I'm trying to enable a custom iptables rule in the /etc/firewall.user configuration file, without any success.
My iptables rule is:
iptables -I FORWARD -s 192.168.1.213 -d 0.0.0.0 -j DROP
I've tried various combinations, INPUT, OUTPUT with the corresponding interface(e.g. br-lan and or eth0:2), but with no success. Do I have to incorporate 'WAN' and 'LAN' in the iptable rule?
Grateful for any help. Thanks..
"Do you want to block access to the router or the Internet?"
I want to block access to the internet.
"Have you properly attached interfaces to the firewall zones"
"Is the firewall service enabled and running"
Yes. I've used the web interface to configure port forwarding and traffic rules which work.
The custom rules don't fit well the firewall service configuration.
That's the last resort workaround that you shouldn't normally use.
Better utilize native syntax:
uci -q delete firewall.filter_fwd
uci set firewall.filter_fwd="rule"
uci set firewall.filter_fwd.name="Filter-Forward"
uci set firewall.filter_fwd.src="lan"
uci set firewall.filter_fwd.src_mac="00:11:22:33:44:55"
uci set firewall.filter_fwd.dest="wan"
uci set firewall.filter_fwd.proto="all"
uci set firewall.filter_fwd.target="REJECT"
uci commit firewall
It helps avoid race conditions and works for both IPv4 and IPv6.
Thank you for the code snippet. I tried it but it didn't work. Seems like the only method that works is if I create the rules for the device by using the web gui at network/firewall/traffic-rules page.
What I was trying to achieve was to get the rules for my device in the /etc/firewall.user file, were I could then alter it via a simple sed command that would be run via cron, in effect a timer based on off internet kill switch for one device. I didn't want to risk using the main /etc/config/firewall file, but had no choice in the end.
I succeeded in the end by adding the device information at the very bottom of the /etc/config/firewall file with the 'option enable '1' ' at the very bottom of the file. Then it was easy to change that one line from '1' to '0' plus a firewall restart after every edit, to be able to allow or block internet access based on time of day.
I'm sure there is a better and safer way than messing around with cron, sed on the main config file..
Thanks for your help though.
You didn't incorrectly use
@reboot with cron in an embedded device - did you?
(I notice the Wiki mentions this; but it's not possible [on an embedded device]. Other forum posts mention it, and I recently had to try it - so I know it to be so.)
Such rules can go in
/etc/rc.local - or the above mentioned
firewall.user file (if a firewall rule respectively).
No I did this:
00 6 * * * /bin/sed -i '$s/1/0/' /etc/config/firewall && /etc/init.d/firewall restart
59 23 * * * /bin/sed -i '$s/0/1/' /etc/config/firewall && /etc/init.d/firewall restart
The very last line in the /etc/config/firewall file is:
option enable '1'
This current config works, but I'm sure there must be a better more elegant way to do this. I would prefer to use the /etc/firewall.user file, but whatever I do in that file does not work.
You can use the UCI command to enable/disable it...unfortunately, I donno the command-line method, though.
@vgaetera, can you help 'em out?
Also, did you try
Change that rule to
iptables -I FORWARD -s 192.168.1.213/32 -d 0.0.0.0/0 -j DROP
and it will work.
You are doing it wrong.
There's the proper way to apply time restrictions and filter established connections.
Thanks for the links to the proper way to do this I knew there was a better way to get this done. However when I look at the screen shot as seen from the time restrictions
page, I don't have those time based settings present in my webgui. Perhaps it has something to do with what router one has.
But I like this solution.
My hack is working for the time being, but I'd like to have these parental control options available on my firewall settings.
Ignore the screenshot, it's obsolete.
Time restrictions should be on the separate tab while editing the rule.
Or, simply run the command-line section below and it should create the rule that you can edit.
It's significantly more reliable than the cron-based hack.
Is it possible to have different stop and start times, depending on what day of the week it is? I see from the command line option you can choose start and stop for various days of the week, but what if you wanted to have a later stop time on the weekends for example.
I want to have earlier stop times on schooldays, but on the weekend the stop time could be later. This would only apply for one device on the LAN
Limit the existing firewall rule to specific week days.
Then add another rule with different week days.
You can use the code snippet from the wiki as an example.