain PControls (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain SECURITY (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,
RST,ACK/SYN limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,
RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,
RST,ACK/RST limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,
RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request
limit: avg 1/sec burst 5
DROP       icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG leve
l warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere
 
There are at least 2 problems.
1) You have added your rule to the end of the INPUT chain. This is pointless as the preceding rule drops everything that has reached that point.
2) If you want to block a client on your LAN you need to use the FORWARD chain (which you haven't shown), not the INPUT chain.
 
Sorry here the forward chain

is this syntax correct to block: iptables -I FORWARD -d sou.rce.ip.add -j DROP

Code:
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTA
BLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
ACCEPT     all  --  anywhere             anywhere
 
So you want stop one specific client accessing one specific site? You could just do that in the GUI using the Network Services Filter.


iptables -I FORWARD -d <web-address> -s <client-address> -j DROP
 
So you want stop one specific client accessing one specific site? You could just do that in the GUI using the Network Services Filter.


iptables -I FORWARD -d <web-address> -s <client-address> -j DROP


this in the command line worked. Thanks. Network filtering services wouldn't work even though the change made was showing up in iptables --list. Only difference is the using the command line it the protocol shows ALL but using network services only UDP or TCP
 
this in the command line worked. Thanks. Network filtering services wouldn't work even though the change made was showing up in iptables --list. Only difference is the using the command line it the protocol shows ALL but using network services only UDP or TCP
NSF should work but there are two things to be aware of.

1) NSF doesn't block pings because they are ICMP, not TCP or UDP. But that doesn't matter if all you want to do is block websites (which are TCP).

2) Depending on the firmware you are using you may see an option in NSF to block the protocol "TCP ALL". DO NOT USE THIS. Use "TCP" instead. TCP ALL is a bitmask for the TCP flags - it is not what you want.
 
2) Depending on the firmware you are using you may see an option in NSF to block the protocol "TCP ALL". DO NOT USE THIS. Use "TCP" instead.
Good reminder for everyone!

@RMerlin - I removed this option from my fork. I don't recall seeing you pick that one up....you may want to consider it.
 
Last edited:
Good reminder for everyone!

@RMerlin - I removed this option from my fork. I don't recall seeing you pick that one up....you may want to consider it.

I don't see any reason to remove it. TCP ALL allows you to drop any TCP packet types, which means dropping SYN, ACK, etc...
 
Doesn't matter if it is TCP or TCP ALL, unless rules is added with the IPTABLE command (which change the block to ALL rather than TCP ) the router Network filtering services (AC88U MERLIN .59) doesn't not seems to block traffic.

Log connection Entry tcp 192.168.1.41:56547 46.234.119.XXX:25463 ESTABLISHED

IPTABLE
Chain FORWARD (policy DROP)
target prot opt source destination

DROP tcp -- anywhere unn-46-234-119-XXX.10gbps.io
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top