Asus RT-AC3100, Merlin, how to use iptables to prevent access to port/ip


dogf

Occasional Visitor
Hi,

I am using RT-AC3100, Merlin 386_3_2. I want to use iptables to prevent some internal IP from accessing some IPs and ports. But it does not work.

The internal IP is: 192.168.1.110
I want to prevent it from accessing any address, tcp/udp, port 5222. I use these commands:

iptables -A INPUT -p tcp --dport 5222 -s 192.168.1.110 -j DROP
iptables -A INPUT -p udp --dport 5222 -s 192.168.1.110 -j DROP

But it does not work. :(.

Please help.
 

eibgrad

Very Senior Member
In general, if you append (-A) rules, they will have NO EFFECT, since the INPUT (and FORWARD) chain ends w/ an unconditional DROP rule. Any rules placed after that rule will never be reached. You need to insert (-I) them instead.

Code:
iptables -I INPUT -p tcp --dport 5222 -s 192.168.1.110 -j DROP
iptables -I INPUT -p udp --dport 5222 -s 192.168.1.110 -j DROP

So let's assume you corrected that problem.

This would prevent access to those protocols and ports for the router itself. But it would have NO EFFECT on other devices on the local network (i.e., the rest of 192.168.1.0/24). By definition, the INPUT chain always refers to the router as its destination IP.
 

dogf

Occasional Visitor
In general, if you append (-A) rules, they will have NO EFFECT, since the INPUT (and FORWARD) chain ends w/ an unconditional DROP rule. Any rules placed after that rule will never be reached. You need to insert (-I) them instead.

Code:
iptables -I INPUT -p tcp --dport 5222 -s 192.168.1.110 -j DROP
iptables -I INPUT -p udp --dport 5222 -s 192.168.1.110 -j DROP

So let's assume you corrected that problem.

This would prevent access to those protocols and ports for the router itself. But it would have NO EFFECT on other devices on the local network (i.e., the rest of 192.168.1.0/24). By definition, the INPUT chain always refers to the router as its destination IP.
So please suggest a good approach. Thank you.
 

ColinTaylor

Part of the Furniture
Are you trying to block access to these IPs/ports on the internet or your LAN?

If it's the internet you should use the Network Services Filter, that's what it's designed for.
 

eibgrad

Very Senior Member
I want to use iptables to prevent some internal IP to access to some IP, ports.

Prevent 192.168.1.110 from accessing *what* IP(s)?? As written, it will prevent access to the router on those ports. But if it's meant to prevent access to other IPs as well, is that on the LAN and/or internet? If it's the LAN, you can't use the router's IP firewall to deny access between local devices since they are bridged. The router's IP firewall only comes into play when routing is required in order for the two devices to communicate, which most often means between the LAN and WAN (i.e., internet).
 

dogf

Occasional Visitor
Prevent 192.168.1.110 from accessing *what* IP(s)?? As written, it will prevent access to the router on those ports. But if it's meant to prevent access to other IPs as well, is that on the LAN and/or internet? If it's the LAN, you can't use the router's IP firewall to deny access between local devices since they are bridged. The router's IP firewall only comes into play when routing is required in order for the two devices to communicate, which most often means between the LAN and WAN (i.e., internet).
I believe that preventing access to any IP (empty) is the same as "0.0.0.0/0". iptables is smart enough.
 

ColinTaylor

Part of the Furniture
I believe that preventing access to any IP (empty) is the same as "0.0.0.0/0". iptables is smart enough.
No. That will only block access to either the router or the internet (depending on what chain you use), it cannot block access to other devices on the LAN.

You still haven't answered the question of *what* you are trying to block access to. The router, the internet or the LAN?
 

dogf

Occasional Visitor
No. That will only block access to either the router or the internet (depending on what chain you use), it cannot block access to other devices on the LAN.

You still haven't answered the question of *what* you are trying to block access to. The router, the internet or the LAN?
I want to block access to the Internet.
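Putting eibgrad's two points together for the case dogf finally states (blocking the internet, not the LAN), here is an added example that is not from the thread: an Asuswrt-Merlin /jffs/scripts/firewall-start script that inserts (-I) rules into the FORWARD chain instead of appending to INPUT. It assumes JFFS custom scripts are enabled and that the LAN bridge interface is br0 (the usual name on Asus routers); host and port are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin itself.
# Merlin runs /jffs/scripts/firewall-start after it has built its own rules,
# so DROP rules inserted here sit ahead of the chain's final unconditional rule.
# Assumption: br0 is the LAN bridge; 192.168.1.110 and 5222 come from the thread.

LAN_HOST="192.168.1.110"
BLOCK_PORT="5222"
LAN_IF="br0"

# rule_args: prints the chain plus match/target part of the rule for one protocol.
# FORWARD (not INPUT) is the chain that sees LAN->WAN traffic; INPUT only sees
# traffic addressed to the router itself. LAN-to-LAN traffic is bridged and
# never reaches either chain, so this cannot block access between LAN devices.
rule_args() {
    printf 'FORWARD -i %s -s %s -p %s --dport %s -j DROP' \
        "$LAN_IF" "$LAN_HOST" "$1" "$BLOCK_PORT"
}

# ensure_rule: insert (-I) so the rule lands before the chain's final DROP;
# an appended (-A) rule would sit after it and never be reached.
# Checking with -C first keeps re-runs of firewall-start from stacking duplicates.
ensure_rule() {
    # shellcheck disable=SC2046  # word-splitting of rule_args is intentional
    if ! iptables -C $(rule_args "$1") 2>/dev/null; then
        iptables -I $(rule_args "$1")
    fi
}

# Only touch the live firewall when invoked with "apply"; otherwise print the
# commands that would run, which is handy for checking the rules from an SSH session.
if [ "${1:-}" = "apply" ]; then
    for proto in tcp udp; do ensure_rule "$proto"; done
else
    for proto in tcp udp; do echo "iptables -I $(rule_args "$proto")"; done
fi
```

After applying, `iptables -L FORWARD -n --line-numbers` should show both DROP rules near the top of the chain; if they appear below the chain's final DROP, they were appended rather than inserted.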
 
