Asus Merlin - iptables command (not working?)

[SkierInAvon]

Trying to use Asus-Merlin on my RT-AX56U and IPTABLES to block all traffic from a specific public IP address.
First, SSH into Asus Merlin as admin from the LAN interface.

Issue Command: iptables -A INPUT -s 209.193.73.210 -j DROP

Command seems to execute (no errors reported) yet I can still PING and Telnet to port 110 (209.193.73.210) after issuing the simple command.

HUH? What am I missing?

Thanks,

-pete

 

[ColinTaylor]

You should use -I instead of -A

Bear in mind this only blocks traffic destined for the router itself. It has no effect on traffic forwarded to the LAN.

 

[SkierInAvon]

You should use -I instead of -A

Bear in mind this only blocks traffic destined for the router itself. It has no effect on traffic forwarded to the LAN.

Thanks. However I do want to block (some) traffic from the public internet, that tries to reach my LAN, specifically TCP Port 25 inbound traffic that the Asus is set to forward to my email server on the LAN...

Do you know the specific IPTABLES syntax that will block that TCP Port 25 traffic from a specific public IP address?

-Thanks

-pete

 

[ColinTaylor]

Then you would use the FORWARD chain rather than INPUT. Try this:

iptables -I FORWARD -s 209.193.73.210 -d 192.168.50.10 -p tcp --dport 25 -j DROP

Change the destination address to that of your mail server.

 

[SkierInAvon]

Then you would use the FORWARD chain rather than INPUT. Try this:

iptables -I FORWARD -s 209.193.73.210 -d 192.168.50.10 -p tcp --dport 25 -j DROP

Change the destination address to that of your mail server.

Thanks Colin! I followed your syntax to the letter - changed 192.168.50.10 to my email server 10.0.253.4 and tried it...
No Joy...I think what I (maybe?) learning is that...when you use AsusMerlin Browser Interface and Port Forward TCP/25 to 10.0.253.4...that (web browser Asus forwarding) takes precedent over any additional IP Tables "commands" you might want to setup...
I remoted into my email server 10.0.254.4 and opened a Telnet session (port 25) to 209.193.73.210 and it still connected. Seems like once you configure your WAN Interface to forward TCP port 25...it's (game over??) after that point. Thanks again for taking the time to reply.
-pete

 

[ColinTaylor]

I remoted into my email server 10.0.254.4 and opened a Telnet session (port 25) to 209.193.73.210 and it still connected. Seems like once you configure your WAN Interface to forward TCP port 25...it's (game over??) after that point.

Sorry, I thought you wanted to do this the other way around?

You said you wanted to block connections (from the internet) coming into your router and being forwarded to a mail server on your LAN (10.0.254.4).

Now you're saying that you're trying to block outgoing connections from 10.0.254.4 to 209.193.73.210. I'm confused.

 

[SkierInAvon]

Thanks Colin! I followed your syntax to the letter - changed 192.168.50.10 to my email server 10.0.253.4 and tried it...
No Joy...I think what I (maybe?) learning is that...when you use AsusMerlin Browser Interface and Port Forward TCP/25 to 10.0.253.4...that (web browser Asus forwarding) takes precedent over any additional IP Tables "commands" you might want to setup...
I remoted into my email server 10.0.254.4 and opened a Telnet session (port 25) to 209.193.73.210 and it still connected. Seems like once you configure your WAN Interface to forward TCP port 25...it's (game over??) after that point. Thanks again for taking the time to reply.
-pete

 

[SkierInAvon]

FIXED! and Working! Asus Merlin now "protecting my email server" Example below.

Example is from my: /jffs/scripts/firewall-start

Subnet 101.53.144.0 is located in Noida (Bakhtāwarpur), India
I have no interest in allowing (any) connections to my email server - from anywhere inside of India.

EXAMPLE: iptables -I FORWARD -s 101.53.144.0/24 -j DROP

Thanks again!!!

 

[SkierInAvon]

FIXED! and Working! Asus Merlin now "protecting my email server" Example below.

Example is from my: /jffs/scripts/firewall-start

Subnet 101.53.144.0 is located in Noida (Bakhtāwarpur), India
I have no interest in allowing (any) connections to my email server - from anywhere inside of India.

EXAMPLE: iptables -I FORWARD -s 101.53.144.0/24 -j DROP

Thanks again!!!

Yes, A reply and a thank you!
-pete