Respond to ping on only 1 ip address and block all others.

E.S

Occasional Visitor
Can anyone help me with a problem that I have?

I have an Asus AC3200 running Merlin. How would I go about setting it up so that respond to ping only works on one IP/subnet?

Basically I want to set up thinkbroadband's quality monitor so that only their IP/subnet will get ping replies from the AC3200 router and everything else doesn't get ping replies.

It's just that I am having VDSL problems and I need to have the line monitored to see exactly what all is happening, but I don't want to do that at the cost of having the whole internet being able to ping me.

Is this doable?

Thanks
 
It should be possible if there is a consistent IP address that thinkbroadband uses.

Disable "Respond Ping Request from WAN" in the GUI and then create a /jffs/scripts/firewall-start script as follows:
Code:
#!/bin/sh

iptables -I INPUT -p icmp -s 80.249.99.164/28 -j ACCEPT

UPDATE: Changed IP range as per recommendation: http://www.thinkbroadband.com/faq/sections/bqm.html#314
 
Hi Colin and thank you for your reply.

I don't mean to sound dumb, but I have never used iptables before and have no idea how I would go about doing what you just said.

OK, I figured it's done by command line, so I ssh/putty into the router.

And then I create a new script with the code you so kindly shared.

That part I have grasped, but since iptables is new to me, I don't know exactly the steps I should take to get to the end result.

Given time I will figure it out with a little reading up on the subject.

But I would greatly appreciate some pointers with what commands to use etc., only if you have the time to do so.

Thanks again for your help, it will definitely help with what I am trying to accomplish.

E.S


EDIT

OK, I have got into the router via ssh. Directly from /tmp/home/root I ran the code. Would that be all there is to it, just logging in and, without changing directories, just running that code you pasted above?
 
https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

Hi E.S,

You need to put a script called "firewall-start" in the /jffs/scripts directory.

The script contains just those 2 lines (3 if you count the blank line) that I showed you above. See the link above about User Scripts.

To create the script you can use the router's built-in editor, vi. But vi is not user friendly, so if you don't already know how to use it, find an alternative method.

You could do this to create the firewall-start script instead of using an editor:
Code:
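cd /jffs/scripts
# Single quotes keep "!" literal in shells that do history expansion
echo '#!/bin/sh' > firewall-start
echo >> firewall-start
echo "iptables -I INPUT -p icmp -s 80.249.99.164/28 -j ACCEPT" >> firewall-start
# Executable by everyone, writable only by the owner
chmod 755 firewall-start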
Then reboot the router. Assuming you have enabled the running of user scripts in the GUI it should now be working.

P.S. Seeing your edit above: You can just log into the router and type the single iptables command and it will work. The problem is that when you reboot the router the command will be forgotten. Therefore we create a user script that runs at boot time which issues that command automatically.
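
An added example, not part of the thread and not the poster's script: a firewall-start variant that shows which addresses the `-s 80.249.99.164/28` match really covers, narrows the rule to ICMP echo-request on the WAN interface, and avoids inserting a duplicate when run by hand. It assumes the firmware passes the WAN interface name as `$1`; the function names `cidr_range` and `allow_ping` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Does nothing unless called with
# the WAN interface as $1 (assumed to be supplied by the firmware).

SRC="80.249.99.164/28"   # monitor range quoted in the thread

# Print the first and last address that "-s a.b.c.d/len" really matches.
# iptables masks off the host bits, so a base address that is not aligned
# to the prefix still covers the whole enclosing block.
cidr_range() {
    addr=${1%/*}; len=${1#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    lo=$(( ip & mask )); hi=$(( lo | (~mask & 0xFFFFFFFF) ))
    for n in $lo $hi; do
        printf '%d.%d.%d.%d\n' $(( n >> 24 & 255 )) $(( n >> 16 & 255 )) \
            $(( n >> 8 & 255 )) $(( n & 255 ))
    done
}

# Accept only ICMP echo-request from the given range on the WAN interface.
# -C checks for an existing rule; if it fails or is unsupported, insert.
allow_ping() {   # $1 = WAN interface, $2 = source CIDR
    set -- -i "$1" -p icmp --icmp-type echo-request -s "$2" -j ACCEPT
    iptables -C INPUT "$@" 2>/dev/null || iptables -I INPUT "$@"
}

if [ -n "${1:-}" ]; then
    logger -t firewall-start "ping allowed from $(cidr_range "$SRC" | tr '\n' ' ')"
    allow_ping "$1" "$SRC"
fi
```

For the range in the thread, `cidr_range` reports 80.249.99.160 through 80.249.99.175, which is what `iptables -L INPUT -n` will show as the rule's source.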
 
Ahk, I have got it now, that's cleared up the confusion.

That has made it much clearer for me to grasp and understand.

Thanks again for your help, it really is appreciated.
 
That's the ticket :)

Thank you so much for your help Colin, hopefully I can now start figuring out what's wrong with my FTTC hookup.

Cheers

E.S
 
