@FreshJR Can you double check that. In John's firmware it only blocks LAN to WAN, not WAN to LAN.
The reason being that the netfilter rules generated include the in-interface and out-interface. Here is the rule generated if I try to block a source address of 1.2.3.4 and a destination of 192.168.1.33.
-A FORWARD -s 1.2.3.4/32 -d 192.168.1.33/32 -i br0 -o eth0 -p tcp -j DROP
@colin & @digdesdev, you are correct. Now, the second time around, when I checked iptables I actually did see the "-i br0 -o eth0" specification within the NSFW chain's individual rules. The main FORWARD rule responsible for directing traffic into the NSFW chain does not limit via interface!
So OP was correct. Netfilter:
1) is only performing LAN -> WAN filtering
2) is not performing WAN -> LAN filtering
3) is not performing filtering on locally destined/generated router traffic.
Thanks for notifying me of this shortcoming!!! Redacted my previous post.
I originally thought it was both directions since the initial rule directing traffic into the NSFW chain had ANY as the interfaces listed.
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source     destination
    0     0 NSFW    all  --  any  any  anywhere   anywhere
I now see that they DO specify interfaces within the individual rules within NSFW chain!
Code:
Chain NSFW (2 references)
 pkts bytes target  prot opt in   out  source         destination
    0     0 DROP    tcp  --  br0  eth0 192.168.2.100  anywhere
EDIT:
OP, if you already have firewall-start created (from installing other scripts), you can use the following code.
Code:
echo 'iptables -D FORWARD -s 75.75.75.75/32 -d 192.168.1.100/32 -j DROP' >> /jffs/scripts/firewall-start
echo 'iptables -A FORWARD -s 75.75.75.75/32 -d 192.168.1.100/32 -j DROP' >> /jffs/scripts/firewall-start
If you do not have firewall-start created you can use the following code. (NOTE: This will overwrite the existing firewall-start if it exists.)
Code:
echo '#!/bin/sh' > /jffs/scripts/firewall-start
echo 'iptables -D FORWARD -s 75.75.75.75/32 -d 192.168.1.100/32 -j DROP' >> /jffs/scripts/firewall-start
echo 'iptables -A FORWARD -s 75.75.75.75/32 -d 192.168.1.100/32 -j DROP' >> /jffs/scripts/firewall-start
chmod 755 /jffs/scripts/firewall-start
Look up a CIDR calculator to define IP ranges.
"-s" = block these originating IP ranges
"-d" = if they are directed towards these destination IP ranges
--
If you want to limit by destination ports instead of destination IPs I can provide the alternative syntax.
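To check a router's own listing for exactly the shortcoming discussed in this thread (rules carrying "-i br0 -o eth0" only ever match LAN -> WAN), here is a small audit script I put together as an added example; it is not part of the firmware or of anyone's post above. It parses `iptables -L -v` style output (the constructed sample mirrors the listings in the thread) and reports which forwarding direction each DROP rule can cover; the interface names br0/eth0 are assumed, as in the thread.

```python
import re

# Constructed sample of `iptables -L -v` output, modelled on the thread's listing:
# FORWARD hands everything to NSFW, whose rules carry "-i br0 -o eth0", plus one
# unrestricted DROP like the firewall-start lines add.
SAMPLE_LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out  source        destination
    0     0 NSFW   all  --  any any  anywhere      anywhere
    0     0 DROP   all  --  any any  75.75.75.75   192.168.1.100

Chain NSFW (2 references)
 pkts bytes target prot opt in  out  source        destination
    0     0 DROP   tcp  --  br0 eth0 192.168.2.100 anywhere
"""

LAN_IF, WAN_IF = "br0", "eth0"   # assumed interface names, as in the thread
WILDCARD = {"any", "*"}          # `-L` prints "any", `-L -n` prints "*"


def parse_listing(text):
    """Return one dict per rule from `iptables -L -v` style output."""
    rules, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        cols = line.split()
        if len(cols) < 9 or cols[0] == "pkts":
            continue                      # blank line or column header
        _, _, target, prot, _, inif, outif, src, dst = cols[:9]
        rules.append(dict(chain=chain, target=target, prot=prot,
                          inif=inif, outif=outif, src=src, dst=dst))
    return rules


def direction(rule):
    """Classify which forwarding direction a rule can ever match."""
    i, o = rule["inif"], rule["outif"]
    if i in WILDCARD and o in WILDCARD:
        return "both"
    if i == LAN_IF and o == WAN_IF:
        return "lan_to_wan"
    if i == WAN_IF and o == LAN_IF:
        return "wan_to_lan"
    return "other"


def audit_drops(text):
    """List every DROP rule as (chain, src, dst, direction it covers)."""
    return [(r["chain"], r["src"], r["dst"], direction(r))
            for r in parse_listing(text) if r["target"] == "DROP"]
```

Run it against the real output of `iptables -L -v` on the router; any DROP that comes back as "lan_to_wan" is a rule that never sees inbound WAN -> LAN traffic.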