AsusWRT Merlin iptables


EarlGrey

New Around Here
Hello there!

I have several (smarthome) devices that phone home while that is not necessary due to local integration. To block devices from accessing the internet I usually use the 'Block Internet Access' function in the GUI.

It seems this function uses DROP to block access. The smarthome devices do not like this approach, which results in disconnects. Using REJECT should solve this problem, so I created custom iptables rules (/jffs/scripts/firewall-start). The problem is that they do not work. Could someone have a look at what I'm missing here?

iptables -A FORWARD -s 10.0.0.69 -o lo -j ACCEPT
iptables -A FORWARD -s 10.0.0.69 -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.0.0.45 -o lo -j ACCEPT
iptables -A FORWARD -s 10.0.0.45 -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.0.0.69 -j REJECT
iptables -A FORWARD -s 10.0.0.45 -j REJECT
 

ColinTaylor

Part of the Furniture
Router model? Firmware version?

My guess is that you need to insert the rules at the beginning of the forward chain. At the moment you are appending them after the final accept.
 

dave14305

Part of the Furniture
What is the purpose of the rules accepting connections to the loopback interface (-o lo)? :confused:
 

EarlGrey

New Around Here
Router model? Firmware version?

My guess is that you need to insert the rules at the beginning of the forward chain. At the moment you are appending them after the final accept.
Apologies, that would be an Asus RT-AC68U with firmware 384.16. Could you please elaborate how to append these rules at the beginning of the forward chain?

What is the purpose of the rules accepting connections to the loopback interface (-o lo)? :confused:
I was led by the following source: https://unix.stackexchange.com/questions/396218/block-wan-access-allow-lan-access-linux-hosts
 

ColinTaylor

Part of the Furniture
Apologies, that would be an Asus RT-AC68U with firmware 384.16. Could you please elaborate how to append these rules at the beginning of the forward chain?
Use insert (-I) instead of append (-A). But I would only use the REJECT rules and leave the others out.

That's not a particularly good example to copy because they are talking about the firewall on a host, not the gateway device.
 
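Putting the advice above into a complete /jffs/scripts/firewall-start, as an added example that is not from the thread or from the Asuswrt-Merlin project: it assumes the two device addresses from the first post and that the script runs as root on the router.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (added example, not the thread author's script)
# Devices that must be cut off from the internet; addresses taken from the thread.
BLOCKED="10.0.0.69 10.0.0.45"
# iptables binary; set IPT=echo to preview the generated rules without applying them.
IPT="${IPT:-iptables}"

# Only traffic the router forwards between interfaces traverses FORWARD.
# Two hosts on the same LAN subnet talk through the switch and never hit the
# router's FORWARD chain, so the LAN-to-LAN ACCEPT rules are unnecessary, and
# '-o lo' can never match a forwarded packet. Only the REJECT rules are needed.
# They are inserted (-I) at position 1 so they sit before the chain's final
# ACCEPT instead of being appended (-A) behind it, where they are never reached.
add_reject() {
    ip="$1"
    # Remove a possible earlier copy first so re-running the script does not
    # stack duplicates; the delete is harmless when the rule is absent.
    "$IPT" -D FORWARD -s "$ip" -j REJECT 2>/dev/null
    "$IPT" -I FORWARD 1 -s "$ip" -j REJECT
}

# Apply only when actually running as root with an iptables binary available.
if [ "$(id -u)" = 0 ] && command -v "$IPT" >/dev/null 2>&1; then
    for ip in $BLOCKED; do
        add_reject "$ip"
    done
fi
```

Run it with `IPT=echo sh /jffs/scripts/firewall-start` to see the exact rules before they go live, and check the result with `iptables -L FORWARD -n --line-numbers`, where the REJECT lines should appear at the top.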
