Blocking specific target IPs - iptables not working?


My goal is to block my iPad from connecting with specific IPs. Right now I do this on my IPFire, but I want to do this one step earlier on my LEDE wifi-router.

I tried this through LuCI with custom iptables entries, but it seems the entries get ignored.

Anyone has a solution to this?

Thanks for any hints,


# iptables targets are case-sensitive: the chain target is REJECT, not reject
iptables -A forwarding_lan_rule -d bad_ip -p udp -j REJECT
iptables -A forwarding_lan_rule -d bad_ip -p tcp -j REJECT

I have entered the following in LUCI:

iptables -A CUSTOMFORWARD -d -j REJECT

Did not work. The pings from the iPad are still hitting my IPFire behind the router...

I have also tried

iptables -A FORWARD -d -j REJECT

without success.

It won't work because the packets have already been allowed by other rules before reaching your.

You should use forwarding_lan_rule as already mentioned if you want to write custom rules.

Or you can add Traffic Rules using the graphical luci interface or uci.

uci add firewall rule
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].name='BlockIP'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].dest_ip=''
uci commit firewall
/etc/init.d/firewall reload

Thank you. I have tried it now also with forwarding_lan_rule as suggested, same negative result. I also tried your suggestion and checked /etc/config/firewall whether it got saved correctly. Unfortunately, same result.

Are you guys sure that this works? It seems iptables is completely ignored.

Post your firewall rules...

I am currently reading that you have to enable the iptables in /etc/sysctl.conf ...I am trying this as I write this.
UPDATE: net.bridge.bridge-nf-call-iptables=1 did not help, but I received an error (unknown key) while doing sysctl -p

Here are my firewall rules:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config rule
	option target 'REJECT'
	option name 'BlockIP'
	option proto 'all'
	option src 'lan'
	option dest 'wan'
	option dest_ip ''

I'm not sure what your setup is, but @jwoods' and my proposed rules only work if NAT traffic flows through the LEDE router. If iPad and IPFire are both behind the LEDE router, those rules won't work.

For what it's worth, LEDE firewall rules only work in the following setup:

iPad -> LEDE router ->
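Two offline checks that bear on the uci rule posted above and on the topology point just made, written as an added example for this thread (not code from any poster, LEDE or OpenWrt). The `iptables -vnL` text and the `/etc/config/firewall` snippet in the script are constructed samples, and 203.0.113.10 is a documentation address standing in for the real blocked host. The first function reads the packet counter of a REJECT rule: a counter that stays at zero while the iPad keeps pinging means the traffic never traverses the FORWARD chain at all, which is what happens when both hosts sit on the LAN side. The second function reads back the `dest_ip` of a named uci rule, since a rule whose `dest_ip` is left empty matches any destination rather than one host.

```shell
#!/bin/sh
# Added example: offline checks on constructed sample text (not captured output).

# Constructed sample of `iptables -vnL FORWARD`. The REJECT rule for the
# hypothetical blocked host 203.0.113.10 has a zero packet counter.
SAMPLE_VNL='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            203.0.113.10         reject-with icmp-port-unreachable
 1234 98765 ACCEPT     all  --  br-lan eth0    0.0.0.0/0            0.0.0.0/0'

# Constructed /etc/config/firewall excerpt: one rule with an empty dest_ip
# (as in the thread's posted config) and one with an address set.
SAMPLE_CFG="config rule
	option target 'REJECT'
	option name 'BlockIP'
	option proto 'all'
	option src 'lan'
	option dest 'wan'
	option dest_ip ''

config rule
	option name 'BlockHost'
	option dest_ip '203.0.113.10'
	option target 'REJECT'"

# rule_packets TARGET DEST : read `iptables -vnL` output on stdin and print
# the packet counter of the first rule whose target and destination match.
# Prints nothing and returns 1 when no such rule is installed.
rule_packets() {
    awk -v tgt="$1" -v dst="$2" '
        $3 == tgt && $9 == dst { print $1; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# uci_dest_ip NAME : read /etc/config/firewall text on stdin and print the
# dest_ip of the `config rule` section named NAME (empty line if unset).
# Returns 1 when no rule with that name exists.
uci_dest_ip() {
    awk -v want="$1" -v q="'" '
        function unq(s) { gsub(q, "", s); return s }
        function flush() { if (in_rule && name == want) { print ip; done = 1 } }
        /^config /                 { flush(); in_rule = ($2 == "rule"); name = ""; ip = "" }
        in_rule && $2 == "name"    { name = unq($3) }
        in_rule && $2 == "dest_ip" { ip = unq($3) }
        END { flush(); if (done) exit 0; exit 1 }'
}

# Stand-alone usage: on a router, replace the samples with
#   iptables -vnL FORWARD | rule_packets REJECT <ip>
#   cat /etc/config/firewall | uci_dest_ip BlockIP
pkts=$(printf '%s\n' "$SAMPLE_VNL" | rule_packets REJECT 203.0.113.10) || pkts="not installed"
echo "REJECT rule for 203.0.113.10 has matched $pkts packets"
ip=$(printf '%s\n' "$SAMPLE_CFG" | uci_dest_ip BlockIP)
[ -n "$ip" ] && echo "BlockIP dest_ip = $ip" || echo "BlockIP has no dest_ip: it matches any destination"
```

If the counter is zero, no amount of rule tweaking will help; the packets are not crossing the router's FORWARD chain, so the block has to live on whichever device does sit on the path (here the IPFire).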

Thank you, it's really strange...

My setup is:

iPad -> LEDE router -> IPFire ->