[SOLVED] iptables Doesn't Appear to Work

DD-WRT Forum Index -> Advanced Networking
DaveKenroy
DD-WRT Novice


Joined: 04 Jul 2017
Posts: 11

PostPosted: Tue Jul 04, 2017 3:56    Post subject: [SOLVED] iptables Doesn't Appear to Work
Hello,

I'm fairly new to firewalls in general, but I've done a fair bit of research on rules. I'm trying to block anything using ports 6783-6785 (Splashtop) going anywhere on my router. I have tried all of the following:

Code:
iptables -I FORWARD 1 -p tcp --dport 6783:6785 -j DROP
iptables -I INPUT 1 -p tcp --dport 6783:6785 -j DROP
iptables -I OUTPUT 1 -p tcp --dport 6783:6785 -j DROP
iptables -I FORWARD 1 -p tcp --sport 6783:6785 -j DROP
iptables -I INPUT 1 -p tcp --sport 6783:6785 -j DROP
iptables -I OUTPUT 1 -p tcp --sport 6783:6785 -j DROP


I have even tested removing all firewall rules and just having the drop rule as number 1 in all chains, but none of them drop the packets. As a further test, I tried to add a rule to block one of my IPs with:

Code:
iptables -I FORWARD 1 -d 192.168.1.10 -j DROP
iptables -I FORWARD 1 -s 192.168.1.10 -j DROP


and the IP continues to send and receive packets. Here are my current rules:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     4970  503K logaccept  0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
2        0     0 logaccept  udp  --  vlan2  any     anywhere             anywhere            udp spt:bootps dpt:bootpc
3        0     0 logdrop    udp  --  vlan2  any     anywhere             anywhere            udp dpt:route
4        0     0 logdrop    udp  --  br0    any     anywhere             anywhere            udp dpt:route
5        0     0 logaccept  udp  --  any    any     anywhere             anywhere            udp dpt:route
6        0     0 logdrop    icmp --  vlan2  any     anywhere             anywhere           
7        0     0 logdrop    igmp --  any    any     anywhere             anywhere           
8        0     0 ACCEPT     0    --  lo     any     anywhere             anywhere            state NEW
9     1109 71402 logaccept  0    --  br0    any     anywhere             anywhere            state NEW
10     262 21252 logdrop    0    --  any    any     anywhere             anywhere           
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpts:6783:6785
2     934K 1039M logaccept  0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
3     1491  193K lan2wan    0    --  any    any     anywhere             anywhere           
4        0     0 logaccept  0    --  br0    br0     anywhere             anywhere           
5        0     0 logdrop    tcp  --  any    vlan2   anywhere             anywhere            tcp dpt:1723
6        0     0 logdrop    udp  --  any    vlan2   anywhere             anywhere            udp dpt:1701
7        0     0 logdrop    udp  --  any    vlan2   anywhere             anywhere            udp dpt:500
8        0     0 TRIGGER    0    --  vlan2  br0     anywhere             anywhere            TRIGGER type:in match:0 relate:0
9     1491  193K trigger_out  0    --  br0    any     anywhere             anywhere           
10    1453  191K logaccept  0    --  br0    any     anywhere             anywhere            state NEW
11      38  1964 logdrop    0    --  any    any     anywhere             anywhere           
Chain OUTPUT (policy ACCEPT 7180 packets, 3252K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_1 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_10 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_2 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_3 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_4 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_5 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_6 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_7 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_8 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_9 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain grp_1 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain grp_10 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain grp_2 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain grp_3 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain grp_4 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain grp_5 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain grp_6 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain grp_7 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain grp_8 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain grp_9 (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain lan2wan (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
Chain logaccept (7 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     942K 1040M ACCEPT     0    --  any    any     anywhere             anywhere           
Chain logbrute (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0            0    --  any    any     anywhere             anywhere            recent: SET name: BRUTEFORCE side: source
2        0     0 RETURN     0    --  any    any     anywhere             anywhere            !recent: UPDATE seconds: 60 hit_count: 4 name: BRUTEFORCE side: source
3        0     0 RETURN     0    --  any    any     anywhere             anywhere            limit: avg 1/min burst 1
4        0     0 logdrop    0    --  any    any     anywhere             anywhere           
Chain logdrop (10 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      300 23216 DROP       0    --  any    any     anywhere             anywhere           
Chain logreject (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
Chain trigger_out (1 references)
num   pkts bytes target     prot opt in     out     source               destination         


Any help would be appreciated.


Last edited by DaveKenroy on Wed Jul 05, 2017 16:29; edited 1 time in total
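A check worth making before rewriting any rule, added here as an example and not part of the original post: read the packet counters of the chain you inserted into. In the FORWARD listing above, rule 1 (the DROP for 6783:6785) and rule 4 (in br0, out br0) have never matched, while rule 2 (RELATED,ESTABLISHED) has seen 934K packets. The chain itself is working; if the traffic being watched stays between hosts on the same LAN bridge, it simply never passes through it. The script below parses a saved `iptables -L FORWARD -vn --line-numbers` dump (the embedded sample is constructed from the first four rules of that listing) and reports which rules are idle and which one is busiest; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: read a saved "iptables -L CHAIN -vn --line-numbers"
# dump and report per-rule packet counters, the quickest way to tell whether a rule is
# ever consulted. Counts expand iptables' K/M/G abbreviations (on a live box use -x,
# i.e. --exact, and the expansion is not needed).

# Constructed sample: the FORWARD chain as posted in the thread (first four rules).
FORWARD_DUMP='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpts:6783:6785
2     934K 1039M logaccept  0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
3     1491  193K lan2wan    0    --  any    any     anywhere             anywhere
4        0     0 logaccept  0    --  br0    br0     anywhere             anywhere'

# expand_count COUNT: 934K -> 934000, 1039M -> 1039000000; plain numbers pass through.
expand_count() {
    case "$1" in
        *K) printf '%s\n' "$(( ${1%K} * 1000 ))" ;;
        *M) printf '%s\n' "$(( ${1%M} * 1000000 ))" ;;
        *G) printf '%s\n' "$(( ${1%G} * 1000000000 ))" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# rule_pkts NUM (dump on stdin): packet counter of rule NUM, or "missing" if absent.
rule_pkts() {
    p=$(awk -v n="$1" '$1 == n { print $2; exit }')
    if [ -z "$p" ]; then echo missing; else expand_count "$p"; fi
}

# idle_rules (dump on stdin): numbers of the rules that have never matched a packet.
# The two header lines are skipped; field 2 is the pkts column.
idle_rules() {
    awk 'NR > 2 && $2 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# busiest_rule (dump on stdin): "NUM TARGET" of the rule with the highest packet count.
busiest_rule() {
    awk 'NR > 2 { print $1, $2, $4 }' | while read -r num pkts target; do
        printf '%s %s %s\n' "$(expand_count "$pkts")" "$num" "$target"
    done | sort -rn | sed -n 1p | cut -d' ' -f2-
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$FORWARD_DUMP" | idle_rules      # rules 1 and 4 never matched
    printf '%s\n' "$FORWARD_DUMP" | busiest_rule    # rule 2, logaccept
fi
```

On the router the sequence is: `iptables -Z FORWARD` to zero the counters, reproduce the traffic you want blocked, then pipe `iptables -L FORWARD -vnx --line-numbers` into `idle_rules`. If your DROP rule stays idle while the RELATED,ESTABLISHED rule keeps counting, the packets you are looking at are not being routed through the chain at all.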
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4294
Location: UK, London, just across the river..

PostPosted: Tue Jul 04, 2017 7:35    Post subject:
First, if you need help, start with the router model and build you're running...

Make sure your syntax is correct.

I've never seen a blocking rule for multiple ports or a range,
so I suggest you be more specific and add one rule per blocked port.
DD-WRT uses an adapted iptables where some commands are stripped in order to keep the flash size small; of course you can always install full iptables via USB, but personally I've never gone that far...

Here are my rules for comparison, and they do work with this syntax...

iptables -I FORWARD -p tcp --dport 137 -j DROP

Also, do keep in mind that iptables works only WAN to LAN or the opposite; it does not restrict LAN-to-LAN connections.

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 46446 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 46446 BS AP,NAT,AP Isolation,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 46446 BS AP,NAT,AD/Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 46604 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 46604 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,VLAN's,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
DaveKenroy
DD-WRT Novice


Joined: 04 Jul 2017
Posts: 11

PostPosted: Tue Jul 04, 2017 18:43    Post subject:
Thanks for the reply. My router is the Asus RT-N66U and the build is 27745.

My ultimate goal was to prevent those ports from accessing the WAN, but being new to this, I couldn't see any results as I was basing the results off internal connections. I see now that iptables was blocking the ports, but only to/from WAN as you said.

Like I said earlier, I was expecting it to filter all packets going through the router. Before I mark this as solved, just out of curiosity: will iptables filter if the data packets are going to different VLANs, or does iptables simply not filter any internal network no matter the VLAN?

Thanks again for your help.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6056
Location: Romerike, Norway

PostPosted: Tue Jul 04, 2017 19:16    Post subject:
Yes, it will filter packets that are routed from one vlan to another.
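Putting the thread's conclusion into a firewall script, as an added example that is not code from the thread or from DD-WRT: the router filters only what it routes (LAN to WAN, WAN to LAN, or between VLANs), so pin each rule to a routed path with -i/-o instead of leaving both interfaces as "any". INPUT and OUTPUT only cover traffic to and from the router itself. The interface names br0 (LAN bridge) and vlan2 (WAN) are taken from the listing earlier in the thread and are assumptions for other hardware; the function names are mine, and the script assumes the build's iptables supports the -C (check) option. On syntax: `--dport 6783:6785` is the standard iptables form for a port range and the listing above shows the build accepted it (`tcp dpts:6783:6785`), so one rule per range is fine and one rule per port is merely a fallback. Frames between two hosts on the same bridge segment are switched rather than routed and reach iptables only when the kernel's bridge-netfilter hook is enabled; the last function reports that setting.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: block the Splashtop port range on
# the paths this router actually routes. Assumed names: br0 = LAN bridge, vlan2 = WAN
# (both taken from the listing in the thread); override with LAN_IF/WAN_IF.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan2}"
PORTS="${PORTS:-6783:6785}"   # LOW:HIGH is standard iptables range syntax

# splashtop_rules: one "CHAIN rule-spec" per line. -i/-o pin each rule to a routed
# path; the INPUT rule covers only traffic addressed to the router itself.
splashtop_rules() {
    # LAN host opening a session towards the internet
    printf 'FORWARD -i %s -o %s -p tcp --dport %s -j DROP\n' "$LAN_IF" "$WAN_IF" "$PORTS"
    # internet reaching a LAN host on those ports (e.g. through a port forward)
    printf 'FORWARD -i %s -o %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$LAN_IF" "$PORTS"
    # internet reaching the router itself on those ports
    printf 'INPUT -i %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$PORTS"
}

# apply_rules: insert each rule at position 1 (ahead of the RELATED,ESTABLISHED accept)
# unless an identical rule already exists, so re-running on WAN-up does not stack copies.
apply_rules() {
    splashtop_rules | while read -r chain spec; do
        # $spec is deliberately unquoted so it splits into separate arguments
        $IPT -C "$chain" $spec 2>/dev/null || $IPT -I "$chain" 1 $spec
    done
}

# preview_ipt: stand-in for iptables (IPT=preview_ipt) that reports every rule as
# absent and prints the insert command instead of running it.
preview_ipt() {
    [ "$1" = "-C" ] && return 1
    echo "iptables $*"
}

# bridge_nf_state [FILE]: whether frames switched inside the LAN bridge are handed to
# iptables at all. When they are not, LAN-to-LAN traffic never reaches FORWARD, which
# is consistent with the "br0 br0" rule in the thread's listing counting 0 packets.
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ ! -r "$f" ]; then
        echo "unknown (bridge netfilter not available)"
        return 0
    fi
    case "$(cat "$f")" in
        1) echo "bridged frames traverse iptables (match with -i $LAN_IF -o $LAN_IF)" ;;
        *) echo "bridged frames bypass iptables (use ebtables, if the build has it)" ;;
    esac
}

case "${1:-}" in
    preview) IPT=preview_ipt; apply_rules; bridge_nf_state ;;
    apply)   apply_rules ;;
esac
```

Run it as `sh block.sh preview` to see the three insert commands without touching the firewall; for DD-WRT's Administration -> Commands "Save Firewall" box, paste the functions and end the script with a bare `apply_rules`, since that script is re-run on every WAN up and the -C check keeps it idempotent.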