
[SOLVED] Asus boot up wont call iptables command script

Discussion in 'Asuswrt-Merlin' started by alienx2, Jul 10, 2018.

  1. alienx2

    alienx2 Regular Contributor

    Joined:
    Dec 10, 2015
    Messages:
    54
    I'm having a problem with Asus boot-up: it can't call a one-line command.

    I added one line to a script in /jffs/scripts/post-mount:
    Code:
    iptables -I FORWARD -i br0 -m set ! --match-set NAME src,src -j REJECT
    (other lines like ipset, etc. were working, but 'iptables' was not working)

    After boot-up, I enter "iptables --list"... I wonder why it's not in the list.
    I also tested with 'sh run.sh'; it's not working on boot-up.

    I tried entering that line manually; it's working and in the list. Can anyone help?

    I'm running this script on an Asus AC66U.
     
  3. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    707
    Have you set the execution bit?

    Code:
    chmod +x /jffs/scripts/post-mount
     
    daviworld likes this.
  4. alienx2

    alienx2 Regular Contributor

    Joined:
    Dec 10, 2015
    Messages:
    54
    Yes, I did that, but the problem is iptables.
     
  5. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    707
    You said it works fine if you do it manually, what makes you think the problem is with iptables?
     
  6. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    707
    And why use post-mount as opposed to firewall-start?
     
  7. Zastoff

    Zastoff Regular Contributor

    Joined:
    Nov 21, 2017
    Messages:
    126
    Location:
    Sweden
    Custom scripts and configs enabled in the GUI?
     
    daviworld and kfp like this.
  8. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,781
    Location:
    United States
    Check your syntax... MIPS routers use an earlier version of iptables. It's not --match-set, it's --set.
     
    daviworld and kfp like this.
  9. alienx2

    alienx2 Regular Contributor

    Joined:
    Dec 10, 2015
    Messages:
    54
    post-mount or firewall-start... it doesn't work with iptables.

    Yes, it's enabled. post-mount is working for running other commands than iptables.

    But I did test that line manually and it works fine; when I put iptables in post-mount or firewall-start it is not working.
     
  10. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    707
    Are the scripts actually executed? You should be able to see this in the syslog.

    Also, maybe post the entire script? Sounds like you have other things going on in here and maybe it’s just exiting prematurely.
     
  11. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,256
    Location:
    Canada
    Don't use post-mount, your rule will be lost every time the firewall is reconfigured.
     
    daviworld likes this.
  12. alienx2

    alienx2 Regular Contributor

    Joined:
    Dec 10, 2015
    Messages:
    54
    Yes, the script executes and works without iptables. After it executes, the rule is not in the iptables list.

    Thanks, but firewall-start does not work with iptables; I tried it, like this:
    Code:
    #!/bin/sh
    
    iptables -I FORWARD -i br0 -m set ! --match-set NAME src,src -j REJECT
    with "chmod a+rx /jffs/scripts/*"
     
  13. alienx2

    alienx2 Regular Contributor

    Joined:
    Dec 10, 2015
    Messages:
    54
    @RMerlin @kfp
    I can't find it on Google, and there are many similar problems with calling iptables from a script in this forum, still with no solution.

    So now I found a solution. All you need is to use the full path if you call iptables in custom scripts; it works with firewall-start, nat-start, service-start, etc. It's only valid on routers with Asuswrt-Merlin. Here is the solution:

    Before:
    iptables -I FORWARD -i br0 -m set ! --match-set NAME src,src -j REJECT

    After:
    /opt/sbin/iptables -I FORWARD -i br0 -m set ! --match-set NAME src,src -j REJECT

    Now it can call iptables to add the rule.
     
  14. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    991
    I have never used the full path with iptables. What is your rule supposed to do?
    I'm not sure iptables includes "REJECT", only DROP, logdrop and logaccept.
     
    Last edited: Jul 14, 2018
  15. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,756
    Location:
    UK
    There's your problem. You're not using the router's built-in version of iptables, and you're having to do that because you're not using the correct syntax as pointed out in post #7. It works from the command line because the default search path in the interactive environment includes entware (/opt/sbin), the custom scripts don't. Having different versions of the same command installed is a recipe for confusion.
     
    Last edited: Jul 14, 2018
  16. alienx2

    alienx2 Regular Contributor

    Joined:
    Dec 10, 2015
    Messages:
    54
    I prefer iptables to the Asus GUI for MAC address filtering. My old router, an AC66U, can handle 200+ devices instead of a RADIUS server. It won't slow down or freeze.

    My old router AC66U is running the old version of iptables along with Entware-ng.
     
  17. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,756
    Location:
    UK
    Exactly. The built-in iptables command is in /usr/sbin.
     
    alienx2 likes this.
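A firewall-start script that applies the thread's advice together: the router's built-in /usr/sbin/iptables named explicitly (posts #15 and #17) instead of whatever PATH resolves, the --set versus --match-set difference on older MIPS builds (post #7), and re-applying the rule on every firewall restart (post #11). This is an added example, not code from the thread or from Asuswrt-Merlin; the set name NAME, the probe of `iptables -m set --help` to choose the option, and the /jffs/scripts guard are assumptions.

```sh
#!/bin/sh
# Added example for /jffs/scripts/firewall-start (not from the thread).
# Custom scripts do not get Entware's /opt/sbin in PATH, so name the
# router's built-in binary explicitly instead of relying on lookup.
IPT="${IPT:-/usr/sbin/iptables}"
SETNAME="${SETNAME:-NAME}"   # ipset name from the thread; assumed to exist

# Decide between the old "--set" (MIPS builds) and the newer "--match-set"
# ipset option by reading the text of "iptables -m set --help" from stdin.
ipset_flag_from_help() {
    if grep -q -- '--match-set'; then
        printf '%s\n' '--match-set'
    else
        printf '%s\n' '--set'
    fi
}

ipset_flag() {
    "$IPT" -m set --help 2>&1 | ipset_flag_from_help
}

# Rule words after the chain name, reused for both -D and -I so the
# script stays idempotent when firewall-start runs again.
rule_spec() {
    printf '%s\n' "FORWARD -i br0 -m set ! $1 $SETNAME src,src -j REJECT"
}

apply_rule() {
    flag=$(ipset_flag)
    spec=$(rule_spec "$flag")
    # Remove earlier copies first: -D exists on every iptables version,
    # unlike -C, which the older builds lack. Word splitting is intended.
    while "$IPT" -D $spec 2>/dev/null; do :; done
    if "$IPT" -I $spec; then
        logger -t firewall-start "inserted FORWARD rule for set $SETNAME ($flag)"
    else
        logger -t firewall-start "failed to insert rule for set $SETNAME; does the ipset exist?"
        return 1
    fi
}

# Only act on the router itself (assumed marker: /jffs/scripts exists);
# elsewhere the functions are merely defined.
if [ -d /jffs/scripts ] && [ -x "$IPT" ]; then
    apply_rule
fi
```

Running `logread | grep firewall-start` after a firewall restart shows whether the insert succeeded, which answers kfp's syslog question in post #10.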
  18. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,781
    Location:
    United States
    iptables is tightly coupled to the kernel... If it was believed it could be done safely, it would have been updated, just as is done with other components like dnsmasq, miniupnpd, etc.
     