Applying firewall rules

I've tried adding rules to the firewall to block some IPs/hosts but they don't get blocked.

I pasted the rules from here:

Also, following the Wiki, I installed iptables-mod-nat-extra:

DNS/IP block rules using dnsmasq / iptables are available in data/openwrt folder.
These rules are focused on latest OpenWrt release (Chaos Calmer 15.05.1).

Requires package "iptables-mod-nat-extra" for port 53 (DNS) redirect rule from dnsmasq.conf.
dnsmasq.conf is bypassed if you use DNSCrypt on client machine (recommended) so use hosts before DNSCrypt exit point.

DNSCrypt is also available in OpenWrt repo, but may be slow and CPU hungry on average routers, stay with the PC client as recommended.

I then restarted the firewall service firewall restart but nothing gets blocked. I rebooted the router, but again - nothing gets blocked.

So what am I doing wrong?

A few notes:

  1. The latest release (as of my posting) is 18.06.4, not 15.05.1
  2. No clue what those IPs are
  3. No clue why these IPs are not added using the normal method
  4. No clue why you need iptables-mod-nat-extra (maybe it was needed in 15.05.1)
  5. No clue why you believe these rules didn't work
  6. No clue if you installed DNSCrypt
  • What are you actually trying to block...DNS...or something else?
  • Why do you think the rules didn't work (i.e. you expected something to stop, or you could actually still ping, browse, etc. - to the IPs)? Basically, describe how you know.
  • What version of OpenWrt are you running?

I'm lost at why this script was updated a few days ago; but has information noting a version release 4+ years old, as recent...


Sorry for the confusion.

I want to block the IPs and domains from those two lists (dnsmasq.conf & firewall.user) so that Windows can't send telemetry data.

I know they aren't being blocked because I can still ping. I'm using the latest snapshot for my device - GL-AR750S (

Is there any easier and straightforward way to block those IPs/domains, because that's all I really need.

  • For the domains, yes. I'd personally just install Adblock and place them in the blacklist. This would allow me to block other domains/tracking later without a large fuss.
  • IPs...those firewall.user rules should have worked, if you tested from a client in LAN (FORWARD); and not the router itself (OUTPUT).

You didn't mention if the DNS lookups are blocked when querying the OpenWrt's dnsmasq instance. If not, I believe that's because the dnsmasq.conf additions are incorrect syntax...or incomplete, rather. It's also not advisable to add raw configs and rules; but use OpenWrt's UCI/LuCI web GUI interfaces instead. The UCI file to edit for dnsmasq settings you desire is /etc/config/dhcp. The firewall - /etc/config/firewall.

BTW, snapshots update every ~24 hours, I'd also upgrade to the latest snapshot before installing more packages.
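
An added example, not part of the original posts: a generator that turns a block list into UCI commands for /etc/config/firewall and /etc/config/dhcp, emitting both a forward rule (LAN clients) and an output rule (the router itself) per address, which is the distinction the reply above draws. The zone names `lan` and `wan`, the rule names, and all addresses and domains are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Runs on any POSIX sh (including OpenWrt's ash).
# Addresses and domains are constructed placeholders (RFC 5737 / example.*).
BLOCK_IPS="192.0.2.10 198.51.100.0/24"
BLOCK_DOMAINS="telemetry.example.com stats.example.net"

# Print the uci commands for one firewall rule.
#   $1 = rule name (hypothetical), $2 = destination IP/CIDR, $3 = source zone ("" for none)
emit_rule() {
    echo "uci add firewall rule"
    echo "uci set firewall.@rule[-1].name='$1'"
    if [ -n "$3" ]; then
        echo "uci set firewall.@rule[-1].src='$3'"
    fi
    echo "uci set firewall.@rule[-1].dest='wan'"   # assumes the default zone name
    echo "uci set firewall.@rule[-1].dest_ip='$2'"
    # proto defaults to tcp+udp; 'all' also covers ICMP, so a ping test is blocked too.
    echo "uci set firewall.@rule[-1].proto='all'"
    echo "uci set firewall.@rule[-1].target='REJECT'"
}

# Two rules per address:
#   src=lan, dest=wan -> forwarded traffic from LAN clients (FORWARD chain)
#   dest=wan only     -> traffic the router itself originates (OUTPUT chain)
gen_firewall() {
    n=0
    for ip in $BLOCK_IPS; do
        n=$((n + 1))
        emit_rule "block-fwd-$n" "$ip" lan
        emit_rule "block-out-$n" "$ip" ""
    done
    echo "uci commit firewall"
}

# dnsmasq answers 0.0.0.0 for each listed domain and its subdomains.
gen_dnsmasq() {
    for d in $BLOCK_DOMAINS; do
        echo "uci add_list dhcp.@dnsmasq[0].address='/$d/0.0.0.0'"
    done
    echo "uci commit dhcp"
}

gen_firewall
gen_dnsmasq
```

Review the printed commands before running them on the router, then restart the firewall and dnsmasq services so the committed settings take effect.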


Tested again and IPs worked this time. No idea what was wrong the first time.

As for Adblock - I tried that a few days ago, but for some reason I was leaking DNS requests when enabled (my router is set up to connect to a VPN via Wireguard). I'll be playing with Adblock again.

Thanks for the input!
