Posted: Wed Jun 16, 2021 3:49 Post subject: IPTables For Specific Mac Addresses
I am having a bit of an issue configuring my router for specific devices. I have installed DD-WRT on my NetGear R7000 router with firmware version 3.0-r46854. Currently, in my administrative tab, under commands, I have the current setup:
The first two rules are prerouting through the cleanbrowsing DNS servers as a means to force safe search on all major search engines, as well as filter pornographic material.
The second set of rules has been put into place to block all traffic except HTTP, HTTPS and FTP, as the DD-WRT iptables guide instructs. This has proven very beneficial in blocking VPN access in Android apps, such as Turbo VPN, Hotspot Shield etc. It helps prevent the apps from circumventing the safe search DNS from cleanbrowsing.
However, I have noticed that (as a result of blocking all but HTTP, HTTPS and FTP) some sites load slower, speed tests come out about 300 Mbps slower than normal (normally about 700 Mbps), my DVR security cameras cannot be accessed, and my Windows Mail application does not load emails.
I am wondering if there is a way to ease up on these particular iptables settings, while maintaining the security, but for specific MAC addresses, specifically the MAC addresses of MY devices, so that not everyone who uses the network is subject to the safeguards I have placed for myself? Or perhaps a means to exclude certain MAC addresses and/or sites from these rules?
A side note, I do not know if this is relevant or an issue, but I also have DDNS connected to OpenDNS via Setup -- DDNS, and under ddns service I have custom with the appropriate settings in place. Thank you so much all, for any and all help.
Joined: 16 Nov 2015 Posts: 6411 Location: UK, London, just across the river..
Posted: Wed Jun 16, 2021 6:01 Post subject:
If you turn on the Forced DNS option in the GUI and put those two DNS servers in the DNS boxes, it will not allow any other DNS to resolve anything else..
You can harden it with those commands in the Advanced DNS rules.
The first rule is not needed, as it will open the door to anyone to use those ports... and this can compromise your security...
Maybe this is the rule you meant:
iptables -I FORWARD 1 ! -p tcp -m multiport --dports 21,80,443 -j DROP
! means it will drop all others, but not 21,80,443.
Second rule:
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
is usually in the IPT by default, so only those related/established connections will be accepted, and this is the general purpose of the SPI firewall..
The third rule will drop all the connections.
Usually, in this order, as you number it 3, it will come last and will cut off everything, so those 2 above are not valid... kind of..
If you decide to take the numbers away, so the rules are pasted in the same order... because of -I (insert), rules will be executed in the opposite way, so the last rule comes first and they make more sense...
So, it's more likely those rules should be like that:
iptables -I FORWARD 1 -j DROP
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -p tcp -m multiport --dports 21,80,443 -j ACCEPT
At the end, if your SPI firewall is turned on,
it will do the first and the second rule by default...
Then again, when it comes to VPN use and those that know how to use either VPN or TOR, those rules will not help, as the connection will go another way and go around the IPT.. and there all those above go to the toilet...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
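A worked version of what the question asks for, added here as an example (it is not code from the thread or from DD-WRT): the reply's corrected policy of dropping all forwarded traffic except 21/80/443 while keeping ESTABLISHED,RELATED, but placed in a separate chain that exempts the owner's devices by MAC address. It assumes br0 is the LAN bridge (the DD-WRT default); the chain name LAN_RESTRICT and the two MAC addresses are my own constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a DD-WRT firewall script that keeps the
# "drop everything but FTP/HTTP/HTTPS" policy for forwarded LAN traffic, but
# exempts the listed MAC addresses (the owner's devices) from it.
# Assumptions: br0 is the LAN bridge (DD-WRT default), the chain name
# LAN_RESTRICT is mine, and the two MAC addresses below are constructed samples.
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"
ALLOWED_PORTS="21,80,443"
IPT="${IPT:-iptables}"

# Print the body of the LAN_RESTRICT chain, one rule per line, so it can be
# reviewed before anything is applied. RETURN means "not restricted, let the
# rest of FORWARD decide"; the final DROP catches everything else.
build_rules() {
  for mac in $ALLOWED_MACS; do
    echo "-A LAN_RESTRICT -m mac --mac-source $mac -j RETURN"
  done
  # Replies to connections that were already allowed must keep flowing.
  echo "-A LAN_RESTRICT -m state --state ESTABLISHED,RELATED -j RETURN"
  # Everyone else may only open FTP/HTTP/HTTPS. Client DNS is deliberately not
  # listed: with Forced DNS Redirection it is answered by the router itself
  # (INPUT chain), so direct-to-Internet DNS from a client is dropped here.
  echo "-A LAN_RESTRICT -p tcp -m multiport --dports $ALLOWED_PORTS -j RETURN"
  echo "-A LAN_RESTRICT -j DROP"
}

# Apply idempotently: remove any old jump, recreate the chain, re-add the jump.
apply_rules() {
  $IPT -D FORWARD -i br0 -j LAN_RESTRICT 2>/dev/null
  $IPT -N LAN_RESTRICT 2>/dev/null
  $IPT -F LAN_RESTRICT
  build_rules | while read -r rule; do
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    $IPT $rule
  done
  $IPT -I FORWARD 1 -i br0 -j LAN_RESTRICT
}

# Uncomment on the router (Administration > Commands > Save Firewall):
# apply_rules
```

MAC matching is a convenience, not authentication: any device presenting an exempt MAC is exempt, so keep the list short and review it when a new device appears on the LAN.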
Please forgive my ignorance; I am brand new to much of this. I guess what I am asking for is the correct iptables command to put into the firewall? I know a more qualified or sophisticated individual can get around it; however, basic needs, like blocking simple, free Android VPN apps, are primarily what I need it for. I tried pasting it in the order you posted, but I could not reconnect to the internet as a result.
In the DNS 1 and 2 fields I have the cleanbrowsing servers, as well as the command you pasted in the DNSMasq field.
With those above, all your devices will use the specified DNS and nothing else... do bear in mind devices with baked-in/forced DNS may not work as intended...
Connection to your cams is not working because of those 3 rules in your firewall.
Then you don't need those 3 rules in the firewall script, but I would rather use
Of course, this will cause various troubles, as some other services/apps use other ports, TCP as well as UDP... and there you get to your own net/web... in general, to circumvent that VPN, it will be almost impossible...
Maybe if you know that VPN IP range, then you can block the IP range and ports with iptables rules... so they will not be able to establish a connection and communicate.. but then again, those rules may interfere with something else...
As I said, those work on different layers of communication and it will be tough to mitigate with easy rules... it requires more details and digging... and understanding. Let's hope someone else will help here, as I'm going away today...
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Wed Jun 16, 2021 8:53 Post subject:
As @Alozoros said, the firewall does its job; no need to put in extra firewall rules unless you know what you are doing. The rule you added opens the firewall!!
About DNS: put the DNS servers in Static DNS 1 and 2, tick/enable Ignore WAN DNS (on the Setup page) and tick Enable Forced DNS Redirection, and you should be good.
Posted: Wed Jun 16, 2021 21:55 Post subject: IPTables For Specific Mac Addresses
Thank you both for all of your help and input. Like I said, I am brand new to all of this, so I am just trying to pick it up as I go, but I truly appreciate all your hard work and expertise!