Menu
What's new
By:
Filters Better Search

Asus RT-AC3100, Merlin, how to use iptables to prevent access to port/ip

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

D

dogf

Occasional Visitor
Hi,

I am using RT-AC3100, Merlin 386_3_2. I want to use iptables to prevent some internal IP to access to some IP, ports. But it does not work.

The internal IP is: 192.168.1.110
I want to prevent it to access to any address, tcp/udp, port 5222, I use these commands:

iptables -A INPUT -p tcp --dport 5222 -s 192.168.1.110 -j DROP
iptables -A INPUT -p udp --dport 5222 -s 192.168.1.110 -j DROP

But it does not work. :(.

Please help.
 
In general, if you append (-A) rules, they will have NO EFFECT, since the INPUT (and FORWARD) chain ends w/ an unconditional DROP rule. Any rules placed after that rule will never be reached. You need to insert (-I) them instead.

Code: 
iptables -I INPUT -p tcp --dport 5222 -s 192.168.1.110 -j DROP
iptables -I INPUT -p udp --dport 5222 -s 192.168.1.110 -j DROP

So let's assume you corrected that problem.

This would prevent access to those protocols and ports for the router itself. But it would have NO EFFECT on other devices on the local network (i.e., the rest of 192.168.1.0/24). By definition, the INPUT chain alway refers to the router as its destination IP.
 
eibgrad said:
In general, if you append (-A) rules, they will have NO EFFECT, since the INPUT (and FORWARD) chain ends w/ an unconditional DROP rule. Any rules placed after that rule will never be reached. You need to insert (-I) them instead.

Code: 
iptables -I INPUT -p tcp --dport 5222 -s 192.168.1.110 -j DROP
iptables -I INPUT -p udp --dport 5222 -s 192.168.1.110 -j DROP

So let's assume you corrected that problem.

This would prevent access to those protocols and ports for the router itself. But it would have NO EFFECT on other devices on the local network (i.e., the rest of 192.168.1.0/24). By definition, the INPUT chain alway refers to the router as its destination IP.
Click to expand...
So please suggest a good approache. Thank you.
 
Are you trying to block access to these IPs/ports on the internet or your LAN?

If it's the internet you should use the Network Services Filter, that's what it's designed for.
 
dogf said:
I want to use iptables to prevent some internal IP to access to some IP, ports.
Click to expand...

Prevent 192.168.1.110 from accessing *what* IP(s)?? As written, it will prevent access to the router on those ports. But if it's meant to prevent access to other IPs as well, is that on the LAN and/or internet? If it's the LAN, you can't use the router's IP firewall to deny access between local devices since they are bridged. The router's IP firewall only comes into play when routing is required in order for the two devices to communicate, which most often means between the LAN and WAN (i.e., internet).
 
eibgrad said:
Prevent 192.168.1.110 from accessing *what* IP(s)?? As written, it will prevent access to the router on those ports. But if it's meant to prevent access to other IPs as well, is that on the LAN and/or internet? If it's the LAN, you can't use the router's IP firewall to deny access between local devices since they are bridged. The router's IP firewall only comes into play when routing is required in order for the two devices to communicate, which most often means between the LAN and WAN (i.e., internet).
Click to expand...
I believe that prevent access to any IP (empty) is similar to "0.0.0.0/0". iptables is smart enough
 
dogf said:
I believe that prevent access to any IP (empty) is similar to "0.0.0.0/0". iptables is smart enough
Click to expand...
No. That will only block access to either the router or the internet (depending on what chain you use), it cannot block access to other devices on the LAN.

You still haven't answered the question of *what* you are trying to block access to. The router, the internet or the LAN?
 
ColinTaylor said:
No. That will only block access to either the router or the internet (depending on what chain you use), it cannot block access to other devices on the LAN.

You still haven't answered the question of *what* you are trying to block access to. The router, the internet or the LAN?
Click to expand...
I want to block to the Internet.
 
You must log in or register to reply here.

Similar threads

SkierInAvon
Asus Merlin - iptables command (not working?)
Replies
8
Views
544
SkierInAvon
SkierInAvon
H
Solved Beginners firewall question.
Replies
6
Views
784
Henk-J
H
GShlomi
Sharing my DualWan with port forwarding and DDNS experience
Replies
0
Views
133
GShlomi
GShlomi
G
VPN Client with Public IP, split tunnel web server over VPN and other traffic not on the VPN
Replies
4
Views
398
Grefyne
G
R
Script to detect backup wan and disable certain devices from internet access
Replies
0
Views
332
RandomUser777
R
Similar threads
Thread starter Title Forum Replies Date
B Asus AC3100 router 5GHz issue (router dying?) Asuswrt-Merlin 4
C Question: ASUS RT-AC3100 to SonicWall VPN Setip Asuswrt-Merlin 0
B Asus RT-AC5300 and ExpressVPN Asuswrt-Merlin 8
T Asus RT-AX86U vs RT-AX68U (with Merlin cake SQM) Asuswrt-Merlin 9
Coldblackice Does ASUS Merlin's QoS consider DSCP? Asuswrt-Merlin 3
JA93 iVentoy on Asus Merlin Asuswrt-Merlin 1
M [🙏 Feature request For Asus Merlin] Add Public WiFi Mode for GT-AX11000 Asuswrt-Merlin 7
A Asus Merlin 388.6_2 VPN-Director Asuswrt-Merlin 5
S Issues compiling Realtek RTL8156 (r8152) driver for ASUS RT-AX86U Asuswrt-Merlin 2
D Asus XT8 HW1 & HW2 Asus-wrt Merlin GNUton Asuswrt-Merlin 1

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 766 (members: 25, guests: 741)
Top