Posted: Sun Jan 02, 2022 18:31 Post subject: Iptables not appearing to work...
I host twelve game servers behind a router using DD-WRT for the OS. When a player becomes disruptive (normally somebody new who popped on, not a regular player) I kick and/or ban in-game, but to prevent wasted traffic, I also do something like the following via SSH in the router.
In older versions of DD-WRT this worked. However, now it does not. I can see the rule at the top of the list but the player can rejoin, still on the exact same address. I have tried /32 as well, but no change. It's like iptables is ignoring the rule. What gives?
Router: Netgear XR500
DD Version: v3.0 r47528
Router is solid beyond this bug. I upgraded from a much older version, doing a factory reset both before the upgrade and after, then configured it. OpenVPN works, DNS works, everything, except iptables rules entered from SSH. _________________ Cicero: Stab you, stab you, stab you!
Psycho: I think he wants to play xylophone with my spinal cord!
I don't see anything obviously wrong w/ the rule (although technically it should be 1.2.3.0/24, but iptables will accept 1.2.3.4/24 too and convert it). If the rule is listed in iptables, then it will work, and should show a hit count if triggered. But I have no way of knowing if the public IP and/or ports you've specified are correct.
Sorry for the delayed replies. I just got home from work. Here are my responses in reverse order.
Egc, the SFE is enabled and it was enabled from the moment I installed DD-WRT. I do not know what this is and have not bothered it. I do not see this on any other routing hardware such as Ubiquiti or Watchguard.
Eibgrad, I do use the correct network denotation when I do the rule, I was just typing something here as an example. The address is correct as I literally copy/paste it. Oh, and this worked in the old V2 firmware I ran prior. And yes, the router is a router, not a bridge/AP/etc. My cable modem goes to WAN, I have not configured VLANs so all four ports are one big switch, and two of those go to a Synology DS1019+ NAS. The others go to switches at opposite ends of my home.
Wildlion, I am hesitant to post the rules as they expose my internal LAN info and addresses of those banned. While a player may be a pile of crap in-game I do respect their privacy. If it becomes necessary to publish the rules, I will do so after editing the private stuff out.
When I type the rule into the SSH connection and do "iptables -L" I do indeed see the rule. That is why it bothers me that it does not work.
The few things I can think of to check: see if an iptables rule of RELATED or ESTABLISHED is kicking in first... or if something higher up is triggering/changing... like in the pre-NAT area.
FYI SFE stands for shortcut forwarding engine and it is a way to accelerate the packets going through the system... so the reason we were asking is to see if SFE is picking up the packets and therefore accelerating the system/bypassing firewall rules (SFE affects QoS).
I do not know if you are able to test, but those would be my suggestions.
I already figured it out. You had some great ideas, Wildlion, but it was the SFE. I researched it. Upon disabling it my up speed stayed the same and I lost about 50Mbps down, but now the iptables rules work. This scares me because it may mean a way in for hackers. Granted, I am a home user and my systems and NAS devices hold only games and pictures dating back to the 90's. No bank info, nothing special. I do, however, have a few of these in the wild where security may be more important and now I may need to disable this feature at the cost of speed to ensure security.
Oh, so I can leave SFE enabled so long as I restart that service after manual changes? I'll give it a try. Thanks, egc.
OK, this did not work. I enabled the SFE, rebooted the router, and then logged into an SSH terminal. I entered the rule and verified it was first on the list. Then I entered "stopservice sfe" followed by "startservice sfe". No go. Tested with a helper at a remote location and I could not block their connection while SFE was on.
Odd, but remember, I am blocking UDP. I have an XR500, very similar to yours unless I am mistaken. Does yours properly block UDP? That might be key.
For reference, we tested by having one of my players connect to one of our servers. I then implemented the rule, specifying UDP and the server port, and he dropped after a minute. I enabled SFE, he connected again, and I added the rule. No drop. I did the service stop and start. He stayed connected for an additional 15-20min, so it was not working. As soon as I disabled SFE, iptables worked again.
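The hit-counter check Eibgrad mentions and the "rule is listed but the player stays connected" test above, as an added shell example (not from anyone in this thread). It assumes the ban rule lives in the FORWARD chain, that the port and addresses are placeholders, and that the counters come from `iptables -nvxL FORWARD`; a rule that is listed yet never increments while the client is still playing is the symptom the thread traces to SFE.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the per-player ban rule and reads
# its packet counter back from "iptables -nvxL FORWARD" so a rule that is merely
# listed can be told apart from one that is actually matching traffic.
# Assumption: game traffic is routed through the FORWARD chain.

# Print the command that inserts the ban at the top of FORWARD:
# drop UDP from one source address to the game server's port.
ban_rule_cmd() {
    src="$1"    # banned player's public address (placeholder in tests)
    port="$2"   # game server's UDP port (placeholder in tests)
    printf 'iptables -I FORWARD 1 -s %s/32 -p udp --dport %s -j DROP\n' "$src" "$port"
}

# Read "iptables -nvxL FORWARD" output on stdin and print the packet counter of
# the DROP rule whose source column equals $1. With -n a /32 host is shown
# without the mask, so match the bare address. Prints 0 when no rule matches.
rule_hits() {
    awk -v src="$1" '
        $3 == "DROP" && $8 == src { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# Turn a counter into a diagnosis: zero hits while the client is still
# connected means the packets never reached netfilter at all.
ban_verdict() {
    if [ "$1" -gt 0 ] 2>/dev/null; then
        echo "matching: $1 packets dropped"
    else
        echo "listed but 0 hits: traffic is bypassing netfilter (check SFE)"
    fi
}

# Constructed sample of "iptables -nvxL FORWARD" (addresses are documentation
# ranges, port is a placeholder): the first ban has never matched, the second has.
SAMPLE_OUTPUT='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       udp  --  *      *       203.0.113.7          0.0.0.0/0            udp dpt:27015
    1184   177600 DROP       udp  --  *      *       198.51.100.22        0.0.0.0/0            udp dpt:27015'

# Stand-alone demo: on the router you would pipe the real command instead,
#   iptables -nvxL FORWARD | rule_hits 203.0.113.7
ban_rule_cmd 203.0.113.7 27015
for ip in 203.0.113.7 198.51.100.22; do
    hits=$(printf '%s\n' "$SAMPLE_OUTPUT" | rule_hits "$ip")
    echo "$ip -> $(ban_verdict "$hits")"
done
```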
I will check this and report back the next time I can take down the router. Thanks again for your help, egc.