
how to add/remove rules in filter_rules


swede

I want to block an IP from accessing the WAN, only the LAN.

I used from GUI: Firewall => Network services filter

I added two rules (as seen in /tmp/filter_rules) that work:

-A FORWARD -i br0 -o eth0 -p udp -s 192.168.1.99 -j DROP
-A FORWARD -i br0 -o eth0 -p tcp -s 192.168.1.99 -j DROP


However I want to be able to somewhat easy turn these on and off.
My thinking was to run a script via ssh to do this.


I guess those lines above with "iptables" in front of them are what add
the restriction for that IP,

resulting in these two lines in iptables -L:

DROP udp -- tv1dd1ac16b520 anywhere
DROP tcp -- tv1dd1ac16b520 anywhere


1.
My question is: could I add the rules directly with the hostname tv1dd1ac16b520
instead of the IP address, so I don't have to make that address static?

Do I have to insert at a certain line number for it to work?

How would such a command look?


2.
What is the command to remove these two rules again

*edit*

I could possibly use
iptables -L FORWARD -n --line-numbers | grep 192.168.1.99 | cut -d' ' -f1

to get the linenumbers to delete with

iptables -D FORWARD #linenumber

Here I have to use the IP too and not the hostname? Could this be changed?
Could I delete in another, easier way?

3.
Do I have to save/commit updates to iptables with iptables-save?


4.
Maybe I could manipulate the file /tmp/filter_rules instead and then save/commit that somehow


Any help would be most welcome
iptables only works with static addresses. You can specify a host name if you want, but all it does is translate it to an IP address. It's the same with "iptables -L": it takes the IP addresses and shows you the host names currently associated with them. It is best to just use IP addresses (and iptables -L -n -v).

You don't have to do anything as complicated as you are suggesting. Just use the following commands:

To insert (I) the rules:
iptables -I FORWARD -i br0 -o eth0 -p udp -s 192.168.1.99 -j DROP
iptables -I FORWARD -i br0 -o eth0 -p tcp -s 192.168.1.99 -j DROP


To delete (D) the rules:
iptables -D FORWARD -i br0 -o eth0 -p udp -s 192.168.1.99 -j DROP
iptables -D FORWARD -i br0 -o eth0 -p tcp -s 192.168.1.99 -j DROP
Thanks @ColinTaylor, that seems to work like a charm.

Three questions:

1.
For TCP there are several categories: SYN, ACK, FIN, RST, URG, PSH.

Should I DROP all of them?

The ALL target seems not to work?

2.
I don't really understand the difference between iptables -I and -A, i.e. Insert and Append.
You seem to think it is better with Insert. What is the logic behind that decision?


3.
Is ssh login available on guest networks?


EPILOG.
For reference, here is my script.
Note the use of getent to look up the IP number of the hostname, so as to avoid a static IP on the router.
(Couldn't use arp since the entry was not always present in the ARP cache.)

#!/bin/bash
# Toggle the WAN block for the TV: delete the rules if they are present, otherwise insert them.

#IPADDRESS_TV=$(arp -a | grep tv1dd1ac16b520 | cut -d' ' -f2 | sed 's/[()]//g')
# getent goes through the normal resolver, so the TV does not need a static lease.
IPADDRESS_TV=$(getent hosts tv1dd1ac16b520 | cut -d' ' -f1)

# Stop if the lookup failed: an empty address would make the grep below match every rule
# and the -D/-I commands would run with an empty -s argument.
if [ -z "$IPADDRESS_TV" ]; then
    echo "could not resolve tv1dd1ac16b520" >&2
    exit 1
fi

echo "$IPADDRESS_TV"

# Unquoted heredoc: $IPADDRESS_TV is expanded here, before the commands are sent to the router.
ssh admin@router.asus.com <<-ENDSSH
#commands to run on remote host
# -F: match the address literally (dots are not wildcards); -w: 192.168.1.9 must not match 192.168.1.99
if iptables -L FORWARD -n --line-numbers | grep -qwF "$IPADDRESS_TV"; then

# To delete (D) the rules:
iptables -D FORWARD -i br0 -o eth0 -p udp -s "$IPADDRESS_TV" -j DROP
iptables -D FORWARD -i br0 -o eth0 -p tcp -s "$IPADDRESS_TV" -j DROP
else
# To insert (I) the rules:
iptables -I FORWARD -i br0 -o eth0 -p udp -s "$IPADDRESS_TV" -j DROP
iptables -I FORWARD -i br0 -o eth0 -p tcp -s "$IPADDRESS_TV" -j DROP
fi
ENDSSH
1) No, don't use "TCP ALL", just "TCP".

2) The order of the rules is very important.

The file "/tmp/filter_rules" is used when the rules are initially created. Because they are (A)ppended, they appear in the chain in this order. You want to modify the currently running rules. Any rules you (A)ppend will appear at the end of the chain. There are some existing rules in the FORWARD chain that might interfere with what you are doing (e.g. -A FORWARD -i br0 -j ACCEPT). By (I)nserting your rules at the beginning of the chain you are ensuring that your rules have precedence.

3) I don't see why not.
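Putting ColinTaylor's -I/-D pair and the ordering point above into one script, as an added example that is not from this thread or from the router firmware: it checks for each rule with iptables -C before inserting, so running it twice never stacks duplicate copies, and it deletes in a loop because -D removes only one matching rule per call. It assumes the interface names used in the thread (br0 for the LAN bridge, eth0 for the WAN) and that the router's iptables supports -C (rule check, available in iptables 1.4.11 and later); both are assumptions to verify on your firmware before relying on it.

```shell
#!/bin/sh
# Toggle a per-host WAN block on the FORWARD chain without duplicating rules.
# Assumptions (not from the thread's firmware): LAN bridge br0, WAN eth0,
# and an iptables that supports -C (rule check).

LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-eth0}

# Print the full rule spec for one source address and protocol. Insert, delete
# and check all go through here so the three always use byte-identical specs.
rule_spec() {
    # $1 = source IP, $2 = protocol (udp or tcp)
    echo "FORWARD -i $LAN_IF -o $WAN_IF -p $2 -s $1 -j DROP"
}

# Returns 0 if both DROP rules for the host are present, 1 otherwise.
is_blocked() {
    iptables -C $(rule_spec "$1" udp) >/dev/null 2>&1 &&
    iptables -C $(rule_spec "$1" tcp) >/dev/null 2>&1
}

# Insert at the top of FORWARD (-I with no position = rule 1) so the rules
# sit above the firmware's own "-A FORWARD -i br0 -j ACCEPT".
# A rule that is already present is skipped instead of being added again.
block_host() {
    for proto in udp tcp; do
        iptables -C $(rule_spec "$1" $proto) >/dev/null 2>&1 ||
        iptables -I $(rule_spec "$1" $proto)
    done
}

# Delete every copy: -D removes one match per call, so keep going until -C
# says the rule is gone. This also cleans up duplicates from earlier manual -I runs.
unblock_host() {
    for proto in udp tcp; do
        while iptables -C $(rule_spec "$1" $proto) >/dev/null 2>&1; do
            iptables -D $(rule_spec "$1" $proto)
        done
    done
}

# Flip the current state; prints what it did so an ssh one-liner shows the result.
toggle_host() {
    if is_blocked "$1"; then
        unblock_host "$1"
        echo "unblocked $1"
    else
        block_host "$1"
        echo "blocked $1"
    fi
}

# Command-line entry point; with no arguments the file can be sourced for its functions.
# Usage: sh wanblock.sh toggle|block|unblock|status 192.168.1.99
case "${1:-}" in
    toggle)  toggle_host "$2" ;;
    block)   block_host "$2" ;;
    unblock) unblock_host "$2" ;;
    status)  if is_blocked "$2"; then echo "blocked"; else echo "not blocked"; fi ;;
esac
```

Run it on the router over ssh, for example `ssh admin@router.asus.com sh /path/wanblock.sh toggle 192.168.1.99`, or source it and call block_host/unblock_host directly. Because every action is guarded by -C, the script is safe to call from a cron job or a second ssh session without worrying about how many times it already ran; the block is still lost on reboot, exactly as with the manual -I commands.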