Posted: Wed Nov 01, 2017 12:08 Post subject: Access Restrictions
I'm trying to block apple updates in r33607 on a Linksys WRT3200ACM.
Settings are as follows:
filter
client IP range 192.168.25.1 - 192.168.25.254
everyday
24 hours
Block websites: mesu.apple.com appldnld.apple.com
These address when blocked in Tomato would block any apple downloads with it be in the app store or iOS OTA updates from happening.
However, it's not blocking the URLs in DD-WRT. Am I overlooking something? I also tried blocking the mac address of the iPhone in question with the same results.
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Wed Nov 01, 2017 13:16 Post subject:
Access Restrictions is blocking http sites but not https
you can block https or they corresponding IP via iptables rules or additional DNSmasq rules...
add those rules in administration>commands>save firewall
iptables -I FORWARD -s 17.253.3.205 -j DROP
iptables -I FORWARD -s 17.253.3.207 -j DROP
iptables -I FORWARD -s 17.253.3.208 -j DROP
iptables -I FORWARD -s 17.253.3.210 -j DROP _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Access Restrictions is blocking http sites but not https
you can block https or they corresponding IP via iptables rules or additional DNSmasq rules...
add those rules in administration>commands>save firewall
iptables -I FORWARD -s 17.253.3.205 -j DROP
iptables -I FORWARD -s 17.253.3.207 -j DROP
iptables -I FORWARD -s 17.253.3.208 -j DROP
iptables -I FORWARD -s 17.253.3.210 -j DROP
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Thu Nov 02, 2017 12:41 Post subject:
i do not recall "multiport" variable to work with current iptables, you need a rule for each port to block, very inconvenient i know...
also i do not believe you use the correct syntax
mesu.apple.com appldnld.apple.com thise two sites ware corresponding with those IP's i posted but apple might
have a range of other IP's to block once you find them all
you have to create rules for them, try to add destination
as well source
iptables -I FORWARD -p tcp -d 17.253.13.202 -m multiport --dports 8080,80,443 -j DROP this rule suppose to block outbound connection (destination)
you have to change -d with -s (source) for inbound
try something like
iptables -I FORWARD -s 17.253.3.205 -d your local ip range -j DROP
just do keep in mind this ip range you chose is not very good, you have to change your router address to something that is easy to calculate use:
https://www.ipaddressguide.com/cidr#range
or try this way
iptables -t filter -I FORWARD -s {IP of your local host you want to block} -p tcp -d {IP of apple} -j REJECT _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Posted: Thu Jan 04, 2018 9:30 Post subject: Re: Access Restrictions
CantRepeat wrote:
Settings are as follows:
filter
client IP range 192.168.25.1 - 192.168.25.254
everyday
24 hours
Block websites: mesu.apple.com appldnld.apple.com
Not sure if you've figured it out or not. It works for me. I used these same settings in DD-WRT r33772 but the only extra thing I did was under "Blocked Services", check mark "Catch all P2P Protocols" and in the pull down menu select "apple_itunes". Save and Apply Settings. Done!
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Thu Jan 04, 2018 11:27 Post subject:
CantRepeat wrote:
Thanks again. I assume they do have a range and I tried a bunch that I found.
The other stuff I posted is something I found on the forums while searching blocking.
Code:
iptables -I FORWARD -s 23.193.108.117 -j DROP
iptables -I FORWARD -s 23.210.106.39 -j DROP
iptables -I FORWARD -s 17.253.13.201 -j DROP
iptables -I FORWARD -s 17.253.13.202 -j DROP
iptables -I FORWARD -s 17.253.31.205 -j DROP
iptables -I FORWARD -s 17.253.31.203 -j DROP
iptables -I FORWARD -s 17.253.31.204 -j DROP
iptables -I FORWARD -s 17.253.31.202 -j DROP
iptables -I FORWARD -s 17.253.3.205 -j DROP
iptables -I FORWARD -s 17.253.3.207 -j DROP
iptables -I FORWARD -s 17.253.3.208 -j DROP
iptables -I FORWARD -s 17.253.3.210 -j DROP
The store and OTAs still load.
you may add those with -d (destination) as well as you already have application installed on your computer and it try's to connect to...
on DD-WRT FORWARD is the WAN interface and (-s) is source (inbound) and -d is destination (outbound)
example:
iptables -I FORWARD -d 17.253.3.210 -j DROP _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Sat Jan 06, 2018 14:25 Post subject:
rizla7 wrote:
Alozaros wrote:
i do not recall "multiport" variable to work with current iptables
Quote:
iptables -A INPUT -p tcp -m multiport --dports 22,23,80,8080 -j DROP
iptables -A INPUT -p tcp --dport 50000:60000 -j DROP
1. ports 22,23,80,8080
2. all ports 50,000-60,000
Can't you block that junk by DNSMasq? Or just the port, unless it uses HTTPS. :\
for some odd reason multiport is working only for those ports on my routers 22,23,80,443,8080
if you try to block those specific ports with it... it was not working
25,138,139,445,31337 and few more
but in this format is ok...
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 31337 -j DROP
so many lines in my set up would ve been nicely replaced by a single rule, sadly odds are against me _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Sun Jan 07, 2018 12:59 Post subject:
well i already tested it with multiport command on my Atheros unit and all those ports on TCP and clearly it was not working and no results ware present by -vnL that's why i wonder if multiport works on other devices...
A blocke was showing me that this command works on his Broadcom unit that i test it it with various ports and was not working even on my Broadcom unit R7000...
https://www.dd-wrt.com/wiki/index.php/Port_Blocking it says
its working but its not working for different ports that 80, 443, 21 ,22, 23 8080 _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
one line each yes they are there
just test it it on my TPlink 1043NDv2 _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Hello everybody. I can not solve the problem of blocking a user by mac address. I have DD-WRT v3.0-r33986 std (12/04/17) in netgear R7000.
I can add the configuration to the access restriction, but the PC still goes online.
When I tried to add via iptables -I FORWARD -m mac --mac-source 00:00:00:00:00:38 -m time --weekdays Mo, Tu, We, Th, Fr --timestart 10: 02 --timestop 17:02 -j REJECT
I get the answer: iptables v1.3.7: Could not find match `time'
and if I change to iptables -I FORWARD -m mac --mac-source 00:00:00:00:00:38 -j REJECT
firewall takes command, but the computer still has access to Internet.
And yet, when I press "save" - my router reboots.
Help me fix it please.
Thanks!
it is a smaller version of iptables not the full implementation, so some commands will not be available.
As for the connection, more than likely what is happening is that you are hitting a RELATED or ESTABLISHED rule that is forwarding the traffic before you hit the rule you just added.
You probably want something of the form:
iptables -I FORWARD 1 -m mac --mac-source 00:00:00:00:00:38 -j REJECT
this will put it as the first forwarding rule and ahead of the RELATED or ESTABLISHED rule
