"MAC address White-List" script fails in Merlin

[list]

Hello,

Asus RT-AC88u
Merlin version 386.2_4

I'm switching from dd-wrt to Merlin.
Unfortunately, I can't get my dd-wrt "MAC address White-List" script to run in Merlin.
It works for dd-wrt, but fails for Merlin.

Below is my "White List" firewall script.
It grants access to devices with MAC addresses contained in its list, and blocks all other devices.
This script filters traffic on *ALL* networks: LAN, WiFi, and GUEST.

#!/bin/sh

# NOTE: This script is based on "forum.dd-wrt.com/phpBB2/viewtopic.php?t=328075&highlight=man+whitelist"

# Initial setup (install kernel module, create chain, etc.)
insmod      xt_comment   #allow iptables comments: "-m comment ..." (needed by Asus Merlin only)
iptables -N MAC_WhiteList                           -m comment --comment "Create user-defined MAC_WhiteList chain"
iptables -A MAC_WhiteList -j DROP -s 169.254.0.0/16 -m comment --comment "Appends jump: DROP 169.254.0.0/16 to MAC_WhiteList chain.  (169.254.x.x allows communication between devices without using DHCP/static IP addresses.)"

# Device(s) (MAC address rules):
iptables -A MAC_WhiteList -j RETURN -m mac --mac-source <MAC address-1> -m comment --comment "device-1"
iptables -A MAC_WhiteList -j RETURN -m mac --mac-source <MAC address-2> -m comment --comment "device-2"
iptables -A MAC_WhiteList -j RETURN -m mac --mac-source <MAC address-3> -m comment --comment "device-3"

# Interface rules
iptables -A MAC_WhiteList -j DROP                 -m comment --comment "Append jump: DROP to bottom of MAC_WhiteList chain"
iptables -I FORWARD 1     -j MAC_WhiteList -i br0 -m comment --comment "Prepend jump: MAC_WhiteList br0 LAN/WiFi           interface to top of FORWARD chain"
iptables -I INPUT   1     -j MAC_WhiteList -i br0 -m comment --comment "Prepend jump: MAC_WhiteList br0 LAN/WiFi           interface to top of INPUT chain"
iptables -I FORWARD 1     -j MAC_WhiteList -i br1 -m comment --comment "Prepend jump: MAC_WhiteList br1 2.4 GHz GUEST WiFi interface to top of FORWARD chain"
iptables -I INPUT   1     -j MAC_WhiteList -i br1 -m comment --comment "Prepend jump: MAC_WhiteList br1 2.4 GHz GUEST WiFi interface to top of INPUT chain"
iptables -I FORWARD 1     -j MAC_WhiteList -i br2 -m comment --comment "Prepend jump: MAC_WhiteList br2 5.0 GHz GUEST WiFi interface to top of FORWARD chain"
iptables -I INPUT   1     -j MAC_WhiteList -i br2 -m comment --comment "Prepend jump: MAC_WhiteList br2 5.0 GHz GUEST WiFi interface to top of INPUT chain"

Modifications to move this script to Merlin:
1) Changed the interface names to br0, br1, and br2.
("route -n" gives the names of the interfaces as: br0 (LAN/WiFi), br1 (2.4GHz), and br2 (5.0GHz).)
2) Added "insmod xt_comment" to allow comments in the iptables.

To install this script, I "scp" it into the router to "/jffs/script/firewall.user". Then ssh login, and make it executable.
I manually run it, and get no errors.
Next, reboot. ssh login again. Check that the rules have loaded by "iptables -L -v -n". All rules have loaded.
Then I test it with one device on the MAC filter list, and another device not on the MAC filter list.
Unfortunately, it allows *ALL* devices access to the internet. No device is blocked.

I'd appreciate any guidance as to what I'm doing wrong in my Merlin port.

Thank you.

 

[dave14305]

To install this script, I "scp" it into the router to "/jffs/script/firewall.user". Then ssh login, and make it executable.
I manually run it, and get no errors.
Next, reboot. ssh login again. Check that the rules have loaded by "iptables -L -v -n". All rules have loaded.

Is your script being called by /jffs/scripts/firewall-start ? firewall.user has no meaning in Merlin, so it needs to be called from within firewall-start.

 

[list]

Hello dave14305,
Thank you for your reply.

Based on your file naming information:
I placed my firewall script in "/jffs/scripts/firewall-start".
Rebooted. Listed the firewall rules with "iptables -L -v -n | more". The new rules from "/jffs/scripts/firewall-start" were present.
Tested the device access. It worked! MAC filtering worked.

* Question:
The directory "/jffs/scripts/" was initially EMPTY. There was no *SYSTEM* file named "/jffs/scripts/firewall-start".
So I just named my *CUSTOM* file "/jffs/scripts/firewall-start".
Shouldn't there exist a *SYSTEM* file into which I add a call to my *CUSTOM* file?
Is it safe for me to name my *CUSTOM* file "/jffs/scripts/firewall-start"?

Again, thanks for the help. Much appreciated.

 

[dave14305]

Shouldn't there exist a *SYSTEM* file into which I add a call to my *CUSTOM* file?

No, since they're optional. They are invoked if they exist, but not otherwise.
Wiki:

User scripts

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

 

[list]

Hello dave14305,
Thank you for the instructive link, and for the help solving my problem.

 

[Benjamin John]

@list I'm trying to implement this at 11 PM and revert it at 7 AM. Any idea on how to get this going?
How would I reverse the whitelist and allow ALL at 7AM?
Thank You