I created some firewall traffic rules using LuCI to block HTTP(S) access to my gateway and it worked as expected. However, I would like to use iptables as I can use the multiport option to specify both HTTP and HTTPS in one rule.
I've connected to the router via SSH, printed out the rules with iptables -S, placed the exact rules into the Custom Rules tab in LuCI, clicked Save and restarted the firewall with /etc/init.d/firewall restart.
However, the rules don't seem to be working as I can still reach the gateway's web-GUI.
These are the iptables rules:
iptables -A FORWARD -d 192.168.20.253/32 -p tcp -m multiport --dports 80,443 -m comment --comment "!fw3: Block HTTP(S) access to gateway" -j zone_wan_dest_REJECT
iptables -A FORWARD -d 192.168.20.253/32 -p udp -m multiport --dports 80,443 -m comment --comment "!fw3: Block HTTP(S) access to gateway" -j zone_wan_dest_REJECT
If I change append (-A) to insert (-I) so the rules are at the top of the chain, it seems to work. What I don't understand is why the exact same rules, when created with LuCI, use append rather than insert and still work. Any ideas what's going on here?
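A diagnostic to go with the question above, added here as an example rather than anything from the original post or from OpenWrt itself. fw3 runs the Custom Rules file (/etc/firewall.user) after it has built its own ruleset, so a rule appended with -A lands at the very end of FORWARD, behind the jumps into zone_lan_forward / zone_wan_forward and the final reject, where a new flow never reaches it; -I puts it at position 1. The script below decides, from the text of `iptables -S FORWARD` alone (so it needs neither root nor iptables to run), whether a given rule sits before or after the first zone jump or reject, and rewrites a FORWARD rule onto fw3's forwarding_rule hook chain, which is jumped to at the top of FORWARD. The two listings are constructed samples of what the poster's two rules would look like after -A and after -I; the interface names br-lan and eth0.2 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a FORWARD rule is
# shadowed by fw3's zone jumps / final reject, using only `iptables -S FORWARD` text.

# Constructed sample: FORWARD after fw3 loaded the two Custom Rules with -A.
SAMPLE_APPEND='-P FORWARD DROP
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A FORWARD -d 192.168.20.253/32 -p tcp -m multiport --dports 80,443 -j zone_wan_dest_REJECT
-A FORWARD -d 192.168.20.253/32 -p udp -m multiport --dports 80,443 -j zone_wan_dest_REJECT'

# Constructed sample: the same two rules loaded with -I (second -I pushes the first to #2).
SAMPLE_INSERT='-P FORWARD DROP
-A FORWARD -d 192.168.20.253/32 -p udp -m multiport --dports 80,443 -j zone_wan_dest_REJECT
-A FORWARD -d 192.168.20.253/32 -p tcp -m multiport --dports 80,443 -j zone_wan_dest_REJECT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject'

# first_match LISTING SUBSTRING -> 1-based index (among -A lines) of the first rule
# containing SUBSTRING, or 0 if none. The index matches `iptables -L --line-numbers`.
first_match() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^-A / { n++; if (index($0, pat) > 0) { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

# first_shadow LISTING -> index of the first rule that hands the packet to a zone
# forward chain or to the final reject; anything after it never sees a new flow.
first_shadow() {
    printf '%s\n' "$1" | awk '
        /^-A / { n++; if ($0 ~ /-j zone_[A-Za-z0-9_]*_forward$/ || $0 ~ /-j reject$/) { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

# rule_reachable LISTING SUBSTRING -> 0 if the rule is evaluated before any shadowing
# rule, 1 if it is shadowed, 2 if it is not in the chain at all.
rule_reachable() {
    rule=$(first_match "$1" "$2")
    shadow=$(first_shadow "$1")
    if [ "$rule" -eq 0 ]; then
        echo "rule matching '$2' not found in chain"
        return 2
    fi
    if [ "$shadow" -eq 0 ] || [ "$rule" -lt "$shadow" ]; then
        echo "rule #$rule precedes the first zone jump/reject (#$shadow): reachable"
        return 0
    fi
    echo "rule #$rule sits behind zone jump/reject #$shadow: shadowed, never matches new flows"
    return 1
}

# to_hook_chain RULE -> the same rule appended to fw3's forwarding_rule chain, which
# FORWARD jumps to first, so -A keeps working across firewall reloads.
to_hook_chain() {
    printf '%s\n' "$1" | sed -E 's/^-(A|I) FORWARD /-A forwarding_rule /'
}

# Demo on the constructed listings; on the router use: rule_reachable "$(iptables -S FORWARD)" 'dports 80,443'
rule_reachable "$SAMPLE_APPEND" 'dports 80,443' || true
rule_reachable "$SAMPLE_INSERT" 'dports 80,443' || true
to_hook_chain 'iptables -A FORWARD -d 192.168.20.253/32 -p tcp -m multiport --dports 80,443 -j zone_wan_dest_REJECT' | sed 's/^/# suggested: /'
```

The -j zone_wan_dest_REJECT target is an fw3-generated chain that is flushed and recreated on every reload, so a rule referencing it is only valid while that chain exists; a plain -j REJECT in forwarding_rule avoids that dependency.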