iptables with ethernet ?

DD-WRT Forum Index -> Advanced Networking
Author Message
nickj
DD-WRT Novice


Joined: 06 May 2015
Posts: 13

Posted: Wed May 06, 2015 5:25    Post subject: iptables with ethernet ?
Hi all,

I have a DD-WRT router in a home LAN, with both Ethernet and WiFi connecting to it.

When I issue an iptables command to block connections to a specific IP address, it seems to work for the WiFi clients, but not for ethernet clients.

For example, I have a laptop on 192.168.0.26, and a desktop on 192.168.0.2, and initially both can "ping 216.223.155.120" successfully.

Then on the DD-WRT router I issue these two commands :

iptables -I FORWARD --source 192.168.0.26 --destination 216.223.155.120 -j REJECT
iptables -I FORWARD --source 192.168.0.2 --destination 216.223.155.120 -j REJECT

After doing that, the laptop can no longer ping successfully (as expected), but the desktop still can (which is not as expected).

Why do the commands seem to have no effect on the desktop? And how can I make the commands work for the desktop?

Network diagram is as follows:

Code:

 [desktop on  ]    [laptop on   ]
 [192.168.0.2 ]    [192.168.0.26]
          |            |
 Ethernet |            | WiFi
          |            |
     [ DD-wrt on 192.168.0.3 ]
               |
               | Ethernet
               |
      [ modem on 192.168.0.1 ]               
               |
               | ADSL
               |
         [ Internet ]
               |
               |
               |
  [ testx.com on 216.223.155.120 ]


Versions: DD-WRT version is 26653 (very recent beta), and the router is a D-link DIR-632.

-- All the best,
Nick.
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Wed May 06, 2015 6:32    Post subject:
Try to add interface eg. br0

Code:
# --reject-with tcp-reset is only accepted together with -p tcp
iptables -t filter -I FORWARD -i br0 -p tcp -s 192.168.0.2/32 -d 216.223.155.120/32 -j REJECT --reject-with tcp-reset
nickj
DD-WRT Novice


Joined: 06 May 2015
Posts: 13

Posted: Wed May 06, 2015 9:56    Post subject:
Mile-Lile wrote:
Try to add interface eg. br0


I didn't have any luck - tried with br0, ath0, eth0 and eth1 interfaces - but in all cases I could still connect to that ip address - e.g. "telnet 216.223.155.120 80" on the desktop would still connect and return output from the web server. But thank you for the suggestion.
nickj
DD-WRT Novice


Joined: 06 May 2015
Posts: 13

Posted: Thu May 07, 2015 2:48    Post subject:
I've just updated to this beta from yesterday: "Release: 05/06/15 (SVN revision: 26839)", but the problem persists unfortunately (i.e. from the desktop can still successfully ping and telnet on port 80 to the internet address).

It feels almost like Ethernet is using a hardware-only switch so iptables commands do nothing, whereas for WiFi clients it has a software layer too so the iptables commands do something.
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Thu May 07, 2015 6:55    Post subject:
You are right. Then, you should probably use ebtables because they work at layer 2...
see this http://www.dd-wrt.com/phpBB2/viewtopic.php?t=5422&sid=70dfa25dc385ecaccefc6bcd946b45df
it may help...
nickj
DD-WRT Novice


Joined: 06 May 2015
Posts: 13

Posted: Thu May 07, 2015 7:23    Post subject:
Mile-Lile wrote:
You are right. Then, you should probably use ebtables because they work at layer 2...


Sounds good, and thank you for the pointer! So I did the following:

Code:

insmod ebtables
insmod ebtable_filter
insmod ebt_ip
lsmod
ebtables -I FORWARD -p IPv4 --ip-source 192.168.0.2/32 --ip-destination 216.223.155.120/32 -j DROP


... and now from the desktop I can no longer ping or telnet port 80 to that internet address. Yet it works great from the DD-wrt unit, as expected.
Yay! Success! Thank you!
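The same ebtables block, written up as an added example (this is not the thread's own command sequence): it validates the addresses before they are spliced into a rule, installs the L2 rule that catches frames bridged through br0, offers the companion iptables rule for clients that really do route through the box, and prints the counters you would check to confirm which layer the traffic is hitting. The function names and the DRY_RUN variable are this script's own conventions; ebtables has no REJECT target, so a blocked client sees timeouts rather than a reset.

```shell
#!/bin/sh
# Added example (not a command sequence from the thread): install the L2 block
# for a LAN client whose Internet traffic is bridged, not routed, through the
# DD-WRT box, with input checking and a dry-run mode. Function names and the
# DRY_RUN variable are this script's own conventions.

# valid_ipv4 ADDR -> exit 0 only for a dotted quad with octets 0-255.
# Addresses end up inside an ebtables/iptables command line, so anything that
# is not a plain address (e.g. "1.2.3.4 -j ACCEPT" from a web form) is refused.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# run CMD ARGS... -> execute, or print the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# load_ebtables -> the modules used in the thread; errors from modules that
# are already loaded are ignored.
load_ebtables() {
    for m in ebtables ebtable_filter ebt_ip; do
        run insmod "$m" 2>/dev/null || true
    done
}

# block_l2 SRC DST -> ebtables FORWARD rule that catches frames bridged
# through br0. ebtables has no REJECT target, so the client just sees timeouts.
block_l2() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "block_l2: bad address" >&2; return 2; }
    run ebtables -I FORWARD -p IPv4 --ip-source "$1/32" --ip-destination "$2/32" -j DROP
}

# block_l3 SRC DST -> companion iptables FORWARD rule for clients that do use
# this box as their gateway (routed traffic). iptables -C keeps it idempotent.
block_l3() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "block_l3: bad address" >&2; return 2; }
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -C FORWARD -s "$1" -d "$2" -j REJECT 2>/dev/null; then
        return 0
    fi
    run iptables -I FORWARD -s "$1" -d "$2" -j REJECT
}

# show_counters -> packet counters on both chains; a rule whose counter stays
# at zero while the client still connects is sitting in the wrong layer.
show_counters() {
    run ebtables -L FORWARD --Lc
    run iptables -L FORWARD -v -n
}

if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    load_ebtables
    block_l2 192.168.0.2 216.223.155.120
    block_l3 192.168.0.2 216.223.155.120
    show_counters
fi
```

Run it with `--demo` to see the commands without touching the box, then as root without DRY_RUN on the router; re-run the telnet test from the client and watch the ebtables counter move.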
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sat May 16, 2015 13:09    Post subject:
Traffic LAN->WAN will be routed and iptables should work.
An explanation can be that "--source 192.168.0.2" does not work because the source address is already changed by NAT.
nickj
DD-WRT Novice


Joined: 06 May 2015
Posts: 13

Posted: Mon May 18, 2015 0:45    Post subject:
As far as I'm aware, NAT is not enabled, and it's LAN -> WAN traffic, but the iptables command seems to have no effect.

The reason I say that NAT is not enabled is that according to this page: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=78029 , NAT can be turned off by going to the WebGUI and then "Setup > Advanced Routing change the Operating Mode from Gateway to Router". And that is how it is set (i.e. already in Router operating mode).

I'm sure the modem is doing NAT, but the DD-WRT sits just before the modem, and the modem is the LAN's gateway. So to get to that Internet IP address, any traffic from the desktop goes directly to the DD-WRT unit (via ethernet), then directly to the modem (also via ethernet), then it leaves the LAN via ADSL, and goes off into the Internet.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Mon May 18, 2015 4:45    Post subject:
What is the WAN address of the dd-wrt Router?
I presume it's connected with its WAN port to the Modem.
nickj
DD-WRT Novice


Joined: 06 May 2015
Posts: 13

Posted: Mon May 18, 2015 5:20    Post subject:
No, under the webgui -> Setup -> Basic setup -> "Assign WAN Port to Switch" is ticked.

My understanding then was that the dd-wrt unit only has a LAN address, with anything for the WAN going via the gateway, i.e. the modem.

So the IP addresses and physical ethernet connections are as follows:
Desktop is on 192.168.0.2 <--> dd-wrt router is on 192.168.0.3 <--> modem is on 192.168.0.1

If it helps, the interfaces and routes on the dd-wrt router are as follows:

Code:
root@DD-WRT:~# ifconfig
ath0      Link encap:Ethernet  HWaddr B8:A3:86:4E:71:DC 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2858250 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4161427 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:262922403 (250.7 MiB)  TX bytes:951549304 (907.4 MiB)

br0       Link encap:Ethernet  HWaddr B8:A3:86:4E:71:DC 
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1171857 errors:0 dropped:4123 overruns:0 frame:0
          TX packets:5956194 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:88939387 (84.8 MiB)  TX bytes:8831940227 (8.2 GiB)

br0:0     Link encap:Ethernet  HWaddr B8:A3:86:4E:71:DC 
          inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr B8:A3:86:4E:71:DC 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5069340 errors:0 dropped:12 overruns:0 frame:0
          TX packets:8687013 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:867870852 (827.6 MiB)  TX bytes:517920911 (493.9 MiB)

eth1      Link encap:Ethernet  HWaddr B8:A3:86:4E:71:DD 
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:90242 errors:0 dropped:0 overruns:0 frame:0
          TX packets:81716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:95189031 (90.7 MiB)  TX bytes:12560574 (11.9 MiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:238 errors:0 dropped:0 overruns:0 frame:0
          TX packets:238 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:97251 (94.9 KiB)  TX bytes:97251 (94.9 KiB)

root@DD-WRT:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Mon May 18, 2015 17:06    Post subject:
In that configuration, it's the modem that is doing the routing. You have to put the iptables filter on the modem.
nickj
DD-WRT Novice


Joined: 06 May 2015
Posts: 13

Posted: Wed May 20, 2015 4:16    Post subject:
Ah, okay, thank you. My modem isn't modern enough or smart enough to allow proper iptables, or even a command prompt. Hence why I'm trying to put any function that requires smarts into the dd-wrt unit and have the modem just provide an ethernet connection to the Internet.

So it sounds like dd-wrt can do iptables rules for direct WiFi connections, or for ethernet packets that are exiting or entering a network via that dd-wrt unit, but it can't do iptables on ethernet packets travelling through it acting as a LAN switch.

What I'm hoping is that in the future nftables, which is supposed to unify ebtables and iptables and others, will be added in dd-wrt, and will be able to know whether to use ebtables or iptables in this situation (it certainly wasn't obvious beforehand to me), and will automatically do the right thing. That would make life simpler, I think, and fingers-crossed that happens in the years ahead.
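The "which table sees this flow" question from the thread, as an added example that is not part of any post: a small script that reads the box's own `route -n` output (a copy of the table posted above, plus a hypothetical table for the bridge-mode setup suggested later, with an assumed WAN interface name vlan2 and an assumed public block 203.0.113.0/24) and tells you whether a client's Internet traffic is routed by the box (iptables FORWARD applies) or only bridged through it (ebtables FORWARD applies). Bridged IPv4 additionally passes through iptables only when the kernel's bridge-nf-call-iptables sysctl is 1; the script reads that file, and whether this DD-WRT build exposes it is not confirmed by the thread. The function names are the script's own; CLIENT_GW is assumed to be on the LAN subnet.

```shell
#!/bin/sh
# Added example (not from the thread): decide, from the box's route table and
# the client's gateway, whether a LAN client's Internet packets are routed by
# this DD-WRT box (iptables FORWARD sees them) or only bridged through it
# (ebtables FORWARD sees them; iptables FORWARD only when the kernel sysctl
# net.bridge.bridge-nf-call-iptables is 1). Function names are this script's own.

# Constructed copy of the `route -n` output posted in the thread.
ROUTES_ONE_ARMED='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0'

# Hypothetical table for the same box once the modem is in bridge mode and the
# WAN port (assumed name vlan2, assumed public block 203.0.113.0/24) is routed.
ROUTES_WAN_PORT='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan2'

# default_iface ROUTES -> interface of the 0.0.0.0/0 route.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# subnet_iface ROUTES NET -> interface holding the directly connected NET.
subnet_iface() {
    printf '%s\n' "$1" | awk -v net="$2" '$1 == net && $2 == "0.0.0.0" { print $NF; exit }'
}

# one_armed ROUTES LAN_NET -> 0 when the default route leaves through the same
# interface that holds the LAN: the box has no separate uplink, so a client
# that points at another gateway reaches the modem by L2 and is never routed here.
one_armed() {
    d=$(default_iface "$1"); l=$(subnet_iface "$1" "$2")
    [ -n "$d" ] && [ "$d" = "$l" ]
}

# classify_flow CLIENT_GW ROUTER_IP -> routed | bridged
#   routed  : the client's frames carry this box's MAC; the kernel routes them
#   bridged : the frames carry another LAN host's MAC (the modem's, in the
#             thread) and cross the box, if at all, as bridged/switched frames
classify_flow() {
    if [ "$1" = "$2" ]; then echo routed; else echo bridged; fi
}

# bridge_calls_iptables [FILE] -> 0 if bridged IPv4 also traverses iptables.
# The path is a parameter so a test can point it at a scratch file.
bridge_calls_iptables() {
    f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# filter_layer CLIENT_GW ROUTER_IP [SYSCTL_FILE] -> which FORWARD chain(s) see it.
filter_layer() {
    case "$(classify_flow "$1" "$2")" in
        routed)  echo "iptables FORWARD" ;;
        bridged) if bridge_calls_iptables "$3"; then
                     echo "ebtables FORWARD, iptables FORWARD"
                 else
                     echo "ebtables FORWARD"
                 fi ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    one_armed "$ROUTES_ONE_ARMED" 192.168.0.0 &&
        echo "one-armed: default route and LAN share $(default_iface "$ROUTES_ONE_ARMED")"
    filter_layer 192.168.0.1 192.168.0.3   # thread: desktop's gateway is the modem
    filter_layer 192.168.0.3 192.168.0.3   # a client that uses the box as gateway
fi
```

On the router, feed it the live table with `filter_layer "$(route -n)" ...`-style calls or just `one_armed "$(route -n)" 192.168.0.0`; if that succeeds and the client's gateway is the modem, iptables FORWARD will never match and ebtables is the right tool, exactly the situation the thread ended in.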
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Wed May 20, 2015 4:32    Post subject:
Set your modem in Bridge Mode, so the public ip will be in your dd-wrt's wan port.