Dropping packets from a specific IP

Hi,

I'm trying to block a specific IP from my system behind an OpenWrt router.
Is this rule, which I want to add to /etc/config/firewall, correct?

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option family 'ipv4'
        option src_ip 'AA.BB.CC.DD'
        option dest_port '80 443'
        option target 'DROP'
        option name 'Block IP from the specific address'
        option start_time '00:00:00'
        option stop_time '23:00:00'
        option enabled '1'

where AA.BB.CC.DD is a specific IP address that I wanted to block from my web server, unless it's between 11pm and 12am, in which case it's allowed to go through into the web server.

Thank you.
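To check what the rule above actually does at a given time of day, here is a small offline evaluator added as an example (it is not from the thread and not OpenWrt's own firewall code). It re-implements the matching of just the options used in the post for one forwarded packet, and assumes iptables-style inclusive time windows, exact port lists, and the fw3/fw4 default protocol list; 203.0.113.10 stands in for AA.BB.CC.DD.

```python
import ipaddress
from datetime import time

# Constructed copy of the rule from the post; the placeholder AA.BB.CC.DD is
# replaced with a documentation address (203.0.113.10) so the code can run.
RULE_TEXT = """config rule
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option family 'ipv4'
        option src_ip '203.0.113.10'
        option dest_port '80 443'
        option target 'DROP'
        option start_time '00:00:00'
        option stop_time '23:00:00'
        option enabled '1'
"""

def parse_rule(text):
    """Collect the 'option key value' lines of one UCI section into a dict."""
    rule = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "option":
            rule[parts[1]] = parts[2].strip().strip("'\"")
    return rule

def in_window(now, start, stop):
    """Inclusive HH:MM:SS window; wraps past midnight when start > stop."""
    now, start, stop = (time.fromisoformat(t) for t in (now, start, stop))
    return start <= now <= stop if start <= stop else (now >= start or now <= stop)

def verdict(rule, src_zone, dest_zone, proto, src_ip, dport, now):
    """Return the rule's target if its match options agree with this forwarded
    packet, else None (the packet falls through to the next rule)."""
    if rule.get("enabled", "1") != "1" or rule["src"] != src_zone or rule["dest"] != dest_zone:
        return None
    if proto not in rule.get("proto", "tcp udp").split():  # fw3/fw4 default is 'tcp udp'
        return None
    addr = ipaddress.ip_address(src_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in rule.get("src_ip", "").split()]
    if nets and not any(addr in n for n in nets):
        return None
    if "dest_port" in rule and str(dport) not in rule["dest_port"].split():  # exact ports only
        return None
    if "start_time" in rule and not in_window(now, rule["start_time"], rule["stop_time"]):
        return None
    return rule["target"]
```

At 12:00 a packet from the blocked address to port 443 returns 'DROP'; at 23:30 it returns None, i.e. it falls through to whatever forwarding rule serves the web server, which is the 11pm to midnight exception the post describes.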

Just a side note: you might want to look into giving the MAC address of the device with that IP address a static DHCP assignment, as otherwise the critical machine might simply try to get a different address from the DHCP server to sidestep your attempt at controlling its internet access attempts. I note that this is only going to give partly more control, as that machine might use a different MAC address, but that will be a somewhat higher hurdle to clear.

Hi,

Thanks for your response and advice.

Is my rule correct then?

Well, since I never used such a rule myself, I cannot really judge, but this seems like something that should be easy to test, no?

Also, once you have a working rule, consider also applying a matching rule in the reverse direction, and also add UDP.
