Parental Controls overwrite iptable rules from nat-start

[Dypek]

I am using Asuswrt-Merlin on an ASUS RT-AC3100 (previously on an RT-N66U), and am trying to setup iptables rules to block outbound access to specific MACs or IPs (smart plugs, smart switches, cameras, etc). I have iptables rules in nat-start, which are applied properly on startup, I can see my rules via `iptables -L`, but as soon as I enable Parental Controls, the rules in Parental Controls overwrite all of my rules that were configured in nat-start, how can I use both simultaneously? If PC is enabled on startup, same thing, PC rules overwrite custom iptable rules in nat-start.

If I put my rules in firewall-start, all Parental Control rules get overwritten.

I want the convenience of enabling/disabling devices in the Parental Controls interface (or via the router app), to block client (kids/guests) devices on demand, without having to ssh in and run an iptables command, whilst having all my "smart" devices permanently blocked in nat-start. Parental Controls only allows up to 16 devices, so having my 20+ smart appliances along with multiple kid devices is not an option there anymore, although this was my solution when I had up to 16 devices, for many years.

Thanks.

 

[ColinTaylor]

What does your script look like? From what you've said so far it sounds like you should be using firewall-start and not nat-start.

 

[Dypek]

I must have accidentally had both nat-start and firewall-start running the same set of rules when I was testing this, you are correct, with the rules in firewall-start only, I have my DROP rules prepended to the PC rules in the FORWARD chain, thanks for your help.

 

[SKay]

Hello Dypek, maybe you can give me some more inside in the iptables on a ASUS router (Merlin). I was trying to add a cronjob to disable a mac-address at a given time at night and remove it again in the morning. I did get this to work but as soon as I look in the ASUS app the rules I make disappear. Do you know how to prevent this? I want to be more flexible with the Time Scheduling Parental Control gives me (only hourly blocks). Thanks, Kay

 

[Dypek]

Hello Dypek, maybe you can give me some more inside in the iptables on a ASUS router (Merlin). I was trying to add a cronjob to disable a mac-address at a given time at night and remove it again in the morning. I did get this to work but as soon as I look in the ASUS app the rules I make disappear. Do you know how to prevent this? I want to be more flexible with the Time Scheduling Parental Control gives me (only hourly blocks). Thanks, Kay

I was able to reproduce this by turning PC off in the browser interface, my MAC that I had just previously added to the DROP policy via command line (same as what your cron would do) disappeared after toggling to off, however all my MACs that I have setup in firewall-start are still there, so there is something that resets this chain to the state after startup (after firewall-start runs). I assume accessing PC in the app might be doing the same thing as toggling in the browser, resetting your rules.

However, once I re-added the DROP rule via command line, toggling PC no longer removed the rule from the list, so I am not sure how PC is determining how to overwrite the FORWARD chain when toggling PC.

 

[SKay]

Can you maybe give an example of a block line you use in your firewall-start? and also where the firewall-start is located? (locate isn't available unfortunately)

 

[Dypek]

Can you maybe give an example of a block line you use in your firewall-start? and also where the firewall-start is located? (locate isn't available unfortunately)

#!/bin/sh

# block <MAC ADDRESS>
iptables -t filter -I FORWARD -m mac --mac-source <MAC ADDRESS> -j DROP

file is here: /jffs/scripts/firewall-start
https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts#firewall-start

 

[SKay]

I wonder if can create 2 firewall-start scripts (firewall-start1 and firewallstart2) and then create a cronjob that renames them to firewall-start at a given time. Maybe that way it's possible to have a more flexible block time schedule for the kids.

or maybe just entries like there are now if you look at iptables -S FORWARD:
-A FORWARD -i br0 -m time --timestart 08:00:00 --timestop 21:00:00 --weekdays Sun --kerneltz -m mac --mac-source "mac-address" -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 21:00:00 --weekdays Mon --kerneltz -m mac --mac-source "mac-address" -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 21:00:00 --weekdays Tue --kerneltz -m mac --mac-source "mac-address" -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 21:00:00 --weekdays Wed --kerneltz -m mac --mac-source "mac-address" -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 21:00:00 --weekdays Thu --kerneltz -m mac --mac-source "mac-address" -j PControls
-A FORWARD -i br0 -m time --timestart 07:00:00 --timestop 22:00:00 --weekdays Fri --kerneltz -m mac --mac-source "mac-address" -j PControls
-A FORWARD -i br0 -m time --timestart 08:00:00 --timestop 22:00:00 --weekdays Sat --kerneltz -m mac --mac-source "mac-address" -j PControls
-A FORWARD -i br0 -m mac --mac-source "mac-address" -j DROP

and change the times to whatever I like.