Hi and thank you for this forum and development here at the LEDE project. I am not new to LEDE or iptables but I'm definitely no pro, and my current issue is showing me that.
Here's some info on my build and hardware and the issue I'm having. I am running DavidC's build r5621 for the WRT1900AC V2. I have been able to create some iptables rules successfully but I'm having trouble creating one now for a situation. I have a outdoor ip cam connected wirelessly to the router and it is sending and receiving to an internet address, and I would like to block this traffic. Not sure what or why it's sending but I just want it communicating locally. The ip cam is connected to br-lan via the 2.4ghz wifi adaptor and assigned an Ip of 192.168.3.250, the address it is sending to is 104.250.152.26. The wan interface is eth1.2 So In putty I typed
iptables -A OUTPUT -o eth1.2 -s 192.168.3.250 -d 104.250.152.26 -j DROP, and hit enter
iptables -A INPUT -i eth1.2 -s 104.250.152.26 -d 192.168.3.250 -j DROP, and hit enter
The rules show up in the Luci firewall list but it shows packet and byte count as 0 even though in the connections graph and syslog packets are still coming in and out. I've tried various other iptables variations after deleting the previous and none have worked. What am I missing or doing wrong? Any help would be appreciated.
You should likely enter these rules in UCI or on the LuCI web GUI...
It appears you appended the rules .There is very complex zoning taking place with FW3 firewall on LEDE. So...you're rules are probably at the bottom the INPUT and OUTPUT tables...but after the various chains created to handle zone-based traffic.
See this page to properly add firewall rules in LEDE: https://openwrt.org/docs/guide-user/firewall/firewall_configuration
As @lleachii described, sticking your rules into UCI is the best way to allow LEDE to build its rules and add yours into its chains.
But if you want to manually add them on command line, you can try the following to fit them into the default chains:
iptables -A forwarding_lan_rule -s 192.168.3.250 -d 104.250.152.26 -j DROP
iptables -A forwarding_wan_rule -s 104.250.152.26 -d 192.168.3.250 -j DROPThank you both for your replies. It wouldn't work when I entered the rules in UCI but I took the rules that phuque99 recommended and placed them in /etc/firewall.user file and restarted firewall and that worked.
But now I noticed In the Luci connections graph that I have about 30 or so connections from the ip cam to my router on dns port 53. Don't know what's up with that. I could understand 1 or 2 but over 30!
Could be hacked...
Wouldn't doubt it, it's one of those cheap Chinese models. My aunt gave it to me. If it's free it's for me, I couldn't resist!
Time to break out the pentest drive and do some investigating.
Querying webcams on https://www.shodan.io is kinda scary