My goal is to block my iPad from connecting to specific IPs. Right now I do this on my IPFire, but I want to do this one step earlier, on my LEDE WiFi router.
I tried this through LuCI with custom iptables entries, but it seems the entries get ignored.
It won't work because the packets have already been allowed by other rules before reaching yours.
You should use forwarding_lan_rule, as already mentioned, if you want to write custom rules.
Or you can add Traffic Rules using the graphical LuCI interface or uci:
# Create a new "config rule" section in /etc/config/firewall and fill in its options
uci add firewall rule
uci set firewall.@rule[-1].target='REJECT'          # reject matching traffic
uci set firewall.@rule[-1].proto='tcp udp'          # match TCP and UDP
uci set firewall.@rule[-1].name='BlockIP'
uci set firewall.@rule[-1].src='lan'                # from the LAN zone
uci set firewall.@rule[-1].dest='wan'               # forwarded towards the WAN zone
uci set firewall.@rule[-1].dest_ip='17.173.254.223' # destination host to block
# Save the config and rebuild the iptables rules from it
uci commit firewall
/etc/init.d/firewall reload
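As an added example (not code from the thread), the script below generates the same kind of lan-to-wan REJECT rule for one destination address and, because the thread turns on whether iptables is "ignored", checks an iptables-save dump for the rule and for its position relative to the forwarding ACCEPT that would otherwise let the packet through first. The chain names zone_lan_forward and zone_wan_dest_ACCEPT, the lowercase reject target and the "!fw3:" comment are assumed from fw3's conventions, the dump is constructed, and the function names are my own.

```shell
# Constructed sample of what "iptables-save" prints on a LEDE router once
# the BlockIP rule is active (chain/comment names follow fw3 conventions).
SAMPLE_DUMP='*filter
:zone_lan_forward - [0:0]
:reject - [0:0]
-A zone_lan_forward -d 17.173.254.222/32 -m comment --comment "!fw3: BlockIP" -j reject
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
COMMIT'

# Accept only a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Print the uci commands for a named lan->wan REJECT rule; refuse bad input
# so a typo does not silently produce a rule that matches nothing.
emit_block_rule() {
    name=$1; ip=$2
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='$name'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].dest_ip='$ip'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
/etc/init.d/firewall reload
EOF
}

# Succeed only if the dump ($2) rejects $1 in zone_lan_forward and that line
# comes before the zone_wan_dest_ACCEPT jump; an ACCEPT placed earlier would
# pass the packet before the REJECT is ever consulted.
rule_installed() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        /^-A zone_lan_forward / && index($0, "-d " ip "/32 ") && /-j reject$/ { found = NR }
        /^-A zone_lan_forward / && /-j zone_wan_dest_ACCEPT$/ && !fwd { fwd = NR }
        END { ok = found && (!fwd || found < fwd); exit ok ? 0 : 1 }'
}

# On the router itself: rule_installed 17.173.254.222 "$(iptables-save)"
if rule_installed 17.173.254.222 "$SAMPLE_DUMP"; then
    echo "REJECT for 17.173.254.222 is active in zone_lan_forward"
fi
```

If the check fails on the real router, the rule never reached the kernel (or sits behind an ACCEPT), which is the case to investigate before touching sysctl.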
Thank you. I have tried it now also with forwarding_lan_rule as suggested, same negative result. I also tried your suggestion and checked /etc/config/firewall whether it got saved correctly. Unfortunately, same result.
Are you guys sure that this works? It seems iptables is completely ignored.
I am currently reading that you have to enable iptables in /etc/sysctl.conf ... I am trying this as I write this.
UPDATE: net.bridge.bridge-nf-call-iptables=1 did not help, but I received an error (unknown key) while doing sysctl -p.
Here are my firewall rules:
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config rule
	option target 'REJECT'
	option name 'BlockIP'
	option proto 'all'
	option src 'lan'
	option dest 'wan'
	option dest_ip '17.173.254.222'
I'm not sure what your setup is, but @jwoods's and my proposed rules only work if the NAT traffic flows through the LEDE router. If the iPad and IPFire are both behind the LEDE router, those rules won't work.
For what it's worth, LEDE firewall rules only work in the following setup: