I'd appreciate any help regarding iptables basics, which I was sure that I had grasped, but somehow things are not working. I checked in this forum and other forums but was not able to find anything to explain my problem:
For testing purposes, rather than putting my changes into a user script, I am just typing the commands directly into the ssh command-line interface. My iptables commands don't seem to have any effect. Is there some "reload" or "apply changes" command I need to do in order for my commands to take effect?
After entering a bunch of commands and not working, I tried entering the following very simple command (into the ASUS Merline command-line) to block my own laptop, at 192.168.1.31 from accessing the Internet at all:
I type "iptables -n --line-numbers -L |less" to verify that this rule is working, and get, in part:
(This is the entirety of Chain OUTPUT. I have omitted other chains; see below for the entire output.)
I verify that my computer is only connected to the router by my IP address at 192.168.1.31 by typing "ifconfig" (into my Kubuntu laptop, not the ASUS router):
I have turned off my wireless. If I have cut myself off successfully from the router and can't control it, I plan to turn on my wireless, which gets assigned a different IP address, and I should be able to access and control the router.
If the above command worked, then I should not be able to access the Internet at all. Instead, I am able to access any and all web pages I wanted.
I also tried the following commands (individually, each command entered after deleting the previous attempted rule from iptables, and confirming with the "iptables -L" listing):
or
Why am I still able to access the Internet? Why am I not cut off?
____________________________________________________
The following is background info and not necessarily directly relevant:
My router is the Asus RT-AC66U_B1, and I installed the firmware "RT-AC68U_384.18_0".
The iptables rules are intended to be used on my child's computer (I'm using my own computer just for testing), to limit the amount of time he can access certain gaming websites. He will run a command on his Windows 10 computer to turn on gaming access (I have to write that program, probably in Python), and my Python program will ssh into ASUS Merlin to enter an iptables rule allowing access for a limited time. (The specific --time-stop and --time-start times will depend on when exactly my son turns on gaming access, so that he can start his limited gaming access at a time of his choosing.)
I already had such a system running on his Linux desktop, but he has since changed to a Windows desktop, and I don't know how to set a time-limited firewall on Win10. So I figured I'd migrate the firewall rules from his no-longer-used Linux computer into the ASUS Merlin. I'm testing it on my own Linux laptop, and originally tried entering the following commands. This is to create three chains:
1. from the INPUT chain, it goes to the Parental_Deviceblock chain, which only takes action if the computer on the LAN is 192.168.1.31 (my own laptop): it goes to the Parental_Ipblock chain. Othewise it just goes back to the usual INPUT chain to run the rest of the INPUT chain filters.
2. the Parental_Ipblock chain only takes action if the packet came from 198.167.239.174 (just a sample website I want to try blocking -- tired.com -- but will be changed to the specific gaming sites I want to block). If it does, jump to Parental_Timeblock chain; otherwise just go back to the previous chain.
3. the Parental_Timeblock chain only takes action if the time is a certain time; in my test, it's 17:00 to 17:30. Yes, I know I have to specify it as UTC time. Yes, I made sure that it really was within that time limit when I tested (using the "date -u" command in ASUS Merlin).
So, I entered the following commands:
I had to make a choice of whether to block stuff for incoming packets or outgoing packets, and I chose incoming packets. Note that my rule precedes the "let all the packets through if there is already a connetion established", because I want to block the gaming website even when there is a connection. However, I am okay putting this into the OUTPUT chain (or should it be the FORWARD chain?), whatever is the correct chain to block access for certain websites.
It won't let me post the full output of iptables; I might have to put it into a reply to this entry or something.
Any help would be appreciated.
For testing purposes, rather than putting my changes into a user script, I am just typing the commands directly into the ssh command-line interface. My iptables commands don't seem to have any effect. Is there some "reload" or "apply changes" command I need to do in order for my commands to take effect?
After entering a bunch of commands and not working, I tried entering the following very simple command (into the ASUS Merline command-line) to block my own laptop, at 192.168.1.31 from accessing the Internet at all:
Code:
iptables -I OUTPUT -s 192.168.1.31 -j DROPI type "iptables -n --line-numbers -L |less" to verify that this rule is working, and get, in part:
Code:
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 192.168.1.31 0.0.0.0/0(This is the entirety of Chain OUTPUT. I have omitted other chains; see below for the entire output.)
