iptables iprange challenges

mb_ApsFhP5ikFr2F
DD-WRT Novice


Joined: 11 Oct 2018
Posts: 5

Posted: Tue Jan 29, 2019 14:21    Post subject: iptables iprange challenges
Hello there,

I'm experimenting with some advanced setup that would include specific iptables rules that allow a specific source ip range to access a specific target ip range in a multiport setup.

That may sound difficult to read, so here's an example:
Code:
iptables -I test -m iprange --src-range 192.168.5.2-192.168.5.10 -p udp -m multiport --dports 67:68 -m iprange --dst-range 192.168.3.4-192.168.3.8 -j ACCEPT


This is seemingly accepted, but when running an iptables -L test I see no entries:
Code:
# iptables -L test
Chain test (0 references)
target     prot opt source               destination


Using the binary package from Entware (/opt/sbin/iptables in my setup) to add and review these seems to work just fine.

Built-in iptables shows:
Code:
iptables -L test
Chain test (0 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            destination IP range 0.0.0.0-0.0.0.0 udp dpt:dns


Entware iptables shows:

Code:
/opt/sbin/iptables -L test
Chain test (0 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             source IP range 192.168.5.2-192.168.5.10 multiport dports bootps:bootpc destination IP range 192.168.3.4-192.168.3.8


In that sense, my question would be: is it safe to ditch the built-in iptables bin and rely/depend on the one from entware?

This is Kong's build on an ASUS RT-AC88U: Linux blah 4.4.159 #3933 SMP Thu Oct 4 07:42:02 CEST 2018 armv7l DD-WRT

Thanks,
mb
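
An added example, not part of the original post and not DD-WRT or Entware code: a POSIX shell check that reads `iptables -L <chain>` output and reports which of the requested matches a listed rule lacks, run here over the two listings posted above. The function name `audit_rule` and the bootps/bootpc to 67/68 mapping (only the service names that appear in this thread) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: confirm that a rule shown by `iptables -L <chain>` really
# carries the iprange and multiport matches that were requested.

# Listings copied from the post above (built-in binary vs. Entware binary).
BUILTIN_LISTING='Chain test (0 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            destination IP range 0.0.0.0-0.0.0.0 udp dpt:dns'

ENTWARE_LISTING='Chain test (0 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             source IP range 192.168.5.2-192.168.5.10 multiport dports bootps:bootpc destination IP range 192.168.3.4-192.168.3.8'

# audit_rule LISTING SRC_RANGE DST_RANGE DPORTS
# Returns 0 when at least one listed rule carries all three matches.
# Otherwise returns 1 and prints, per rule, the matches it lacks.
audit_rule() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v ports="$4" '
        NR <= 2 || NF == 0 { next }      # chain name, column header, blank lines
        {
            rules++
            line = $0 " "                # trailing space: a range cannot match as a prefix
            gsub(/bootps/, "67", line)   # -L without -n prints service names;
            gsub(/bootpc/, "68", line)   # map the two used in this thread (assumption)
            miss = ""
            if (!index(line, "source IP range " src " "))      miss = miss " src-range"
            if (!index(line, "destination IP range " dst " ")) miss = miss " dst-range"
            if (!index(line, "multiport dports " ports " "))   miss = miss " dports"
            if (miss == "") ok = 1
            else printf "rule %d lacks:%s\n", rules, miss
        }
        END {
            if (!rules) print "no rules listed"
            exit (ok ? 0 : 1)
        }'
}

# Demo with the values from the iptables command in the post.
echo "built-in listing:"
audit_rule "$BUILTIN_LISTING" 192.168.5.2-192.168.5.10 192.168.3.4-192.168.3.8 67:68 || true
echo "Entware listing:"
audit_rule "$ENTWARE_LISTING" 192.168.5.2-192.168.5.10 192.168.3.4-192.168.3.8 67:68 \
    && echo "rule matches the request"
```

On a router, the first argument would be the captured output of the listing command for the chain, so a rule that was accepted but stored with different matches is caught before the chain is referenced.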
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2804
Location: UK, London, just across the river..

Posted: Tue Jan 29, 2019 15:45    Post subject:
Sadly, the DD-WRT built-in iptables is stripped and some variables/commands are missing; for example, I do not have multiport running on all my routers...
If you can get the full version through Entware, stick to it...

Do note: next time you ask questions, tell us the router model and the current build running, as guessing could be too hard for those who want to help you...

_________________
Atheros
TP-Link WR740Nv1 ------DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 -----DD-WRT 41027 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 -----DD-WRT 40890 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 -----Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
Netgear R7800 ---------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,Firewall,Local DNS,Forced DNS,DNSCrypt v2 x2)
Broadcom
Netgear R7000 ---------DD-WRT 40270M Kong (AP,NAT,VLAN,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
------------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3772
Location: Netherlands

Posted: Tue Jan 29, 2019 15:56    Post subject:
I am using it:

Code:
opkg install ip-full


see: https://pkg.entware.net/binaries/armv7/Packages.html

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1136
Location: Indiana

Posted: Tue Jan 29, 2019 17:16    Post subject: Re: iptables iprange challenges
mb_ApsFhP5ikFr2F wrote:

This is Kong's build on an ASUS RT-AC88U: Linux blah 4.4.159 #3933 SMP Thu Oct 4 07:42:02 CEST 2018 armv7l DD-WRT

Thanks,
mb


<Kong> has his own repository.
http://www.desipro.de/ddwrt/Readme.txt
I would switch to it if I knew how to find what I already have installed in my current Entware. I guess I would find out when it wasn't there :roll:
It is my belief that I need to uninstall Entware to switch to <Kong>.

_________________
SUPPORTED DEVICES -- DON'T USE ROUTER DATABASE!
--IMPORTANT UPGRADE INFORMATION--Stubby DoT
Qualcomm-Atheros:
R7800 x2 kongat & BS WDS AP & Sta- R7500V2 kongat WDS STA- WNDR3700v4 BS std WDS STA- Nanostation M2 AirOS- LocoM2 AirOS
Broadcom:
R6200v2 kongac WLAN Repeater Archer C9 v1 OEM WAP
mb_ApsFhP5ikFr2F
DD-WRT Novice


Joined: 11 Oct 2018
Posts: 5

Posted: Tue Jan 29, 2019 17:33    Post subject:
I feel ya ;) After my second attempt I ended up documenting and using a git repo to keep track of my own shit 🤣
mb_ApsFhP5ikFr2F
DD-WRT Novice


Joined: 11 Oct 2018
Posts: 5

Posted: Tue Jan 29, 2019 17:38    Post subject:
egc wrote:
I am using it:
Code:
opkg install ip-full

see: https://pkg.entware.net/binaries/armv7/Packages.html


Cool!
How do firmware updates work out for you?

Frankly I don’t anticipate any madness given iptables is kind of like a client app for the kernel magic - feels weird to say that out “loud”, but here goes :)

Thanks,
mb
mb_ApsFhP5ikFr2F
DD-WRT Novice


Joined: 11 Oct 2018
Posts: 5

Posted: Tue Jan 29, 2019 17:41    Post subject:
Alozaros wrote:
Do note: next time you ask questions, tell us the router model and the current build running, as guessing could be too hard for those who want to help you...


I’ve had a weak attempt at that:
Quote:
This is Kong's build on an ASUS RT-AC88U: Linux blah 4.4.159 #3933 SMP Thu Oct 4 07:42:02 CEST 2018 armv7l DD-WRT


I should’ve made it stand out more, sry!

mb