Blocking IP Range

Now that I'm looking more into this I ran across a server list that uses REJECT and not DROP, which they said is a better solution. They also use the following.

iptables -A OUTPUT -o br0 -d IP-HERE -j REJECT

Whereas I was using.

iptables -i br0 -A INPUT -s IP-HERE -j DROP
But have now changed to REJECT.

My question is which way is better? One saying OUTPUT and one INPUT is where I think I'm confused this time.
 
REJECT means you will return a connection refused reply back.

DROP means you silently ignore the packet, and the other end will wait until its connection attempt times out.

First one is "cleaner", second one is "stealthier". Depends on your particular need in this case.
 
And what about INPUT vs OUTPUT? Does that make any difference?

They're two totally different tables. INPUT is traffic coming to the router, and OUTPUT is traffic leaving your router. So, it depends what you are actually trying to do.
 
So I would need to use INPUT to block connections to IPs coming in from my modem, correct?

OUTPUT would be used to block ME trying to connect to a specified IP?
 
In a nutshell, yes.
 
Does this method not work with blocking website based ads?

You would have to put a LOT of rules, which would significantly reduce traffic performance. Every single packet would have to be checked against every single rule.
 
Well yeah. I'm asking because I added all of doubleclick's domains that I could find listed yet I can still see the ads loading on webpages when I disable AdBlock. And the ads point to domain names I've listed to reject.

Specifically this one: iptables -o br0 -A OUTPUT -s ad-g.doubleclick.net -j REJECT

Any suggestions would be greatly appreciated.
 
Your traffic output goes through eth0, NOT br0 (which is the LAN, and therefore the inbound in your case).
 
Your last rule tries to block doubleclick as if it was a source, while it's in fact a destination.
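
Added example, not part of the thread or any poster's code: a small Python model of how the chain, interface and -s/-d options decide whether a rule ever sees a packet, applied to the shape of the doubleclick rule posted above. It goes slightly beyond the thread by also modelling the FORWARD chain, which standard netfilter uses for traffic routed through the router from LAN clients; all addresses are constructed, and the br0/eth0 interface roles are taken from the replies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values: router LAN/WAN addresses and an ad server in a documentation range.
ROUTER_ADDRS = {"192.168.1.1", "198.51.100.2"}
AD_SERVER = "203.0.113.10"

@dataclass
class Packet:
    src: str
    dst: str
    in_if: Optional[str] = None   # None: generated by the router itself
    out_if: Optional[str] = None  # None: delivered to the router itself

@dataclass
class Rule:
    chain: str
    src: Optional[str] = None     # -s, address or CIDR range
    dst: Optional[str] = None     # -d, address or CIDR range
    in_if: Optional[str] = None   # -i
    out_if: Optional[str] = None  # -o

def chain_for(pkt: Packet) -> str:
    """Filter-table chain the packet traverses on the router."""
    if pkt.src in ROUTER_ADDRS:
        return "OUTPUT"    # sent by the router itself
    if pkt.dst in ROUTER_ADDRS:
        return "INPUT"     # addressed to the router itself
    return "FORWARD"       # routed through, e.g. LAN client to Internet

def _in_range(addr: str, spec: Optional[str]) -> bool:
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule sits in the packet's chain and every given option matches."""
    return (rule.chain == chain_for(pkt)
            and _in_range(pkt.src, rule.src) and _in_range(pkt.dst, rule.dst)
            and rule.in_if in (None, pkt.in_if)
            and rule.out_if in (None, pkt.out_if))

# A LAN client fetching an ad: enters on br0 (LAN), leaves on eth0 (WAN).
lan_to_ad = Packet("192.168.1.100", AD_SERVER, in_if="br0", out_if="eth0")
# Shape of the rule posted in the thread: OUTPUT chain, -o br0, ad server as -s.
posted = Rule("OUTPUT", src=AD_SERVER, out_if="br0")
# Ad server as destination, egress eth0, in the chain the packet actually traverses.
fixed = Rule("FORWARD", dst="203.0.113.0/24", out_if="eth0")

if __name__ == "__main__":
    print(chain_for(lan_to_ad), matches(posted, lan_to_ad), matches(fixed, lan_to_ad))
```

The model only covers chain selection and the four match options discussed in the thread; it does not cover hostname resolution, which iptables performs once when the rule is inserted.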
 