I verify that my computer is only connected to the router by my IP address at 192.168.1.31 by typing "ifconfig" (into my Kubuntu laptop, not the ASUS router):
Code:
enxd8eb97b611f8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.31 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::c3ec:ef97:4748:6ab6 prefixlen 64 scopeid 0x20<link>
ether d8:eb:97:b6:11:f8 txqueuelen 1000 (Ethernet)
RX packets 4712764 bytes 4822350549 (4.8 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4008735 bytes 2913716835 (2.9 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 125860 bytes 10575839 (10.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 125860 bytes 10575839 (10.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0I have turned off my wireless. If I have cut myself off successfully from the router and can't control it, I plan to turn on my wireless, which gets assigned a different IP address, and I should be able to access and control the router.
If the above command worked, then I should not be able to access the Internet at all. Instead, I am able to access any and all web pages I wanted.
I also tried the following commands (individually, each command entered after deleting the previous attempted rule from iptables, and confirming with the "iptables -L" listing):
Code:
iptables -I INPUT -d 192.168.1.31 -j DROP
Code:
iptables -I FORWARD -d 192.168.1.31 -j DROPWhy am I still able to access the Internet? Why am I not cut off?
____________________________________________________
The following is background info and not necessarily directly relevant:
My router is the Asus RT-AC66U_B1, and I installed the firmware "RT-AC68U_384.18_0".
The iptables rules are intended to be used on my child's computer (I'm using my own computer just for testing), to limit the amount of time he can access certain gaming websites. He will run a command on his Windows 10 computer to turn on gaming access (I have to write that program, probably in Python), and my Python program will ssh into ASUS Merlin to enter an iptables rule allowing access for a limited time. (The specific --time-stop and --time-start times will depend on when exactly my son turns on gaming access, so that he can start his limited gaming access at a time of his choosing.)
I already had such a system running on his Linux desktop, but he has since changed to a Windows desktop, and I don't know how to set a time-limited firewall on Win10. So I figured I'd migrate the firewall rules from his no-longer-used Linux computer into the ASUS Merlin. I'm testing it on my own Linux laptop, and originally tried entering the following commands. This is to create three chains:
1. from the INPUT chain, it goes to the Parental_Deviceblock chain, which only takes action if the computer on the LAN is 192.168.1.31 (my own laptop): it goes to the Parental_Ipblock chain. Othewise it just goes back to the usual INPUT chain to run the rest of the INPUT chain filters.
2. the Parental_Ipblock chain only takes action if the packet came from 198.167.239.174 (just a sample website I want to try blocking -- tired.com -- but will be changed to the specific gaming sites I want to block). If it does, jump to Parental_Timeblock chain; otherwise just go back to the previous chain.
3. the Parental_Timeblock chain only takes action if the time is a certain time; in my test, it's 17:00 to 17:30. Yes, I know I have to specify it as UTC time. Yes, I made sure that it really was within that time limit when I tested (using the "date -u" command in ASUS Merlin).
So, I entered the following commands:
Code:
iptables -N Parental_Timeblock
iptables -F Parental_Timeblock
iptables -A Parental_Timeblock -m time --timestart 17:00:00 --timestop 17:30:01 -j DROP
iptables -A Parental_Timeblock -j RETURN
iptables -N Parental_Ipblock
iptables -F Parental_Ipblock
iptables -A Parental_Ipblock -s 198.167.239.174 -j Parental_Timeblock
iptables -A Parental_Ipblock -j RETURN
iptables -N Parental_Deviceblock
iptables -F Parental_Deviceblock
iptables -A Parental_Deviceblock -d 192.168.1.31 -j Parental_Ipblock
iptables -A Parental_Deviceblock -j RETURN
iptables -I INPUT -j Parental_DeviceblockI had to make a choice of whether to block stuff for incoming packets or outgoing packets, and I chose incoming packets. Note that my rule precedes the "let all the packets through if there is already a connetion established", because I want to block the gaming website even when there is a connection. However, I am okay putting this into the OUTPUT chain (or should it be the FORWARD chain?), whatever is the correct chain to block access for certain websites.
It won't let me post the full output of iptables; I might have to put it into a reply to this entry or something.
Any help would be appreciated.
