AC88U - 386.1_2 fw block internet issue


Where is the blocked device connected? Main router or a node? Primary WiFi network or guest network?

The blocking is only set up for br0, but not br1 or br2 (Guest Networks #1).

I don’t know how the iptables rules would handle a connection from a node, but as long as it’s from an IP and it sees the traffic on br0 interface it should work.

My thought on IPv6 was whether or not the blocking took effect on IPv6 firewall or not. But if it’s not enabled, no matter.

I just realized something.
If I block access for 192.168.254.20, it does not appear in iptables, and it does NOT get blocked.
If I block another IP (192.168.254.195 in my previous post), it goes into iptables and gets blocked.

What is special about 192.168.254.20?
It has some port mappings, but is that related?

It is connected via an Ethernet port.
Actually, while the block is being applied, I check with "iptables -S FORWARD" and I see the IP added to the table for a second, then it goes away...

Any ideas?
What should I check?
Is there a log for iptables that I could check to see why it adds 192.168.254.20 to the table and then removes it?
 
You can inspect the /tmp/filter_rules file to see if it looks like the output of iptables -S. If the block is still there in the file, but disappears from iptables later, then something outside of the main firewall code might be removing it. That’s just speculation since I’ve never seen that behavior before, but I also don’t usually block anything either so I’m not a good test case.
 
You are correct. It stays there:

Code:
admin@RT-AC88U-DF80:/tmp/home/root# cat /tmp/filter_rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_PING - [0:0]
:INPUT_ICMP - [0:0]
:FUPNP - [0:0]
:SECURITY - [0:0]
:ACCESS_RESTRICTION - [0:0]
:other2wan - [0:0]
:OVPN - [0:0]
:DNSFILTER_DOT - [0:0]
:NSFW - [0:0]
:PControls - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:PTCSRVWAN - [0:0]
:PTCSRVLAN - [0:0]
:ipttolan - [0:0]
:iptfromlan - [0:0]
-I FORWARD -i br0 -j iptfromlan
-I FORWARD -o br0 -j ipttolan
-A ipttolan -i ppp0 -m account --aaddr 192.168.254.0/255.255.255.0 --aname lan -j RETURN
-A iptfromlan -o ppp0 -m account --aaddr 192.168.254.0/255.255.255.0 --aname lan -j RETURN
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br0 -s 192.168.254.20 -j DROP
-A INPUT -p icmp --icmp-type 8 -j INPUT_PING
-A INPUT_PING -i ppp0 -p icmp -j logdrop
-A INPUT_PING -i eth0 -p icmp -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -m conntrack --ctstate DNAT -p tcp -m tcp -d 192.168.254.1 --dport 8443 -j ACCEPT
-N SSHBFP
-A SSHBFP -m recent --set --name SSH --rsource
-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j logdrop
-A SSHBFP -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSHBFP
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT_ICMP -p icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A INPUT -i br1 -p udp --dport 53 -j ACCEPT
-A INPUT -i br1 -p udp --dport 67 -j ACCEPT
-A INPUT -i br1 -p udp --dport 68 -j ACCEPT
-A INPUT -i br1 -j DROP
-A INPUT -j logdrop
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o ppp0 -j ACCEPT
-A FORWARD -o ppp0 ! -i br0 -j other2wan
-A FORWARD -o eth0 ! -i br0 -j logdrop
-A other2wan -i tun+ -j RETURN
-A other2wan -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A PControls -i br0 -o br0 -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A PControls -m state --state INVALID -j logdrop
-A FORWARD -i ppp0 -j SECURITY
-A PControls -j NSFW
-A FORWARD -j NSFW
-A PControls -j logdrop
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --syn -j logdrop
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j logdrop
-A SECURITY -p icmp --icmp-type 8 -m limit --limit 1/s -j RETURN
-A SECURITY -p icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A FORWARD -j logdrop
COMMIT

But not in the chain:

Code:
admin@RT-AC88U-DF80:/tmp/home/root# iptables -S FORWARD
-P FORWARD DROP
-A FORWARD -o br0 -j ipttolan
-A FORWARD -i br0 -j iptfromlan
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o ppp0 -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i ppp0 -j SECURITY
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j logdrop

So now what? What should I check?
 
See where else that IP or MAC might be defined in your settings or custom scripts.
Code:
nvram show 2>/dev/null | grep -F "192.168.254.20"
grep -F "192.168.254.20" /jffs/scripts/* /jffs/configs/*
If nothing, try the same commands with the MAC address instead of IP.
 
Got it, thanks.

The IP is in the /jffs/scripts/firewall-start script.

I don't remember why I did this, but the script deletes the DROP lines for 4 IP addresses if the primary WAN is active:

Code:
# Allow/Deny Primary WAN (WAN0) access for specified LAN devices
if [ "$FIBER_ACTIVE" = "1" ]; then
   # Primary WAN up: remove any existing per-device DROP rules so these hosts get out
   logger -st "($(basename $0))" $$ Allowing Primary WAN "(WAN0)" access for 192.168.254.199 , 192.168.254.37 , 192.168.254.38 , 192.168.254.20
   iptables -D FORWARD -i br0 -s 192.168.254.199 -j DROP 2> /dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.37 -j DROP 2> /dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.38 -j DROP 2> /dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.20 -j DROP 2> /dev/null
else
   # Fallback WAN up: delete first (avoids duplicates), then re-insert the DROP rules
   logger -st "($(basename $0))" $$ Blocking Secondary WAN "(WAN1)" access for 192.168.254.199 , 192.168.254.37 , 192.168.254.38 , 192.168.254.20
   iptables -D FORWARD -i br0 -s 192.168.254.199 -j DROP 2>/dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.37 -j DROP 2>/dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.38 -j DROP 2>/dev/null
   iptables -D FORWARD -i br0 -s 192.168.254.20 -j DROP 2>/dev/null
   # Insert each DROP at (line number of the "state INVALID" rule) + 1, i.e. directly after it
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.199 -j DROP
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.37 -j DROP
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.38 -j DROP
   iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.20 -j DROP
fi

I really don't remember why I added this.
And I don't know what the second part is doing with this command:

Code:
iptables -I FORWARD "$(($(iptables -nvL FORWARD --line -t filter | grep "state INVALID" | cut -d' ' -f1)+1))" -i br0 -s 192.168.254.20 -j DROP
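Two checks from this thread, reproduced on constructed sample output as an added example (not code from the thread or from the firmware): the "is the DROP in /tmp/filter_rules but gone from the live chain?" comparison suggested a few posts up, and the position arithmetic in the firewall-start command just above. Both helpers take the listing text as an argument instead of reading the live kernel, so the script runs offline. The listings, the function names and the addresses used below are constructed for illustration and only mirror the format of iptables output on the router.

```shell
#!/bin/sh
# Added example: helpers for the two checks discussed in the thread.
# Nothing here touches a live iptables; the listings are constructed samples.

# Constructed sample of `iptables -nvL FORWARD --line-numbers -t filter`
# (line numbers left-aligned in the first column, as iptables prints them).
SAMPLE_NVL='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ipttolan   all  --  *      br0     0.0.0.0/0            0.0.0.0/0
2        0     0 iptfromlan all  --  br0    *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
5        0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
6        0     0 SECURITY   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample of the live chain (`iptables -S FORWARD`); note iptables
# prints host addresses with a /32 mask in this form.
SAMPLE_LIVE='-P FORWARD DROP
-A FORWARD -o br0 -j ipttolan
-A FORWARD -i br0 -j iptfromlan
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -s 192.168.254.195/32 -j DROP
-A FORWARD -i br0 -j ACCEPT'

# Constructed sample of the relevant lines of /tmp/filter_rules (firmware
# writes the address without a mask there).
SAMPLE_SAVED='-A FORWARD -i br0 -s 192.168.254.20 -j DROP
-A FORWARD -i br0 -s 192.168.254.195 -j DROP'

# Same pipeline as the firewall-start command: find the "state INVALID" rule
# in an -nvL listing and print (line number + 1), the position `iptables -I
# FORWARD <n>` needs to place a rule directly after it. Only the first match
# is used, so a chain with two such rules cannot break the arithmetic, and a
# chain without one fails loudly instead of inserting at a bogus position.
insert_pos_after_invalid() {
    listing="$1"
    n=$(printf '%s\n' "$listing" | grep "state INVALID" | head -n 1 | cut -d' ' -f1)
    if [ -z "$n" ]; then
        echo "no 'state INVALID' rule in listing" >&2
        return 1
    fi
    echo $((n + 1))
}

# True when the listing contains a br0 source DROP for the given IP, in either
# the /tmp/filter_rules form (no mask) or the `iptables -S` form (/32).
has_lan_block() {
    listing="$1"
    ip="$2"
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    printf '%s\n' "$listing" | grep -q -E -e "^-A FORWARD -i br0 -s ${esc}(/32)? -j DROP$"
}

# The symptom in the thread: the block survives in the saved rules file but is
# absent from the live chain. True when exactly that mismatch is present.
block_vanished() {
    saved="$1"
    live="$2"
    ip="$3"
    has_lan_block "$saved" "$ip" && ! has_lan_block "$live" "$ip"
}

# Demo on the constructed samples (prints only).
echo "insert position after 'state INVALID': $(insert_pos_after_invalid "$SAMPLE_NVL")"
if block_vanished "$SAMPLE_SAVED" "$SAMPLE_LIVE" 192.168.254.20; then
    echo "192.168.254.20: DROP present in saved rules but missing from live FORWARD chain"
fi
```

On a router you would feed `has_lan_block` the real text with `"$(cat /tmp/filter_rules)"` and `"$(iptables -S FORWARD)"`; a true result from `block_vanished` is the signal to go looking in /jffs/scripts, as the reply above did.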
 
The gun doesn’t smoke much more than that.
 
Hi guys, I don't know if you can help me. I just flashed my ac86u yesterday with 386.2 from 384.18. When I click on a client and select the block internet access option, the internet stops working for every device. I have no idea why this is happening when it wasn't the case before. I'm assuming no one is experiencing the same issue? Is there a way I could check what is happening with iptables commands? Thanks
 