If I put the same commands on br1 instead (the bridge dedicated to my Guest Wifi Network), they work: all the devices connected to the guest network on br1 can't access any of those ports.
Why does the same command work on br1 but not on ath0?
I am comfortable with iptables commands and understand the syntax; I really don't understand why it's not working.
Any suggestions?
_________________
Today is always a Good day!
________________________________
Atheros: tp-link wr940N - Gateway \ DNSMasq \ AP
Last edited by Naovaz on Tue Aug 21, 2018 16:02; edited 1 time in total
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Aug 17, 2018 4:16 Post subject:
Yep, there is something weird with iptables these days. On the new builds on some particular routers even those restrictions do
not work, and changing the microserver port to something different from port 80 is impossible. I guess BS cuts off some commands to save space or to lock port 80 for the GUI....
Can you try to change the microserver port and try with different ports... I've also tried to block the ath interface but it didn't work in the past, and I went to br1, which worked well, but now br1 blocking is not working on my 1043 v2 too.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
First of all, thanks for all of your feedback.
I'm going to try to address all of your responses:
------JXM --------
In my router, ath0 is where my wifi is configured.
In the link you posted they address the usual case, but that doesn't mean it's always going to be like that. In these situations you need to check, either with ifconfig or in the router web GUI, which is the network you want to configure.
------Alozaros---------
Thanks for the suggestion, maybe I'm going to try some sneaky stuff, putting the network in another bridge and trying to filter that bridge itself. If I do so I will report back with some feedback.
--------Mile-Lile-----------
You are right, when I wrote this I was in a rush and skipped a lot of useful information, sorry about that.
So, to better understand my network, here it is:
>ifconfig
#Main Wifi Network
ath0 Link encap:Ethernet HWaddr <MAC>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3061 errors:0 dropped:0 overruns:0 frame:0
TX packets:7479 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:340808 (332.8 KiB) TX bytes:9627967 (9.1 MiB)
#Guest-Wifi Network
ath0.1 Link encap:Ethernet HWaddr <MAC>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:trigger_out - [0:0]
:lan2wan - [0:0]
:grp_1 - [0:0]
:advgrp_1 - [0:0]
:grp_2 - [0:0]
:advgrp_2 - [0:0]
:grp_3 - [0:0]
:advgrp_3 - [0:0]
:grp_4 - [0:0]
:advgrp_4 - [0:0]
:grp_5 - [0:0]
:advgrp_5 - [0:0]
:grp_6 - [0:0]
:advgrp_6 - [0:0]
:grp_7 - [0:0]
:advgrp_7 - [0:0]
:grp_8 - [0:0]
:advgrp_8 - [0:0]
:grp_9 - [0:0]
:advgrp_9 - [0:0]
:grp_10 - [0:0]
:advgrp_10 - [0:0]
:logbrute - [0:0]
-A logbrute -m recent --set --name BRUTEFORCE --rsource
-A logbrute -m recent ! --update --seconds 60 --hitcount 4 --name BRUTEFORCE --rsource -j RETURN
-A logbrute -m limit --limit 1/min --limit-burst 1 -j RETURN
-A logbrute -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p udp -i eth1 --dport 520 -j DROP
-A INPUT -p udp -i br0 --dport 520 -j DROP
-A INPUT -p udp --dport 520 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i br1 -j ACCEPT
-A INPUT -i eth1 -p icmp -j DROP
-A INPUT -p igmp -j DROP
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i br1 -p udp --dport 67 -j ACCEPT
-A INPUT -i br1 -p udp --dport 53 -j ACCEPT
-A INPUT -i br1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i br1 -m state --state NEW -j DROP
-A INPUT -i br1 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o br1 -j ACCEPT
-A FORWARD -i br1 -j ACCEPT
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o eth1 -j ACCEPT
-A FORWARD -i br1 -o eth1 -j ACCEPT
-I FORWARD -o eth1 -s 192.168.2.1/24 -p tcp --dport 1723 -j ACCEPT
-I FORWARD -o eth1 -s 192.168.2.1/24 -p gre -j ACCEPT
-A FORWARD -i eth1 -o br0 -j TRIGGER --trigger-type in
-A FORWARD -i br0 -j trigger_out
-I FORWARD -i br1 -d 192.168.2.1/255.255.255.0 -m state --state NEW -j DROP
-A FORWARD -i br0 -o br1 -m state --state NEW -j DROP
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A logreject -p tcp -j REJECT --reject-with tcp-reset
COMMIT
NOTE: I removed some personal info about the devices and IPs, but you can still understand the network topology and configuration. Every time you see something like <PublicIP> or <MAC> it means that in the original file\page the info is actually there, I just don't want to share it.
I agree with Per Yngve Berg. The bridge is where the traffic is coming from, and not ath0 (yes, a little confusing), but that is why the rules are not working. That is how bridging works.
Basically, with this I am saying that all incoming traffic on br0 to those ports is blocked, unless it is coming from the 192.168.2.2 IP (my main computer, with this same static IP).
Using the code above I am in a situation where everything is working fine and as I intended.
This said, if I were in a situation where I wanted to still retain access to those ports using any computer on br0, I would instead have done it by moving the wifi network to a new bridge (br2).
Thank you again for all of your help.
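As an added example (not the poster's firewall script and not DD-WRT's own code), a small /bin/sh script that implements the idea from this last post: drop new connections to a set of router service ports arriving on br0 unless they come from the admin host, and, because ath0 is only a member of br0, resolve a bridge-member name to its bridge before writing the rule. The port list, the admin IP 192.168.2.2 and the use of the multiport match are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own script and not part of DD-WRT.
# Drops new connections to a set of router service ports arriving on the
# LAN bridge, except from one admin host, and resolves a bridge member
# (ath0) to its bridge (br0) first, since netfilter sees the bridge.
# Admin IP and port list are assumptions based on the thread.

ADMIN_IP="${ADMIN_IP:-192.168.2.2}"
BLOCKED_PORTS="${BLOCKED_PORTS:-22,23,80,443}"  # constructed sample list
IPT="${IPT:-iptables}"                          # IPT="echo iptables" = dry run
SYSFS="${SYSFS:-/sys/class/net}"

# Print the bridge an interface is enslaved to, or nothing if it is not a
# bridge port. Linux exposes this as <iface>/brport/bridge -> ../../<bridge>.
bridge_of() {
    link="$SYSFS/$1/brport/bridge"
    [ -L "$link" ] || return 0
    basename "$(readlink "$link")"
}

# Interface to filter on: a bridge member's packets arrive on its bridge,
# so "-i ath0" would never match; use "-i br0" instead.
filter_iface() {
    br="$(bridge_of "$1")"
    [ -n "$br" ] && echo "$br" || echo "$1"
}

# Argument list for one INPUT rule. A single rule with "! -s ADMIN_IP"
# avoids the ordering trap of -I putting each new rule at the top.
rule_args() {
    echo "INPUT -i $1 ! -s $ADMIN_IP -p $2 -m multiport --dports $BLOCKED_PORTS -m state --state NEW -j DROP"
}

# -I places the rules ahead of DD-WRT's own "-A INPUT -i br0 -j ACCEPT".
apply_rules() {
    iface="$(filter_iface "$1")"
    for proto in tcp udp; do
        $IPT -I $(rule_args "$iface" "$proto")
    done
}

# Usage on the router as root: ./lan_ports.sh ath0   (resolves to br0)
if [ -n "${1:-}" ]; then
    apply_rules "$1"
fi
```

Run it once with IPT="echo iptables" to see the exact rules it would insert before applying them on the router.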