How to block all protocols except TCP and UDP?

DD-WRT Forum Index -> Advanced Networking
Alozaros (DD-WRT Guru, joined 16 Nov 2015, 6408 posts, UK, London, just across the river..)
Posted: Sat May 29, 2021 21:16
In the first place, he will probably screw it up on layer 7... the browser.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
OpenSource Ghost (DD-WRT User, joined 14 Feb 2022, 50 posts)
Posted: Fri Apr 22, 2022 21:09
Alozaros wrote:
SurprisedItWorks wrote:
Alozaros wrote:
iptables -I INPUT -j DROP
iptables -A INPUT -p tcp -j ACCEPT
iptables -A INPUT -p udp -j ACCEPT

Not sure it's quite that simple. First of all, the INPUT chain is specific to traffic inbound for the router itself. For traffic between client devices and the internet, you need the FORWARD chain.

Also the above rules put the tcp/udp rules after the DROP rule, where they have no effect. And every packet destined for the router (like DNS queries, ssh connections, etc.) will be dropped. If you also do a version of this on the FORWARD chain, you'll be killing all traffic to/from the internet and between client devices.

Or maybe I'm caffeine deprived. Have I misread something?


Nope, you are not caffeine deprived... I was... It was a simple, rushed answer from my side.

In regards to the drop rules, my mistake, it should have been reject:

iptables -I INPUT -j REJECT
iptables -A INPUT -p tcp -j ACCEPT
iptables -A INPUT -p udp -j ACCEPT

I have similar ones to those running:
iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
iptables -A INPUT -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

And yes, cutting all traffic on the INPUT chain will cause trouble unless you know what you are doing...
It would be good to share the main goal.


So in this case a DROP rule would drop the packet completely every time without trying to match the packet to the rules below the DROP rule, while a REJECT rule would reject the packet but try to match it to the rules below the REJECT rule?

Does the syntax below look correct for rejecting non-TCP and non-UDP packets (in general) when the policy is set to ACCEPT:
iptables -A FORWARD -i <interface> ! -p 6 -j REJECT
iptables -A FORWARD -o <interface> ! -p 6 -j REJECT
iptables -A FORWARD -i <interface> ! -p 17 -j REJECT
iptables -A FORWARD -o <interface> ! -p 17 -j REJECT

?

REJECT tends to send a "port unreachable" reply. Is there some way to disable that? In sysctl maybe?
Per Yngve Berg (DD-WRT Guru, joined 13 Aug 2013, 6856 posts, Romerike, Norway)
Posted: Sat Apr 23, 2022 8:57
DROP just drops the packets, but REJECT sends a message back to the sender that the connection is not allowed.

When you insert rules, they must be inserted in the opposite order to what they shall be.

iptables -I INPUT -j DROP
iptables -I INPUT -p tcp -j ACCEPT
iptables -I INPUT -p udp -j ACCEPT

Note that all 3 lines have -I.
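Added example, not part of the thread and not anyone's posted rules: a small first-match simulator for an iptables chain, so the ordering point in the last post and the `! -p 6` / `! -p 17` question two posts up can both be checked without touching a live router. It assumes nothing about DD-WRT beyond how iptables itself works: `-I` puts a rule at the head of the chain, `-A` at the tail, and the first matching rule decides the packet. Rule triples, the `PROTO/VERDICT` chain notation and the `forward_rules` helper are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): simulate iptables rule ordering and
# first-match evaluation. Rules are  OP PROTO VERDICT  triples, e.g.  I any DROP
#   OP     I = insert at head (iptables -I), A = append at tail (iptables -A)
#   PROTO  tcp, udp, icmp, ...; any = no -p match at all; !tcp = "! -p tcp"
# The built chain is a ';'-separated list of PROTO/VERDICT entries in the
# order the kernel would evaluate them (the order `iptables -S` prints).

build_chain() {
    chain=""
    while [ $# -ge 3 ]; do
        case $1 in
            I) chain="$2/$3${chain:+;$chain}" ;;   # -I: new rule goes first
            A) chain="${chain:+$chain;}$2/$3" ;;   # -A: new rule goes last
        esac
        shift 3
    done
    printf '%s\n' "$chain"
}

# verdict CHAIN PROTO POLICY: walk CHAIN top to bottom and print the verdict
# of the first rule whose protocol match hits; fall back to POLICY if none does.
verdict() {
    chain=$1 proto=$2 policy=$3
    old_ifs=$IFS
    IFS=';'
    for rule in $chain; do
        IFS=$old_ifs
        match=${rule%%/*}
        hit=0
        case $match in
            any) hit=1 ;;
            !*)  if [ "${match#!}" != "$proto" ]; then hit=1; fi ;;  # negated -p
            *)   if [ "$match" = "$proto" ]; then hit=1; fi ;;
        esac
        if [ "$hit" -eq 1 ]; then
            printf '%s\n' "${rule#*/}"
            return 0
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$policy"
}

# The commands this example would actually run on the FORWARD chain (which is
# the chain that sees LAN<->WAN traffic; INPUT only sees traffic to the router).
# Same -I-in-reverse technique as above, so the three rules land ahead of
# whatever the firmware already has in FORWARD. DROP is silent; REJECT would
# answer with an ICMP error (port-unreachable unless --reject-with says otherwise).
forward_rules() {
    cat <<'EOF'
iptables -I FORWARD -j DROP
iptables -I FORWARD -p udp -j ACCEPT
iptables -I FORWARD -p tcp -j ACCEPT
EOF
}

# 1. DROP inserted first, ACCEPTs appended after it: the ACCEPTs never match.
first=$(build_chain I any DROP A tcp ACCEPT A udp ACCEPT)
# 2. All three with -I, written in reverse: ACCEPTs end up above the DROP.
fixed=$(build_chain I any DROP I tcp ACCEPT I udp ACCEPT)
# 3. "! -p tcp REJECT" followed by "! -p udp REJECT" with policy ACCEPT:
#    every UDP packet hits the first rule, every TCP packet hits the second.
negated=$(build_chain A '!tcp' REJECT A '!udp' REJECT)

printf '%-6s %-8s %-8s %s\n' proto first fixed negated
for p in tcp udp icmp; do
    printf '%-6s %-8s %-8s %s\n' "$p" \
        "$(verdict "$first" "$p" ACCEPT)" \
        "$(verdict "$fixed" "$p" ACCEPT)" \
        "$(verdict "$negated" "$p" ACCEPT)"
done
printf '\nCommands for the FORWARD chain:\n'
forward_rules
```

Two caveats a practitioner would want before pasting the `forward_rules` output into a firewall script: a catch-all DROP on FORWARD also discards ICMP (ping, and the "fragmentation needed" errors that path MTU discovery relies on) and any non-TCP/UDP tunnelling protocol such as GRE or ESP, so add explicit ACCEPTs for what is still wanted above the DROP; and `iptables` only covers IPv4, so IPv6 forwarding needs the same rules via `ip6tables`.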