What's new

Solved How to block almost all UDP traffic on guest network 1?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Yota

Very Senior Member
I want to apply a stricter firewall for the guest network 1, to block all UDP traffic, of course basic services traffic like UDP 53 would be allowed, but, redirected to the router itself and answered by the router's own service, not the internet (this means that there is no way to masquerade as legitimate UDP traffic, as invalid requests will be dropped).

Background supplements:

I've recently purchased some IoT devices that I don't trust very much, and I can see them occasionally phoning home using udp, maybe some sort of status check, I'd like to block traffic like that, and reduce the attack surface because I'm very sure, these IoT devices work fine without UDP traffic.

What should I do to achieve it?
 
Last edited:
See the add-on YazFi script. It extends the features/options for WiFi Guest Networks.
Note: Currently YazFi doesn't work with AiMesh nodes.
 
See the add-on YazFi script. It extends the features/options for WiFi Guest Networks.
Note: Currently YazFi doesn't work with AiMesh nodes.
Thanks for your answer, but it won't help configuring the firewall to block all UDP traffic.
 
Thanks for your answer, but it won't help configuring the firewall to block all UDP traffic.
Why not use the custom firewall rules option in YazFi to drop UDP traffic for Guest Network clients?
 
YazFi is probably overkill for this task. Esp. if we're talking about guest #1, since it typically uses either the 192.168.101.x (2.4GHz) or 192.168.102.x (5GHz) networks, making it easy to distinguish from the private network (unlike guest #2 and #3).

You could try the following firewall-start script.

Code:
#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p $SCRIPTS_DIR

create_script() {
cat << 'EOF' > $SCRIPT
#!/bin/sh
iptables -I FORWARD -s 192.168.101.0/24 -p udp ! --dport 53 -j REJECT
iptables -I FORWARD -s 192.168.102.0/24 -p udp ! --dport 53 -j REJECT
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi
:

Set "Enable JFFS custom scripts and configs" to Yes in Administration>System, ssh into the router, copy/paste the above script, and reboot.

P.S. You might like YazFi for other reasons, but I know some users would prefer to avoid AddOns if at all possible. There's always some risk involved w/ third-party scripting. And it sometimes makes dirty upgrades less likely to succeed. But YazFi is a very nice addition if you have the need for those specific features.
 
Last edited:
YazFi is probably overkill for this task. Esp. if we're talking about guest #1, since it typically uses either the 192.168.101.x (2.4GHz) or 192.168.102.x (5GHz) networks, making it easy to distinguish from the private network (unlike guest #2 and #3).

You could try the following firewall-start script.

Code:
#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p $SCRIPTS_DIR

create_script() {
cat << 'EOF' > $SCRIPT
#!/bin/sh
iptables -I FORWARD -s 192.168.101.0/24 -p udp ! --dport 53 -j REJECT
iptables -I FORWARD -s 192.168.102.0/24 -p udp ! --dport 53 -j REJECT
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi
:

Set "Enable JFFS custom scripts and configs" to Yes in Administration>System, ssh into the router, copy/paste the above script, and reboot.

P.S. You might like YazFi for other reasons, but I know some users would prefer to avoid AddOns if at all possible. There's always some risk involved w/ third-party scripting. And it sometimes makes dirty upgrades less likely to succeed. But YazFi is a very nice addition if you have the need for those specific features.
Thanks that's what I'm talking about.

However, is there a way out there to block all UDP traffic from guest network 1 using iptables?

Not just 53, I want to block all UDP requests (except UDP traffic for DHCP and DNS, but 53 will be hijacked to the router's own DNS server)


In other words, UDP is so bad that it creates a way to open firewalls for these untrusted devices, so I want to disable UDP and just use TCP, so the firewall can drop invalid packets based on TCP state.
 
Thanks that's what I'm talking about.

However, is there a way out there to block all UDP traffic from guest network 1 using iptables?

Not just 53, I want to block all UDP requests (except DNS and UDP traffic for DHCP, but 53 will be hijacked to the router's own DNS server)


In other words, UDP is so bad that it creates a way to open firewalls for these untrusted devices, so I want to disable UDP and just use TCP, so the firewall can drop invalid packets based on TCP state.

That's what the script does! It denies all forwarding to the internet (WAN or VPN) for UDP purposes except DNS (port 53).
 
That's what the script does! It denies all forwarding to the internet (WAN or VPN) for UDP purposes except DNS (port 53).
I don't know anything about iptables, I thought it was just rejecting UDP 53, thanks for the explanation, this looks great, this workaround is very simple, just two lines of code, I think when combined with DNSFilter's global filter it works will work great, thanks a lot.
 
Like to keep things simple, thanks again


Code:
if [ -f /jffs/scripts/firewall-start ]; then echo 'error: firewall-start already exists; requires manual installation'; else printf '#!/bin/sh\niptables -I FORWARD -s 192.168.101.0/24 -p udp ! --dport 53 -j REJECT\niptables -I FORWARD -s 192.168.102.0/24 -p udp ! --dport 53 -j REJECT\n' > /jffs/scripts/firewall-start; chmod 0755 /jffs/scripts/firewall-start; echo 'Done.'; fi
 
Last edited:
<snip>...You could try the following firewall-start script...<snip>

<snip>...And it sometimes makes dirty upgrades less likely to succeed...<snip>
thanks for that script @eibgrad - I'll take the advisement, re: dirty upgrades - as I do so few... well worth the tradeoff...
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top