[SOLVED] Asus boot up wont call iptables command script

[alienx2]

Im having problem with Asus boot up cant call command one line.

i added to one script in /jffs/scripts/post-mount:

iptables -I FORWARD -i br0 -m set ! --match-set NAME src,src -j REJECT

(other lines like ipset,etc was working but ‘iptables' not working)

after boot up, i enter “iptables —list”… i wonder why its not on list..
even also tested with ‘sh run.sh’ not working on boot up.

i tried enter that line by manual.. its working and on list… any one help?

im running this script on Asus AC66U..

 

[kfp]

Have you set the execution bit?

chmod +x /jffs/scripts/post-mount

 

[alienx2]

Have you set the execution bit?

chmod +x /jffs/scripts/post-mount

yes i did that but problem is iptables..

 

[kfp]

yes i did that but problem is iptables..

You said it works fine if you do it manually, what makes you think the problem is with iptables?

 

[kfp]

And why use post-mount as opposed to firewall-start?

 

[Zastoff]

Custom scripts and configs enabled in gui?

 

[john9527]

im running this script on Asus AC66U

check your syntax....MIPS routers use an earlier version of iptables. It's not --match-set, it's --set

 

[alienx2]

You said it works fine if you do it manually, what makes you think the problem is with iptables?

And why use post-mount as opposed to firewall-start?

post-mount or firewall-start… it doesnt work with iptables…

Custom scripts and configs enabled in gui?

Yes its enable.. post-mount is working to run with other command than iptables.

check your syntax....MIPS routers use an earlier version of iptables. It's not --match-set, it's --set

but i did tested that line with manual working fine but i put iptables in post-mount or firewall-start is not working.

 

[kfp]

post-mount or firewall-start… it doesnt work with iptables…

Are the scripts actually executed? You should be able to see this in the syslog.

Also, maybe post the entire script? Sounds like you have other things going on in here and maybe it’s just exiting prematurely.

 

[RMerlin]

Don't use post-mount, your rule will be lost every time the firewall is reconfigured.

 

[alienx2]

Are the scripts actually executed? You should be able to see this in the syslog.

Also, maybe post the entire script? Sounds like you have other things going on in here and maybe it’s just exiting prematurely.

yes the script executed works without iptables. after execute, rule is not on iptables list.

Don't use post-mount, your rule will be lost every time the firewall is reconfigured.

thanks but firewall-start is not work with iptables i tried. like this:

#!/bin/sh

iptables -I FORWARD -i br0 -m set ! --match-set NAME src,src -j REJECT

with "chmod a+rx /jffs/scripts/*"

 

[alienx2]

@RMerlin @kfp
I cant find in google and theres many similar problem with call iptables on script in this forum and still no solution.

so now I found solution. all you need to use full path if you call iptables in custom scripts any working with firewall-start,nat-start,service-start,etc. Its only valid on any router with Asuswrt-merlin. here is the solution:

Before:
iptables -I FORWARD -i br0 -m set ! --match-set NAME src,src -j REJECT

After:
/opt/sbin/iptables -I FORWARD -i br0 -m set ! --match-set NAME src,src -j REJECT

It can call iptables to rule.

 

[octopus]

I have never used full path with iptables. What do your rule supose to do?
I'm not sure iptables include "REJECT" only DROP, logdrop and logaccept.

 

[ColinTaylor]

After:
/opt/sbin/iptables -I FORWARD -i br0 -m set ! --match-set NAME src,src -j REJECT

There's your problem. You're not using the router's built-in version of iptables, and you're having to do that because you're not using the correct syntax as pointed out in post #7. It works from the command line because the default search path in the interactive environment includes entware (/opt/sbin), the custom scripts don't. Having different versions of the same command installed is a recipe for confusion.

 

[alienx2]

I have never used full path with iptables. What do your rule supose to do?
I'm not sure iptables include "REJECT" only DROP, logdrop and logaccept.

I use iptables better than Asus GUI for Mac Address Filter. my old router ac66u can handle 200+ devices instead of Radius Server. It wont slow down or freeze.

There's your problem. You're not using the router's built-in version of iptables, and you're having to do that because you're not using the correct syntax as pointed out in post #7. It works from the command line because the default search path in the interactive environment includes entware (/opt/sbin), the custom scripts don't. Having different versions of the same command installed is a recipe for confusion.

my old router ac66u running old version iptables and with entware-ng.
..

 

[ColinTaylor]

my old router ac66u running old version iptables and with entware-ng.

Exactly. The built-in iptables command is in /usr/sbin.

 

[john9527]

my old router ac66u running old version iptables and with entware-ng.

iptables is tightly coupled to the kernel....if it was believed it could be done safely, it would have been updated just like is done with other components like dnsmasq, miniupnpd, etc.