"MAC address White-List" script fails in Merlin


list

New Around Here
Hello,

Asus RT-AC88u
Merlin version 386.2_4

I'm switching from dd-wrt to Merlin.
Unfortunately, I can't get my dd-wrt "MAC address White-List" script to run in Merlin.
It works for dd-wrt, but fails for Merlin.

Below is my "White List" firewall script.
It grants access to devices with MAC addresses contained in its list, and blocks all other devices.
This script filters traffic on *ALL* networks: LAN, WiFi, and GUEST.
Code:
#!/bin/sh

# NOTE: This script is based on "forum.dd-wrt.com/phpBB2/viewtopic.php?t=328075&highlight=man+whitelist"

# Initial setup (install kernel module, create chain, etc.)
insmod      xt_comment   #allow iptables comments: "-m comment ..." (needed by Asus Merlin only)
iptables -N MAC_WhiteList                           -m comment --comment "Create user-defined MAC_WhiteList chain"
iptables -A MAC_WhiteList -j DROP -s 169.254.0.0/16 -m comment --comment "Appends jump: DROP 169.254.0.0/16 to MAC_WhiteList chain.  (169.254.x.x allows communication between devices without using DHCP/static IP addresses.)"

# Device(s) (MAC address rules):
iptables -A MAC_WhiteList -j RETURN -m mac --mac-source <MAC address-1> -m comment --comment "device-1"
iptables -A MAC_WhiteList -j RETURN -m mac --mac-source <MAC address-2> -m comment --comment "device-2"
iptables -A MAC_WhiteList -j RETURN -m mac --mac-source <MAC address-3> -m comment --comment "device-3"

# Interface rules
iptables -A MAC_WhiteList -j DROP                 -m comment --comment "Append jump: DROP to bottom of MAC_WhiteList chain"
iptables -I FORWARD 1     -j MAC_WhiteList -i br0 -m comment --comment "Prepend jump: MAC_WhiteList br0 LAN/WiFi           interface to top of FORWARD chain"
iptables -I INPUT   1     -j MAC_WhiteList -i br0 -m comment --comment "Prepend jump: MAC_WhiteList br0 LAN/WiFi           interface to top of INPUT chain"
iptables -I FORWARD 1     -j MAC_WhiteList -i br1 -m comment --comment "Prepend jump: MAC_WhiteList br1 2.4 GHz GUEST WiFi interface to top of FORWARD chain"
iptables -I INPUT   1     -j MAC_WhiteList -i br1 -m comment --comment "Prepend jump: MAC_WhiteList br1 2.4 GHz GUEST WiFi interface to top of INPUT chain"
iptables -I FORWARD 1     -j MAC_WhiteList -i br2 -m comment --comment "Prepend jump: MAC_WhiteList br2 5.0 GHz GUEST WiFi interface to top of FORWARD chain"
iptables -I INPUT   1     -j MAC_WhiteList -i br2 -m comment --comment "Prepend jump: MAC_WhiteList br2 5.0 GHz GUEST WiFi interface to top of INPUT chain"
Modifications to move this script to Merlin:
1) Changed the interface names to br0, br1, and br2.
("route -n" gives the names of the interfaces as: br0 (LAN/WiFi), br1 (2.4GHz), and br2 (5.0GHz).)
2) Added "insmod xt_comment" to allow comments in the iptables.

To install this script, I "scp" it into the router to "/jffs/script/firewall.user". Then ssh login, and make it executable.
I manually run it, and get no errors.
Next, reboot. ssh login again. Check that the rules have loaded by "iptables -L -v -n". All rules have loaded.
Then I test it with one device on the MAC filter list, and another device not on the MAC filter list.
Unfortunately, it allows *ALL* devices access to the internet. No device is blocked.

I'd appreciate any guidance as to what I'm doing wrong in my Merlin port.

Thank you.

dave14305

Part of the Furniture
To install this script, I "scp" it into the router to "/jffs/script/firewall.user". Then ssh login, and make it executable.
I manually run it, and get no errors.
Next, reboot. ssh login again. Check that the rules have loaded by "iptables -L -v -n". All rules have loaded.
Is your script being called by /jffs/scripts/firewall-start? firewall.user has no meaning in Merlin, so it needs to be called from within firewall-start.
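An added example (not the poster's script, and not code from the Merlin project): the same whitelist rewritten as a /jffs/scripts/firewall-start that can be re-run safely. Merlin runs firewall-start again whenever the firewall is restarted, so a script that only does `iptables -N` and `-I` fails on the second run ("chain already exists") and stacks duplicate jump rules; this version flushes the chain and deletes old jumps first. The two MAC addresses are constructed placeholders; the bridge names br0/br1/br2 are the ones reported in the thread.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (added example): idempotent MAC whitelist for Asus Merlin.
# Set IPT=echo to dry-run and only print the iptables commands that would be executed.
IPT="${IPT:-iptables}"
CHAIN="MAC_WhiteList"
IFACES="br0 br1 br2"            # LAN/WiFi, 2.4 GHz guest, 5 GHz guest (names from "route -n")
ALLOWED_MACS="
00:11:22:33:44:55
66:77:88:99:aa:bb
"                               # constructed placeholder addresses, one per line

# A MAC typo silently locks that device out, so validate each entry (6 colon-separated hex octets).
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

apply_whitelist() {
    # -N fails if the chain already exists (script re-run); in that case flush it instead.
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    # Delete jumps left over from a previous run so they are not inserted twice.
    for i in $IFACES; do
        for c in INPUT FORWARD; do
            $IPT -D "$c" -i "$i" -j "$CHAIN" 2>/dev/null
        done
    done
    # Drop link-local traffic, then RETURN (allow) listed MACs, then drop everything else.
    $IPT -A "$CHAIN" -s 169.254.0.0/16 -j DROP
    for mac in $ALLOWED_MACS; do
        valid_mac "$mac" || { echo "firewall-start: bad MAC '$mac'" >&2; return 1; }
        $IPT -A "$CHAIN" -m mac --mac-source "$mac" -j RETURN
    done
    $IPT -A "$CHAIN" -j DROP
    # Send traffic from every bridge through the chain, at the top of INPUT and FORWARD.
    for i in $IFACES; do
        for c in INPUT FORWARD; do
            $IPT -I "$c" 1 -i "$i" -j "$CHAIN"
        done
    done
}

# Only apply rules when actually installed as firewall-start (not when sourced for testing).
case "$0" in
    */firewall-start|firewall-start) apply_whitelist ;;
esac
```

Check the result afterwards with `iptables -L MAC_WhiteList -v -n`: the per-MAC RETURN counters should rise only for the listed devices, and the final DROP counter for everything else.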

list

New Around Here
Hello dave14305,
Thank you for your reply.

Based on your file naming information:
I placed my firewall script in "/jffs/scripts/firewall-start".
Rebooted. Listed the firewall rules with "iptables -L -v -n | more". The new rules from "/jffs/scripts/firewall-start" were present.
Tested the device access. It worked! MAC filtering worked.

* Question:
The directory "/jffs/scripts/" was initially EMPTY. There was no *SYSTEM* file named "/jffs/scripts/firewall-start".
So I just named my *CUSTOM* file "/jffs/scripts/firewall-start".
Shouldn't there exist a *SYSTEM* file into which I add a call to my *CUSTOM* file?
Is it safe for me to name my *CUSTOM* file "/jffs/scripts/firewall-start"?

Again, thanks for the help. Much appreciated.

dave14305

Part of the Furniture
Shouldn't there exist a *SYSTEM* file into which I add a call to my *CUSTOM* file?
No, since they're optional. They are invoked if they exist, but not otherwise.
Wiki:

list

New Around Here
Hello dave14305,
Thank you for the instructive link, and for the help solving my problem.