Alozaros DD-WRT Guru
Joined: 16 Nov 2015 Posts: 6407 Location: UK, London, just across the river..
Posted: Sat May 29, 2021 21:16 Post subject:
at first place, he will screw it on layer 7, probably...browser
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
OpenSource Ghost DD-WRT User
Joined: 14 Feb 2022 Posts: 50
Posted: Fri Apr 22, 2022 21:09 Post subject:
Alozaros wrote:
> SurprisedItWorks wrote:
> > Alozaros wrote:
> > > iptables -I INPUT -j DROP
> > > iptables -A INPUT -p tcp -j ACCEPT
> > > iptables -A INPUT -p udp -j ACCEPT
> >
> > Not sure it's quite that simple. First of all, the INPUT chain is specific to traffic inbound for the router itself. For traffic between client devices and the internet, you need the FORWARD chain.
> > Also the above rules put the tcp/udp rules after the DROP rule, where they have no effect. And every packet destined for the router (like DNS queries, ssh connections, etc.) will be dropped. If you also do a version of this on the FORWARD chain, you'll be killing all traffic to/from the internet and between client devices.
> > Or maybe I'm caffeine deprived. Have I misread something?
>
> nope you are not caffeine deprived...i was ... it was a simple rushed answer from my side..
> in regards to drop rules my mistake, it should've been REJECT
> iptables -I INPUT -j REJECT
> iptables -A INPUT -p tcp -j ACCEPT
> iptables -A INPUT -p udp -j ACCEPT
> i've similar to those running..
> iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
> iptables -A INPUT -i br0 -p tcp --dport 80 -m mac --mac-source xx.xx.xx.xx.xx.xx -j ACCEPT
> and yes cutting all traffic on the INPUT chain will cause troubles unless you know what you are doing...
> good to share the main goal...

So in this case the DROP rule would drop the packet completely every time without trying to match the packet to rules below the DROP rule, while the REJECT rule would reject the packet, but try to match the packet to rules below the REJECT rule?
Does the syntax below look correct for rejecting non-TCP and non-UDP packets (in general) when the policy is set to ACCEPT?
iptables -A FORWARD -i <interface> ! -p 6 -j REJECT
iptables -A FORWARD -o <interface> ! -p 6 -j REJECT
iptables -A FORWARD -i <interface> ! -p 17 -j REJECT
iptables -A FORWARD -o <interface> ! -p 17 -j REJECT
REJECT tends to send a "port unreachable" reply. Is there some way to disable that? In sysctl maybe?
|
Per Yngve Berg DD-WRT Guru
Joined: 13 Aug 2013 Posts: 6856 Location: Romerike, Norway
Posted: Sat Apr 23, 2022 8:57 Post subject:
Drop just drops the packets, but reject sends a message back to the sender that the connection is not allowed.
When you insert rules, they must be inserted in the opposite direction to what they shall be.
iptables -I INPUT -j DROP
iptables -I INPUT -p tcp -j ACCEPT
iptables -I INPUT -p udp -j ACCEPT
Note that all 3 lines have the -I
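An added example, not from any poster in this thread: a small Python model of how a netfilter chain is walked (rules top to bottom, first match wins; ACCEPT, DROP and REJECT all end the walk, REJECT merely also answers the sender), used to check the three rule sets discussed above. The first-match and -I/-A semantics are real iptables behaviour; the Rule and Chain classes and the three builder functions are my own names, and the protocol numbers are the ones the posters used.

```python
from typing import List, Optional
PROTO = {"tcp": 6, "udp": 17, "icmp": 1}  # IP protocol numbers as used by -p

class Rule:
    # One rule: an optional '-p' protocol match (negated for '! -p') and a target
    def __init__(self, target: str, proto: Optional[int] = None, negate: bool = False):
        self.target, self.proto, self.negate = target, proto, negate

    def matches(self, proto: int) -> bool:
        hit = self.proto is None or self.proto == proto
        return (not hit) if self.negate else hit

class Chain:
    # A chain with a default policy; rules are walked top to bottom, first match wins
    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> "Chain":  # iptables -I: rule goes to the top
        self.rules.insert(0, rule)
        return self

    def append(self, rule: Rule) -> "Chain":  # iptables -A: rule goes to the bottom
        self.rules.append(rule)
        return self

    def verdict(self, proto: int) -> str:
        for rule in self.rules:
            if rule.matches(proto):
                return rule.target  # ACCEPT, DROP and REJECT all end the walk here
        return self.policy  # nothing matched: the chain policy decides

def alozaros_chain() -> Chain:
    # -I REJECT, then -A ACCEPT tcp/udp: the REJECT stays on top and shadows both ACCEPTs
    return Chain().insert(Rule("REJECT")).append(Rule("ACCEPT", 6)).append(Rule("ACCEPT", 17))

def berg_chain() -> Chain:
    # all three with -I, so the final order is the reverse of typing order: udp, tcp, DROP
    return Chain().insert(Rule("DROP")).insert(Rule("ACCEPT", 6)).insert(Rule("ACCEPT", 17))

def ghost_chain() -> Chain:
    # '! -p 6 REJECT' then '! -p 17 REJECT': TCP is "not UDP", so rule two rejects it; nothing survives
    c = Chain("ACCEPT")
    return c.append(Rule("REJECT", 6, negate=True)).append(Rule("REJECT", 17, negate=True))

def verdicts(chain: Chain) -> dict:
    return {name: chain.verdict(num) for name, num in PROTO.items()}

if __name__ == "__main__":
    for name, build in (("alozaros", alozaros_chain), ("berg", berg_chain), ("ghost", ghost_chain)):
        print(name, verdicts(build()))
```

The model also shows that the two negated FORWARD rules together reject every protocol, so "non-TCP and non-UDP" has to be expressed as ACCEPT tcp, ACCEPT udp, then REJECT the rest. On the reply question: REJECT's answer type is chosen per rule with --reject-with rather than by a sysctl, and a rule that must send nothing back is a DROP rule.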