[SOLVED] RT-AC87U 380.61 Respond Ping Request from WAN

amrhf
Hi all,

I have enabled Respond Ping Request from WAN on the router in Firewall - General
and I want to enable Broadband Quality Monitor from thinkbroadband.com,
but I do not want the router to respond to all ICMP requests, only those from
thinkbroadband.com that are coming from IPs 80.249.99.164/28 and 2a02:68:1::164.

Is there any way to achieve that?

My guess would be to ssh into the router and then add a firewall rule, but I am not versed in
adding firewall rules :( and I do not want to break anything.

Thank you in advance.
 
.... I do not want the router to respond to all ICMP requests, only those from
thinkbroadband.com that are coming from IPs 80.249.99.164/28 and 2a02:68:1::164.

Is there any way to achieve that?

As a test using 'logaccept' (you can change it later to ACCEPT) can you try adding the two rules to allow unsolicited PING requests?

Code:
iptables  -I FORWARD -i `nvram get wan0_ifname` -s 80.249.99.164/24 -p ICMP --icmp-type 8 -j logaccept

ip6tables -I FORWARD -i `nvram get wan0_ifname` -s 2a02:68:1::164   -p ipv6-icmp -j logaccept

iptables  -nvL FORWARD --line -t filter
ip6tables -nvL FORWARD --line -t filter
 
@Martineau Thank you.

I have turned OFF or rather to "No" Respond Ping Request from WAN in Firewall - General.

And tried your rule on IPv4:
# iptables -I FORWARD -i `nvram get wan0_ifname` -s 80.249.99.164/24 -p ICMP --icmp-type 8 -j ACCEPT

# iptables -nvL FORWARD --line -t filter
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT icmp -- eth0 * 80.249.99.0/24 0.0.0.0/0 icmptype 8
2 0 0 DROP ah -- br0 eth0 0.0.0.0/0 0.0.0.0/0
3 0 0 DROP esp -- br0 eth0 0.0.0.0/0 0.0.0.0/0
4 0 0 DROP udp -- br0 eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
5 0 0 DROP udp -- br0 eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:500
6 0 0 DROP udp -- br0 eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
7 0 0 DROP 47 -- br0 eth0 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP tcp -- br0 eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
9 296 131K logaccept all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10 0 0 logdrop all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
11 0 0 logdrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID
12 0 0 logaccept all -- br0 br0 0.0.0.0/0 0.0.0.0/0
13 0 0 SECURITY all -- eth0 * 0.0.0.0/0 0.0.0.0/0
14 0 0 logaccept all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
15 14 632 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0


But it does not work :(


Should there be another command, how would I make this rule permanent?
 
But it does not work :(
Should there be another command, how would I make this rule permanent?

Not much point making it permanent if it doesn't work? :p ...but you can add the commands to firewall-start /nat-start to make them permanent.

Doh! the rule should be added to the INPUT chain? :oops:

Otherwise it may be necessary to try
Code:
iptables -I INPUT   -i `nvram get wan0_ifname` -j LOG
tail -f /tmp/syslog.log
 
So I have tried:
iptables -I IMPUT -i `nvram get wan0_ifname` -s 80.249.99.164/24 -p ICMP --icmp-type 8 -j logaccept

and this:
iptables -I IMPUT -i `nvram get wan0_ifname` -s 80.249.99.164/24 -p ICMP --icmp-type 8 -j logaccept

but I get:
iptables: No chain/target/match by that name.


I have basic knowledge of Shorewall, but a quick search of THIS forum (Asuswrt-Merlin) did not yield any
answers :( So, is it possible to perhaps install Shorewall on Merlin?

I have no physical access to this router at the moment, as it is a thousand miles away and my old man would not be happy if I screw up his connection...
so I cannot afford to get it wrong ......A quick search found this:
https://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html

iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 80.249.99.164/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 80.249.99.164/24 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Would that work for what I needed?
 
There is no chain named IMPUT......try INPUT :)

iptables -I INPUT -i `nvram get wan0_ifname` -s 80.249.99.164/24 -p ICMP --icmp-type 8 -j logaccept
How would I save this rule so it does not get lost when the router gets restarted?
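
Added example, not part of the thread: one way to keep the INPUT rule across restarts, following the firewall-start suggestion above. It assumes Asuswrt-Merlin's /jffs/scripts/firewall-start user script, uses the /28 range and IPv6 address from the first post, and limits IPv6 to echo requests (type 128); the helper names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start (Asuswrt-Merlin user script).
# Source ranges are the ones given in the first post of the thread.
BQM_V4="80.249.99.164/28"
BQM_V6="2a02:68:1::164"

# Run a command, or only print it when DRY_RUN=1 (to review before applying).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Delete any earlier copy of the rule, then insert it at the top of the chain,
# so repeated firewall restarts do not stack duplicates.
reinsert() {
    tool=$1; shift
    run "$tool" -D "$@" 2>/dev/null || true
    run "$tool" -I "$@"
}

allow_bqm_ping() {
    wan_if=$1
    [ -n "$wan_if" ] || { echo "no WAN interface given" >&2; return 1; }
    # INPUT, not FORWARD: the echo request is addressed to the router itself.
    reinsert iptables INPUT -i "$wan_if" -s "$BQM_V4" \
        -p icmp --icmp-type 8 -j ACCEPT
    # ICMPv6 echo request is type 128 (assumption: only echo is wanted).
    reinsert ip6tables INPUT -i "$wan_if" -s "$BQM_V6" \
        -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
}

# Apply only on the router, where nvram exists.
if command -v nvram >/dev/null 2>&1; then
    allow_bqm_ping "$(nvram get wan0_ifname)"
fi
```

On a remote router, run it once with DRY_RUN=1 to read the four commands before letting it change the live chains, then confirm with `iptables -nvL INPUT --line` that the packet counter on the new rule increases.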
 