Firewall not blocking IP in iptables

I am trying to block everything to/from a certain IP address, as an example. In Network>Firewall>Custom Rules, I have the following under all of the instruction comments:

iptables -A INPUT -s -j DROP
iptables -A OUTPUT -d -j DROP

I've restarted the firewall, and the system log shows a message regarding the firewall being restarted.

If I go to Status>Firewall, I see the rule I created at the bottom of the INPUT/OUTPUT chains where they should be. They are last (at the bottom) after all of the default rules for things like LAN and WAN targets.

However, I can still ping the IP address from both my router and computer, and the firewall status always shows 0 packets matching the rule. Did I configure it wrong in some way?

Aren't there rules before yours that are accepting the packets?

Your custom iptables rules should probably be put in a user chain such as "input_rule", "input_lan_rule", "input_wan_rule", "output_rule", "output_lan_rule", "output_wan_rule", "forwarding_rule", "forwarding_lan_rule" or "forwarding_wan_rule".

But why don't you configure two Network>Firewall>Traffic Rules instead?

I changed INPUT/OUTPUT to input_wan_rule/output_wan_rule and it still doesn't block it.

And if I go to Network>Firewall>Traffic Rules, I don't see any buttons or fields to add firewall rules; only the ability to move/edit/delete existing rules. And then at the bottom fields to open ports, create a new forward rule, and source NAT.

I've also tried

iptables -I INPUT 1 -s -j DROP
iptables -I OUTPUT 1 -d -j DROP

which puts the rules at the very beginning (instead of after everything else in the INPUT/OUTPUT chains), but that doesn't work either.

Edit: That does work apparently, but it only blocks output when pinging FROM the router itself. And I'm unsure whether it works on incoming at all yet.

The INPUT and OUTPUT chains only check packets that are sent to/emitted by the router itself. For checking packets forwarded by the router, use the FORWARD chain, or more specifically, forwarding_wan_rule and forwarding_lan_rule.

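The distinction above (router-terminated traffic goes through INPUT/OUTPUT, client traffic that the router routes goes through FORWARD) is the reason the original rules matched 0 packets from the LAN computer. The following script is an added example, not code from the thread or from the OpenWrt project. It generates the iptables commands for blocking one address in the user chains the firewall already jumps to (input_rule, output_rule, forwarding_rule, all named in the replies above), so the rules survive a firewall restart in the intended position, and applies them only when iptables is actually present. The address 192.0.2.10 is a placeholder from the documentation range; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: emit and optionally apply iptables DROP rules for one address
# on an OpenWrt router, in the user chains rather than directly in INPUT/OUTPUT.
# Usage: sh block_ip.sh 192.0.2.10 [local|forward|all]   (address is a placeholder)

# Print the rules for a given address and scope.
#   local   - packets the router itself receives/sends (INPUT/OUTPUT path)
#   forward - packets from/to LAN clients that the router routes (FORWARD path)
#   all     - both
# "-I <chain> 1" places each rule at the top of its user chain so nothing
# earlier in that chain can accept the packet first.
block_ip_rules() {
    ip="$1"
    scope="${2:-all}"
    case "$scope" in
        local|all)
            echo "iptables -I input_rule 1 -s $ip -j DROP"
            echo "iptables -I output_rule 1 -d $ip -j DROP"
            ;;
    esac
    case "$scope" in
        forward|all)
            echo "iptables -I forwarding_rule 1 -s $ip -j DROP"
            echo "iptables -I forwarding_rule 1 -d $ip -j DROP"
            ;;
    esac
    case "$scope" in
        local|forward|all) return 0 ;;
        *) echo "unknown scope: $scope" >&2; return 1 ;;
    esac
}

# Number of rules block_ip_rules would install for the given scope.
rule_count() {
    block_ip_rules "$1" "$2" | wc -l | tr -d ' '
}

# Apply the rules if iptables exists on this host; otherwise just print them.
# Afterwards the packet counters in "iptables -L forwarding_rule -v -n" should
# increase when a LAN client pings the blocked address.
apply_block() {
    ip="$1"
    scope="${2:-all}"
    if command -v iptables >/dev/null 2>&1; then
        block_ip_rules "$ip" "$scope" | while read -r cmd; do
            $cmd
        done
        iptables -L forwarding_rule -v -n | grep -w "$ip"
    else
        echo "iptables not found; rules that would be applied:" >&2
        block_ip_rules "$ip" "$scope"
    fi
}

# Only run when invoked directly with an address argument.
if [ -n "$1" ] && [ "${SKIP_MAIN:-0}" != "1" ]; then
    apply_block "$1" "$2"
fi
```

Put the generated lines in Network>Firewall>Custom Rules (or run the script from there) so the firewall re-adds them on restart; checking the byte/packet counters of forwarding_rule after a ping from the LAN confirms which chain is actually seeing the traffic.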

You can edit the rule and specify source or destination address after you have added it.
