Solved How to block almost all UDP traffic on guest network 1?

Yota

Very Senior Member
I want to apply a stricter firewall to guest network 1 to block all UDP traffic. Of course, basic service traffic like UDP 53 would be allowed, but redirected to the router itself and answered by the router's own service, not the internet (this means there is no way to masquerade as legitimate UDP traffic, as invalid requests will be dropped).

Background supplements:

I've recently purchased some IoT devices that I don't trust very much, and I can see them occasionally phoning home using UDP, maybe some sort of status check. I'd like to block traffic like that and reduce the attack surface, because I'm very sure these IoT devices work fine without UDP traffic.

What should I do to achieve it?
 

bennor

Very Senior Member
See the add-on YazFi script. It extends the features/options for WiFi Guest Networks.
Note: Currently YazFi doesn't work with AiMesh nodes.
 

Yota

Very Senior Member
See the add-on YazFi script. It extends the features/options for WiFi Guest Networks.
Note: Currently YazFi doesn't work with AiMesh nodes.
Thanks for your answer, but it won't help with configuring the firewall to block all UDP traffic.
 

eibgrad

Part of the Furniture
YazFi is probably overkill for this task. Esp. if we're talking about guest #1, since it typically uses either the 192.168.101.x (2.4GHz) or 192.168.102.x (5GHz) networks, making it easy to distinguish from the private network (unlike guest #2 and #3).

You could try the following firewall-start script.

Code:
#!/bin/sh
# Installer: writes a firewall-start script to /jffs/scripts (run once over ssh).

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p $SCRIPTS_DIR

create_script() {
# Quoted 'EOF' so the contents are written literally, without expansion.
cat << 'EOF' > $SCRIPT
#!/bin/sh
# Guest #1 subnets: reject every forwarded UDP packet except DNS (port 53).
iptables -I FORWARD -s 192.168.101.0/24 -p udp ! --dport 53 -j REJECT
iptables -I FORWARD -s 192.168.102.0/24 -p udp ! --dport 53 -j REJECT
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi
:

Set "Enable JFFS custom scripts and configs" to Yes in Administration>System, ssh into the router, copy/paste the above script, and reboot.

P.S. You might like YazFi for other reasons, but I know some users would prefer to avoid AddOns if at all possible. There's always some risk involved w/ third-party scripting. And it sometimes makes dirty upgrades less likely to succeed. But YazFi is a very nice addition if you have the need for those specific features.
 

Yota

Very Senior Member
<snip>...You could try the following firewall-start script...<snip>
Thanks, that's what I'm talking about.

However, is there a way out there to block all UDP traffic from guest network 1 using iptables?

Not just 53, I want to block all UDP requests (except UDP traffic for DHCP and DNS, but 53 will be hijacked to the router's own DNS server)


In other words, UDP is so bad that it creates a way to open firewalls for these untrusted devices, so I want to disable UDP and just use TCP, so the firewall can drop invalid packets based on TCP state.
 

eibgrad

Part of the Furniture
Thanks that's what I'm talking about.

However, is there a way out there to block all UDP traffic from guest network 1 using iptables?

Not just 53, I want to block all UDP requests (except DNS and UDP traffic for DHCP, but 53 will be hijacked to the router's own DNS server)


In other words, UDP is so bad that it creates a way to open firewalls for these untrusted devices, so I want to disable UDP and just use TCP, so the firewall can drop invalid packets based on TCP state.

That's what the script does! It denies all forwarding to the internet (WAN or VPN) for UDP purposes except DNS (port 53).
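The thread's script rejects forwarded UDP from guest #1 except port 53, and Yota additionally wants port 53 "hijacked" to the router's own resolver. The script below is an added example, not eibgrad's or Yota's code, that does both in one firewall-start: it redirects every DNS query from the guest subnets to the router with a nat-table REDIRECT (so a device with a hardcoded resolver is still answered by the router, which is the effect Yota is after from DNSFilter), and then rejects all other UDP that would be forwarded for those subnets. It assumes the same 192.168.101.0/24 and 192.168.102.0/24 subnets named in the thread; the DRY_RUN switch and the `show` argument are the example's own additions, so the rules can be inspected before they touch a live router.

```shell
#!/bin/sh
# Added example (not eibgrad's or Yota's own script): a firewall-start for
# guest network 1 that, for each guest subnet,
#   1. redirects every DNS query (UDP and TCP port 53) to the router's own
#      resolver, so a device with a hardcoded resolver is still answered by
#      the router (the "hijack 53" part of the thread);
#   2. rejects every other UDP packet the router would forward for that
#      subnet (WAN or VPN). DHCP and DNS addressed to the router itself
#      arrive via INPUT, not FORWARD, so they keep working.
# Assumptions: guest #1 uses 192.168.101.0/24 and 192.168.102.0/24 as in the
# thread; DRY_RUN=1 prints the iptables commands instead of executing them.

GUEST_NETS="192.168.101.0/24 192.168.102.0/24"
DRY_RUN="${DRY_RUN:-0}"

# Wrapper so the rule set can be inspected without root or iptables present.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules for one guest subnet; inserted at the top of their chains so they
# take precedence over the firmware's default rules.
guest_rules() {
    net="$1"
    ipt -t nat -I PREROUTING -s "$net" -p udp --dport 53 -j REDIRECT --to-ports 53
    ipt -t nat -I PREROUTING -s "$net" -p tcp --dport 53 -j REDIRECT --to-ports 53
    ipt -I FORWARD -s "$net" -p udp -j REJECT
}

install_guest_rules() {
    for net in $GUEST_NETS; do
        guest_rules "$net"
    done
}

# Quick check after a reboot: list only the rules this script is responsible for.
show_guest_rules() {
    iptables -S FORWARD | grep -E '192\.168\.10[12]\.0/24.* -p udp'
    iptables -t nat -S PREROUTING | grep -E '192\.168\.10[12]\.0/24.*--dport 53'
}

# The firmware runs /jffs/scripts/firewall-start with no arguments: apply the
# rules in that case (or when called with "apply"); "show" lists them by hand.
case "${1:-$(basename "$0")}" in
    show)                 show_guest_rules ;;
    firewall-start|apply) install_guest_rules ;;
esac
```

Save it as /jffs/scripts/firewall-start (with "Enable JFFS custom scripts and configs" set to Yes, as eibgrad describes) and reboot; `DRY_RUN=1 sh /jffs/scripts/firewall-start apply` prints the six rules without installing them, and `sh /jffs/scripts/firewall-start show` confirms they are present afterwards. Because port-53 traffic is redirected to the router before it ever reaches FORWARD, the `! --dport 53` exception from the thread's script is no longer needed: a guest device that tries a public resolver directly is answered by the router, and any other UDP it sends is rejected.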
 

Yota

Very Senior Member
That's what the script does! It denies all forwarding to the internet (WAN or VPN) for UDP purposes except DNS (port 53).
I don't know anything about iptables; I thought it was just rejecting UDP 53. Thanks for the explanation, this looks great. This workaround is very simple, just two lines of code, and I think when combined with DNSFilter's global filter it will work great. Thanks a lot.
 

Yota

Very Senior Member
Like to keep things simple, thanks again


Code:
if [ -f /jffs/scripts/firewall-start ]; then echo 'error: firewall-start already exists; requires manual installation'; else printf '#!/bin/sh\niptables -I FORWARD -s 192.168.101.0/24 -p udp ! --dport 53 -j REJECT\niptables -I FORWARD -s 192.168.102.0/24 -p udp ! --dport 53 -j REJECT\n' > /jffs/scripts/firewall-start; chmod 0755 /jffs/scripts/firewall-start; echo 'Done.'; fi
 

thecheapseats

Senior Member
<snip>...You could try the following firewall-start script...<snip>

<snip>...And it sometimes makes dirty upgrades less likely to succeed...<snip>
thanks for that script @eibgrad - I'll take the advisement, re: dirty upgrades - as I do so few... well worth the tradeoff...
 
