IPTables For Specific Mac Addresses

DD-WRT Forum Index -> Advanced Networking
AfroBro87
DD-WRT Novice


Joined: 16 Jun 2021
Posts: 8

PostPosted: Wed Jun 16, 2021 3:49    Post subject: IPTables For Specific Mac Addresses
I am having a bit of an issue configuring my router for specific devices. I have installed DD-WRT on my Netgear R7000 router with firmware version 3.0-r46854. Currently, in the Administration tab, under Commands, I have the following setup:

iptables -t nat -I PREROUTING -i br0 -s 192.XXX.X.X/24 -p udp --dport 53 -j DNAT --to 185.228.168.10
iptables -t nat -I PREROUTING -i br0 -s 192.XXX.X.X/24 -p tcp --dport 53 -j DNAT --to 185.228.169.11

iptables -I FORWARD 1 -p tcp -m multiport --dports 21,80,443 -j ACCEPT
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -j DROP

The first two rules redirect DNS (in PREROUTING) to the CleanBrowsing DNS servers as a means to force safe search on all major search engines, as well as to filter pornographic material.

The second set of rules has been put into place to block all traffic except HTTP, HTTPS and FTP, as the DD-WRT iptables guide instructs. This has proven very beneficial in blocking VPN access from Android apps, such as Turbo VPN, Hotspot Shield, etc. It helps prevent the apps from circumventing the safe search DNS from CleanBrowsing.

However, I have noticed that (as a result of blocking all but HTTP, HTTPS and FTP) some sites load slower, speed tests come out about 300 Mbps slower than normal (normally about 700 Mbps), my DVR security cameras cannot be accessed, and my Windows Mail application does not load emails.

I am wondering if there is a way to ease up on these particular iptables settings, while maintaining the security, for specific MAC addresses, specifically my own devices' MAC addresses, so that not everyone who uses the network is subject to the safeguards I have placed for myself. Or perhaps a means to exclude certain MAC addresses and/or sites from these rules?

A side note: I do not know if this is relevant or an issue, but I also have DDNS connected to OpenDNS via Setup -> DDNS, and under DDNS service I have Custom with the appropriate settings in place. Thank you so much, all, for any and all help.

AfroBro87
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Wed Jun 16, 2021 6:01    Post subject:
If you turn on the Forced DNS option in the GUI and put those two DNS servers in the DNS boxes, it will not allow any other DNS to resolve anything else.
You can harden it with these lines in the advanced DNS rules:

no-resolv
server=185.228.168.10
server=185.228.168.11


iptables -I FORWARD 1 -p tcp -m multiport --dports 21,80,443 -j ACCEPT
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -j DROP

The first rule is not needed, as it will open the door to anyone to use those ports, and this can compromise your security.

Maybe this is the rule you meant:
iptables -I FORWARD 1 ! -p tcp -m multiport --dports 21,80,443 -j DROP

! means it will drop all others, but not 21,80,443.

The second rule,

iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT

is usually in the IPT by default, so only those related/established connections will be accepted, and this is the general purpose of the SPI firewall.

The third rule will drop all the connections.
Usually, in this order, as you numbered it 3, it will come last and will cut off everything, so those two above are not valid, kind of.

If you take the numbers away, so the rules are pasted in the same order, then because of -I (insert) the rules will be executed in the opposite way, so the last rule comes first and they make more sense.

So it is more likely those rules should be like this:

iptables -I FORWARD 1 -j DROP
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -m multiport --dports 21,80,443 -j ACCEPT

In the end, if your SPI firewall is turned on,
it will do the first and the second rule by default.

Then again, when it comes to VPN use, and those who know how to use either a VPN or Tor, those rules will not help, as the connection will go another way and around the IPT, and then all of the above go to the toilet.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
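The ordering point made in this reply, as an added example that is not from the thread, from DD-WRT or from iptables itself: a small first-match model of an iptables chain that applies `-I` (insert at a position, top by default) and `-A` (append) in paste order, then evaluates constructed sample packets against the numbered rule set from the first post, the reversed set from this reply, and an unnumbered set with a `-m mac --mac-source` style exemption for one device, which is what the original question asked for. The MAC addresses, ports and packets are constructed samples; the model ignores `!` negation and assumes an ACCEPT chain policy.

```python
# Added example, not from the thread: a toy first-match model of an iptables
# chain covering only the matches used here (protocol, dport, conntrack state,
# source MAC). "!" negation is not modelled and the chain policy is assumed to
# be ACCEPT. The MACs and packets below are constructed samples.

def build(rules):
    """rules: list of (verb, rulenum_or_None, match, target), in paste order."""
    chain = []
    for verb, num, match, target in rules:
        if verb == "-A":                      # append at the bottom
            chain.append((match, target))
        else:                                 # "-I": insert before rule `num`; default 1 = top
            chain.insert((num or 1) - 1, (match, target))
    return chain

def matches(match, pkt):
    # Every listed field must equal the packet's value, or be a set containing it.
    return all(pkt.get(k) == v or (isinstance(v, set) and pkt.get(k) in v)
               for k, v in match.items())

def evaluate(chain, pkt, policy="ACCEPT"):
    """First matching rule decides the verdict, as in a real iptables chain."""
    for match, target in chain:
        if matches(match, pkt):
            return target
    return policy

WEB = {"proto": "tcp", "dport": {21, 80, 443}}   # -p tcp -m multiport --dports 21,80,443
ESTABLISHED = {"state": "ESTABLISHED"}            # -m state --state ESTABLISHED,RELATED

def original_post():
    """The thread starter's three rules with explicit positions: order is as numbered."""
    return build([("-I", 1, WEB, "ACCEPT"), ("-I", 2, ESTABLISHED, "ACCEPT"), ("-I", 3, {}, "DROP")])

def reversed_with_numbers():
    """The reversed list from the reply: DROP is pinned at position 1, so it matches first."""
    return build([("-I", 1, {}, "DROP"), ("-I", 2, ESTABLISHED, "ACCEPT"), ("-A", None, WEB, "ACCEPT")])

def mac_exempt(exempt_mac):
    """Unnumbered -I: each line lands on top, so paste order is reversed on the chain.
    The last line pasted (a hypothetical -m mac --mac-source exemption) is evaluated first."""
    return build([("-I", None, {}, "DROP"), ("-I", None, WEB, "ACCEPT"),
                  ("-I", None, ESTABLISHED, "ACCEPT"), ("-I", None, {"mac": exempt_mac}, "ACCEPT")])

# Constructed sample packets: a new HTTPS connection and a new connection to a DVR port.
OWN_MAC, OTHER_MAC = "02:00:00:00:00:aa", "02:00:00:00:00:bb"
NEW_HTTPS = {"proto": "tcp", "dport": 443, "state": "NEW", "mac": OTHER_MAC}
NEW_DVR = {"proto": "tcp", "dport": 8000, "state": "NEW", "mac": OWN_MAC}

if __name__ == "__main__":
    print(evaluate(original_post(), NEW_DVR), evaluate(mac_exempt(OWN_MAC), NEW_DVR))
```

Note that the model does not implement `!`, and that in real iptables `-m multiport` is only accepted together with `-p tcp`, `-p udp`, `-p udplite`, `-p sctp` or `-p dccp`, so a rule beginning `! -p tcp` that then uses `--dports` is rejected when the rule is loaded.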
AfroBro87
DD-WRT Novice


Joined: 16 Jun 2021
Posts: 8

PostPosted: Wed Jun 16, 2021 6:35    Post subject:
Alozaros wrote:
If you turn on the Forced DNS option in the GUI and put those two DNS servers in the DNS boxes, it will not allow any other DNS to resolve anything else.
You can harden it with these lines in the advanced DNS rules:

no-resolv
server=185.228.168.10
server=185.228.168.11


iptables -I FORWARD 1 -p tcp -m multiport --dports 21,80,443 -j ACCEPT
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -j DROP

The first rule is not needed, as it will open the door to anyone to use those ports, and this can compromise your security.

Maybe this is the rule you meant:
iptables -I FORWARD 1 ! -p tcp -m multiport --dports 21,80,443 -j DROP

! means it will drop all others, but not 21,80,443.

The second rule,

iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT

is usually in the IPT by default, so only those related/established connections will be accepted, and this is the general purpose of the SPI firewall.

The third rule will drop all the connections.
Usually, in this order, as you numbered it 3, it will come last and will cut off everything, so those two above are not valid, kind of.

If you take the numbers away, so the rules are pasted in the same order, then because of -I (insert) the rules will be executed in the opposite way, so the last rule comes first and they make more sense.

So it is more likely those rules should be like this:

iptables -I FORWARD 1 -j DROP
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -m multiport --dports 21,80,443 -j ACCEPT

In the end, if your SPI firewall is turned on,
it will do the first and the second rule by default.

Then again, when it comes to VPN use, and those who know how to use either a VPN or Tor, those rules will not help, as the connection will go another way and around the IPT, and then all of the above go to the toilet.


Please forgive my ignorance; I am brand new to much of this. I guess what I am asking for is the correct iptables command to put into the firewall? I know a more qualified or sophisticated individual can get around it; however, basic needs, like blocking simple, free Android VPN apps, are primarily what I need it for. I tried pasting it in the order you posted, but I could not reconnect to the internet as a result.

In the DNS 1 and 2 fields I have the CleanBrowsing servers, as well as the lines you pasted in the DNSMasq field.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Wed Jun 16, 2021 7:33    Post subject:
So, if you already added those in the DNS section they are fine, as well as using Forced DNS:

no-resolv
server=185.228.168.10
server=185.228.168.11

With those above, all your devices will use the specified DNS and nothing else. Do bear in mind that devices with baked-in/forced DNS may not work as intended.

The connection to your cams is not working because of those 3 rules in your firewall.

Then you don't need those 3 rules in the firewall script, but I would rather use:

iptables -I FORWARD ! -p tcp -m multiport --dports 21,80,443 -j DROP

Of course, this will cause various troubles, as some other services/apps use other TCP ports, as well as UDP, and there you get to your own net/web. In general, circumventing that VPN will be almost impossible.
Maybe if you know that VPN's IP range, then you can block the IP range and ports with iptables rules, so they will not be able to establish a connection and communicate. But then again, those rules may interfere with something else.

As I said, those work on different layers of communication and it will be tough to mitigate with easy rules. It requires more details, digging and understanding. Let's hope someone else will help here, as I'm going away today...

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Wed Jun 16, 2021 8:53    Post subject:
As @Alozaros said, the firewall does its job; there is no need to put in extra firewall rules unless you know what you are doing. The rule you added opens the firewall!

About DNS: put the DNS servers in Static DNS 1 and 2, tick/enable Ignore WAN DNS (on the Setup page) and tick Enable Forced DNS Redirection, and you should be good.

If you also want to block/redirect DoT and DoH, see the IPSET documentation (sticky in the Advanced forum).

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Wed Jun 16, 2021 14:34    Post subject:
Yep, ipset will do the trick, if your router supports it. As egc said, read the manual.
AfroBro87
DD-WRT Novice


Joined: 16 Jun 2021
Posts: 8

PostPosted: Wed Jun 16, 2021 21:55    Post subject: IPTables For Specific Mac Addresses
Thank you both for all of your help and input. Like I said, I am brand new to all of this, so I am just trying to pick it up as I go, but I truly appreciate all your hard work and expertise!