Access restrictions not working as expected

DD-WRT Forum Index -> Advanced Networking
JoeyG1973 (DD-WRT Novice; joined 12 Jun 2012; 18 posts)
Posted: Wed Dec 31, 2014 21:02    Subject: Access restrictions not working as expected
I have set up an access restriction rule to deny my daughter access to the Internet based on time of day and the MAC address of her computer. This works fine if she tries to browse the Web or do anything new after the rule has started. What is perplexing is that if she connects to a Minecraft server or Pesterchum service before the time the deny rule goes into effect, she can stay connected indefinitely as long as she doesn't disconnect. I am not sure why this happens and was hoping someone here could help me figure this out. I am using the latest Kong build.
eibgrad (DD-WRT Guru; joined 18 Sep 2010; 8034 posts)
Posted: Wed Dec 31, 2014 22:31
The problem is due to the way dd-wrt has implemented Access Restrictions. It just happens that the firewall is configured to allow existing connections to bypass these restrictions. To be precise (if it matters to you), when a packet comes through the FORWARD chain of the firewall, the very first rule says to allow all ESTABLISHED connections through. Further down that same chain it finally encounters the rules for Access Restrictions (lan2wan), which of course is too late. That will only happen if the state of the connection is NEW.

I dumped the firewall just so you can see for yourself.

Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      vlan1   192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan1   192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
    0     0 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0

This is what I personally don't like about Access Restrictions. How it works is hidden. And it's based on certain assumptions with which you might not agree. It typically won't work w/ anything but the WAN (e.g., set up a VPN and Access Restrictions has no effect either!). That's why sometimes you just have to implement these restrictions yourself. Or perhaps "fix up" the existing rules after the fact (not something I generally recommend). Or perhaps in your case kill all her existing connections at the given hour so you force a NEW connection to be made (not sure that's possible w/ dd-wrt).
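One way to "implement these restrictions yourself", as an added example that is not DD-WRT's own code and not from any post in this thread: a hand-rolled rule that matches the child's MAC and a time window, inserted at position 1 of FORWARD so it is evaluated before the RELATED,ESTABLISHED accept. A DROP there does not care about conntrack state, so a session opened before the window also dies when the window starts, without any connection flushing. It assumes the build ships the mac and time match modules (check with `iptables -m mac --help` and `iptables -m time --help`), that the WAN interface is vlan2 as in the dumps in this thread, and that the MAC, times and the helper names are placeholders. Only the outbound half of the session is dropped (the MAC match sees the client's frames), which is enough to kill it.

```shell
#!/bin/sh
# Added example (not DD-WRT code): time-of-day + MAC restriction placed at the
# head of FORWARD, ahead of the RELATED,ESTABLISHED accept.
# Assumptions: xt_mac and xt_time are available, WAN is vlan2, MAC is a placeholder.

WAN_IF="${WAN_IF:-vlan2}"
KID_MAC="${KID_MAC:-00:11:22:33:44:55}"   # placeholder, replace with the real MAC
START="${START:-21:00}"
STOP="${STOP:-07:00}"                      # STOP earlier than START wraps past midnight:
                                           # matches 21:00-23:59 and 00:00-07:00
TZ_OPT="${TZ_OPT:-}"                       # set to --kerneltz on builds whose xt_time
                                           # defaults to UTC and supports that flag (assumed)

# Refuse malformed input: a typo here silently produces a rule that never matches.
valid_mac()  { printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
valid_hhmm() { printf '%s' "$1" | grep -Eq '^([01][0-9]|2[0-3]):[0-5][0-9]$'; }

# Hypothetical helper: print the rule specification (everything after the
# iptables verb) so the same text serves -I, -D and inspection.
restriction_spec() {
    valid_mac "$KID_MAC" || { echo "bad MAC: $KID_MAC" >&2; return 1; }
    valid_hhmm "$START" && valid_hhmm "$STOP" || { echo "bad time window" >&2; return 1; }
    printf 'FORWARD -o %s -m mac --mac-source %s -m time --timestart %s --timestop %s %s-j DROP\n' \
        "$WAN_IF" "$KID_MAC" "$START" "$STOP" "${TZ_OPT:+$TZ_OPT }"
}

# Install idempotently: remove any earlier copy, then insert at position 1 of
# FORWARD (the default for -I). Put a call to this in the firewall script.
apply_restriction() {
    spec=$(restriction_spec) || return 1
    # shellcheck disable=SC2086   # word splitting of $spec is intended
    iptables -D $spec 2>/dev/null || true
    # shellcheck disable=SC2086
    iptables -I $spec
}

# Only touch the live firewall when explicitly asked, so the file is safe to source.
if [ "${APPLY:-0}" = 1 ]; then
    apply_restriction
fi
```

Run it with `APPLY=1 KID_MAC=<real mac> sh restrict.sh` on the router; without `APPLY=1` it only defines the functions, so you can source it and inspect `restriction_spec` first. Verify placement afterwards with `iptables -vnL FORWARD --line-numbers`: the DROP must be rule 1.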
JoeyG1973 (DD-WRT Novice; joined 12 Jun 2012; 18 posts)
Posted: Thu Jan 01, 2015 1:36
So how do I change the iptables so that access restrictions come first for ESTABLISHED connections? I have no problem bypassing the GUI and editing the iptables conf file. I just don't want to have to go and learn iptables nomenclature. I have been avoiding it for years actually.
eibgrad (DD-WRT Guru; joined 18 Sep 2010; 8034 posts)
Posted: Thu Jan 01, 2015 2:11
The quick and dirty answer would be to place the lan2wan rule before the ESTABLISHED rule. At least looking at my dump of iptables, that would appear to be harmless. But it would be prudent to see YOUR dump of iptables to be sure. You just never know if there might be a difference and we could break something.

iptables -vnL FORWARD

It could literally be as simple as adding the following rules to the firewall script:

iptables -D FORWARD -j lan2wan
iptables -I FORWARD -j lan2wan
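A way to look at "YOUR dump" before and after adding those two rules, as an added example that is not part of the original post: two small awk filters that read `iptables -vnL` output. The first reports whether the jump to lan2wan precedes the RELATED,ESTABLISHED accept; the second counts the rules inside the lan2wan chain, because if that chain is empty the jump simply returns and reordering it changes nothing. The sample dumps embedded below are constructed (abbreviated from the shape of the dumps in this thread), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check FORWARD ordering and the
# lan2wan chain from `iptables -vnL` output. Sample dumps below are constructed.

# Exit 0: lan2wan is jumped to before the RELATED,ESTABLISHED accept, so
#         Access Restrictions are evaluated for existing connections too.
# Exit 1: lan2wan comes after it (the stock DD-WRT order).
# Exit 2: no jump to lan2wan in FORWARD at all (nothing for the reorder to move).
# Usage on the router:  iptables -vnL FORWARD | lan2wan_first
lan2wan_first() {
    awk '
        /^Chain /        { next }   # chain header
        /^ *pkts +bytes/ { next }   # column header
        NF == 0          { next }
        $3 == "lan2wan" && !lan                         { lan = NR }
        $3 == "ACCEPT" && /RELATED,ESTABLISHED/ && !est { est = NR }
        END {
            if (!lan)             { print "no jump to lan2wan in FORWARD"; exit 2 }
            if (est && est < lan) { print "lan2wan is AFTER the RELATED,ESTABLISHED accept"; exit 1 }
            print "lan2wan is evaluated before RELATED,ESTABLISHED"; exit 0
        }
    '
}

# Count the rules inside chain lan2wan of a full `iptables -vnL` dump.
# Usage on the router:  iptables -vnL | lan2wan_rule_count
lan2wan_rule_count() {
    awk '
        /^Chain lan2wan/ { in_chain = 1; next }
        /^Chain /        { in_chain = 0 }
        in_chain && /^ *pkts +bytes/ { next }
        in_chain && NF > 0           { n++ }
        END { print n + 0 }
    '
}

# Constructed sample: the stock order (ESTABLISHED accept first).
BEFORE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  31M   28G ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 473K   43M lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
16008  797K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample: after `iptables -D FORWARD -j lan2wan; iptables -I FORWARD -j lan2wan`.
AFTER='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
30440   24M lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
28685   24M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample: a full dump whose lan2wan chain holds one rule.
FULL='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 grp_1      0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain grp_1 (1 references)
 pkts bytes target     prot opt in     out     source               destination'

# Hypothetical driver so the file can be run directly against the samples.
check_samples() {
    printf '%s\n' "$BEFORE" | lan2wan_first || true
    printf '%s\n' "$AFTER"  | lan2wan_first || true
    printf 'rules in lan2wan: %s\n' "$(printf '%s\n' "$FULL" | lan2wan_rule_count)"
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then
    check_samples
fi
```

On the router, pipe the live dumps in instead of the samples. If `lan2wan_first` reports exit 1, the two -D/-I lines above will fix the order; if `lan2wan_rule_count` prints 0, the Access Restrictions policy itself is not producing rules and reordering will not help.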
tatsuya46 (DD-WRT Guru; joined 03 Jan 2010; 7052 posts; Location: YWG, Canada)
Posted: Thu Jan 01, 2015 5:38
I think the results of this thread should be posted into a ticket. Access restrictions shouldn't work that way; in a worst-case scenario, it should become active when the connection tries to renew after the maximum alive time is reached.
JoeyG1973 (DD-WRT Novice; joined 12 Jun 2012; 18 posts)
Posted: Fri Jan 02, 2015 1:11
Here is a dump of my FORWARD table.

Code:
root@DD-WRT:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  532 49509 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.40        tcp dpt:25396
2538K 2671M ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.40        udp dpt:25396
    7   371 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.140       tcp dpt:8742
  782 81231 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.140       udp dpt:8742
    7   334 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.118       tcp dpt:14731
  197 33877 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.118       udp dpt:14731
  749  273K ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.149       udp dpt:3074
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.140       tcp dpt:2311
    1    39 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.140       udp dpt:2311
    0     0 ACCEPT     47   --  *      vlan2   192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
  31M   28G ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 473K   43M lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
 210K   12M TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    5   645 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0
    4   195 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
 443K   41M trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0
 427K   40M ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
16008  797K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
JoeyG1973 (DD-WRT Novice; joined 12 Jun 2012; 18 posts)
Posted: Fri Jan 02, 2015 2:07
So I went and put in the rules you suggested...

iptables -D FORWARD -j lan2wan
iptables -I FORWARD -j lan2wan

Worked like a charm.

Now all I need to do is figure out how to make it permanent in the nvram. Little help?
eibgrad (DD-WRT Guru; joined 18 Sep 2010; 8034 posts)
Posted: Fri Jan 02, 2015 2:31
Add them to the firewall script (see Administration->Commands, add the rules to the input field, hit Save Firewall).
JoeyG1973 (DD-WRT Novice; joined 12 Jun 2012; 18 posts)
Posted: Fri Jan 02, 2015 16:06
Ok that did it. Now where can I put in a ticket so that this gets fixed for good?
Jarkko (DD-WRT Novice; joined 10 Nov 2009; 15 posts; Location: Rovaniemi, Finland)
Posted: Fri Jan 09, 2015 7:42
Encountered the same problem; for example WoT (son plays it, surprise...) stays connected if the connection is established before restrictions are enabled.

Fixed (or at least all restricted-range IPs dropped all established connections) and always-permitted clients are still able to connect, with the points given above, thanks. Running WHR-600D with 23392 (Buffalo DD-WRT).

edit: iptables as of now

Code:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
30440   24M lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     47   --  *      vlan2   192.168.11.0/24      0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.11.0/24      0.0.0.0/0           tcp dpt:1723
28685   24M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  335 16464 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 TRIGGER    0    --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
  349 17304 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
  349 17304 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           
][No_WaY (DD-WRT Novice; joined 24 Dec 2012; 40 posts)
Posted: Sat Apr 25, 2015 1:49
Hello,
I went through this topic.
I have an EAP3660 with build 1877,
and I made 3 SSIDs and separated them, so I want to restrict addresses on br1 with IP 192.168.2.x
based on IP range and deny access for a specific time.
I followed your advice but it does not solve the problem.
My firewall iptables:
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport https -j REJECT --reject-with tcp-reset
iptables -t nat -I PREROUTING -i br1 -s 192.168.2.1/24 -p udp --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -I PREROUTING -i br1 -s 192.168.2.1/24 -p tcp --dport 53 -j DNAT --to 208.67.222.222
iptables -D FORWARD -j lan2wan
iptables -I FORWARD -j lan2wan
insmod xt_mark
insmod xt_mac
insmod imq
insmod ipt_IMQ
tc qdisc del dev br2 root
tc qdisc add dev br2 root handle 1: htb
tc class add dev br2 parent 1: classid 1:1 htb rate 2048kbit
tc qdisc add dev br2 parent 1:1 handle 10: sfq perturb 10
tc filter add dev br2 parent 1:0 prio 5 protocol ip u32 match ip dst 192.168.3.0/24 flowid 1:1
ip link set imq0 up
tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 1: htb
tc class add dev imq0 parent 1: classid 1:1 htb rate 512kbit
tc qdisc add dev imq0 parent 1:1 handle 10: sfq perturb 10
tc filter add dev imq0 parent 1:0 prio 5 protocol ip u32 match ip src 192.168.3.0/24 flowid 1:1
iptables -t mangle -I PREROUTING -i br1 -j IMQ --todev 0
ip link set imq0 up

and iptables -vnL:
Code:
Chain INPUT (policy ACCEPT 42637 packets, 2827K bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 reject-with tcp-reset
0 0 REJECT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 reject-with tcp-reset
0 0 REJECT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with tcp-reset
0 0 REJECT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with tcp-reset
0 0 REJECT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 reject-with tcp-reset
0 0 REJECT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 reject-with tcp-reset
0 0 REJECT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 reject-with tcp-reset
0 0 REJECT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 reject-with tcp-reset
Chain FORWARD (policy ACCEPT 15722 packets, 6752K bytes)
pkts bytes target prot opt in out source destination
15722 6752K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP 0 -- br2 * 0.0.0.0/0 192.168.1.0/24 state NEW
0 0 DROP 0 -- br1 * 0.0.0.0/0 192.168.1.0/24 state NEW
Chain OUTPUT (policy ACCEPT 13480 packets, 4202K bytes)
pkts bytes target prot opt in out source destination
Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination
Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logbrute (0 references)
pkts bytes target prot opt in out source destination
0 0 0 -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: BRUTEFORCE side: source
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 !recent: UPDATE seconds: 60 hit_count: 4 name: BRUTEFORCE side: source
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 1
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain trigger_out (0 references)
pkts bytes target prot opt in out source destination

So can you help me fix it?

With greetings
][No_WaY (DD-WRT Novice; joined 24 Dec 2012; 40 posts)
Posted: Sun May 03, 2015 22:55
Can anybody help?