IP tables confusion

splatee

Occasional Visitor
Hello, I am having a bit of a hard time understanding how to use iptables in RMerlin firmware. I have read through the info and it seems like I have to telnet into the router to run them? I have used DDWRT and it has a built-in command line that you can save them to the firewall from.

Here is what I am trying to do. I am trying to save the following as a "firewall" rule to block certain YouTube servers that are slow.

iptables -I FORWARD -s 173.194.55.0/24 -j REJECT
iptables -I FORWARD -s 206.111.0.0/16 -j REJECT

On DDWRT I would just save those to the firewall rules in the command run window on the firmware. I am not sure how to do this in RMerlin.

Thank you
 
To enhance security, the facility to enter commands via the web GUI was removed a while ago. As you say, you need to use telnet or SSH.

Can't help with iptables, I'm afraid.
 
What is your current skill level with a Linux command line environment? Do you know how to edit files using "vi"?

Depending on your answer different approaches can be taken.
 
If you are a Windows user I would suggest that you 1) enable SSH access to the router, and then 2) install WinSCP.

Using WinSCP, log onto the router and navigate to the /jffs/scripts directory. Right click in that directory and choose New File. Create a new file called firewall-start with the following lines:
Code:
#!/bin/sh

iptables -I FORWARD -s 173.194.55.0/24 -j REJECT
iptables -I FORWARD -s 206.111.0.0/16 -j REJECT
Save the file and then change its properties to 0755.

Reboot and you're done.
 
Yes, I am using Windows. OK, I will go ahead and try that. Thank you.
 
Reject rather than Drop because that's how it was presented in post #1? Or would there be a good reason to prefer Reject over Drop in this application?
 
Yes, that's exactly what I thought at first. That it would be better to use DROP, but then I googled those specific IP addresses. It turns out to be something to do with speeding up YouTube videos, not blocking hackers. So perhaps in this case REJECT is the required response.
 
Imagine someone asks you something, and you don't want to do it. You can:

a) not answer, and let the person wait, until they get tired and leave.
b) answer immediately "No, I won't do it".

a) is a DROP, b) is a REJECT. The first one makes the person stay around, possibly asking you again in case you didn't hear them the first time, but they won't be sure whether you are there or not. The second one is an immediate rejection, which means they can immediately go away, or they can stay and keep asking.
 
With the firewall enabled nobody has access to my udpxy from outside my home network... but I would like to add an iptables rule in the firewall-start script for one client... for example, a client from the IP range 169.0.0.0/16 may access my udpxy server on destination port 1234... what is a working rule?

sent from Kodi 17 Krypton
 
Should note that you should never assume someone can't get in - your steps are good, but never assume.
I know, but I would like to see if there is a working solution in my case...

sent from Kodi 17 Krypton
 
What is wrong with this rule? It should block all incoming connections to port 1234 except from the host with IP address 77.66.55.44...? But I tested it and it is not working...
Code:
iptables -A INPUT -p tcp -s 77.66.55.44 --dport 1234 -j ACCEPT
iptables -A INPUT -p tcp --dport 1234 -j REJECT
 
what is wrong with this rule?
That's impossible to say without knowing what the other rules of the INPUT chain are. But if I had to guess I'd say it's because you are adding (-A) the rules to the end of the chain, whereas you probably need to insert (-I) them at the beginning.
 
Do you have a working solution for my case?

sent from Kodi 17 Krypton
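As an added example (not code from the thread, from the poster, or from the Merlin project), here is a complete /jffs/scripts/firewall-start that combines the rules discussed in this thread: the two FORWARD REJECTs from the first post, and the udpxy INPUT rules in the order the last answer recommends (inserted with -I so the ACCEPT for the one allowed host ends up above the REJECT). It assumes that firewall-start can be run again whenever the router's firewall restarts, so each rule is checked with `iptables -C` before being added to avoid duplicates. The DRY_RUN=1 mode, the `ipt`/`insert_once` helper names and the fallback to printing when not root or when no iptables binary exists are my own additions for previewing the rule order on a PC; the host 77.66.55.44, the port 1234 and the two address ranges are the placeholder values from the thread.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  (constructed example, not from the thread)
# Assumption: Merlin re-runs this script whenever the firewall restarts, so
# every rule is checked with `iptables -C` before it is inserted.

# Values taken from the thread; replace with your own.
SLOW_YT_NETS="173.194.55.0/24 206.111.0.0/16"
UDPXY_PORT=1234
UDPXY_ALLOWED_HOST="77.66.55.44"   # placeholder host from the thread

# Real iptables calls only when not in dry-run mode, running as root, and the
# binary exists; otherwise the commands are printed so the order can be reviewed.
can_run() {
    [ "${DRY_RUN:-0}" != "1" ] && [ "$(id -u)" = "0" ] \
        && command -v iptables >/dev/null 2>&1
}

# Run iptables with the given arguments, or print the command instead.
ipt() {
    if can_run; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Insert a rule at the top of CHAIN unless an identical rule already exists.
# Usage: insert_once CHAIN [match...] -j TARGET
insert_once() {
    chain=$1; shift
    if can_run && iptables -C "$chain" "$@" 2>/dev/null; then
        return 0        # identical rule already present, nothing to do
    fi
    ipt -I "$chain" "$@"
}

apply_rules() {
    # 1) Post #1: REJECT (not DROP) traffic from the slow YouTube ranges that
    #    crosses the router, so clients get an immediate answer and move on.
    for net in $SLOW_YT_NETS; do
        insert_once FORWARD -s "$net" -j REJECT
    done

    # 2) udpxy: order matters. Every -I lands at position 1, so insert the
    #    REJECT first and the ACCEPT second; the ACCEPT then sits above the
    #    REJECT and the allowed host is matched before everyone else is refused.
    #    With -A both rules would be appended after the existing INPUT rules
    #    and might never be reached.
    insert_once INPUT -p tcp --dport "$UDPXY_PORT" -j REJECT
    insert_once INPUT -p tcp -s "$UDPXY_ALLOWED_HOST" --dport "$UDPXY_PORT" -j ACCEPT
}

apply_rules
```

To preview the rule order from a PC, run the script with `DRY_RUN=1`; on the router, `iptables -L INPUT -n --line-numbers` afterwards shows the ACCEPT for the allowed host at line 1 and the REJECT at line 2. The idempotency check matters because inserting the same rule on every firewall restart would otherwise pile up duplicate entries at the top of the chains.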
 
