LEDE noob here. Sharing my iptables (includes blocking modem and router access, firewall, Steam and some games)

Hi. Not an expert at all when it comes to iptables, I had to google a lot, so I decided to share my current iptables, maybe get some feedback, but the main point would be to make someone else out there spend less time looking for these rules. Especially the ones to block router access and only allow SSH/HTTP access to one MAC address.

Here are the iptables. Copy and paste this under firewall/custom rules:

Now my question is: would it be possible to allow access to the modem to one MAC address? Basically what I'm trying to achieve is being able to reset the router without having to go downstairs and wake up my family in the process. I'm using a script I took from the OpenWRT forums to change the MAC address on every reset, but I still need to unplug/plug the modem. If that's not possible, maybe there's another way?
I was thinking yesterday, what if we could configure a script (preferably triggered before the router resets, so we save time: while the modem resets, the router resets too and gets a new MAC address) on the router to access the modem just to reboot it. I saw there's a plugin called ModemAccess (iirc). Yay or nay?

Anyway, here are the rules I tried to allow access to the modem to one MAC address; needless to say, I didn't succeed.

Is it possible to allow only one MAC address to access the modem while blocking everyone else?

I've tried these:

iptables -I FORWARD 1 -d -m mac --mac-source 11:AA:BB:CC:22:33 -j ACCEPT
iptables -I FORWARD 2 -d -j ACCEPT
iptables -I FORWARD 3 -d -j DROP

iptables -I FORWARD 1 -d -j DROP
iptables -I FORWARD 2 -d -m mac --mac-source 11:AA:BB:CC:22:33 -j ACCEPT
iptables -I FORWARD 3 -d -j ACCEPT

iptables -I INPUT -d -p tcp -m mac ! --mac-source 11:AA:BB:CC:22:33 -j REJECT --reject-with tcp-reset

Well, that's pretty much it. Sorry for the long post.
One thing I would like to see changing in the future is more step-by-step tutorials on YouTube. I'm not criticizing at all, don't get me wrong! But for people with no experience like me that want to finally jump to OpenWRT after years using DD-WRT, those tutorials would help. I installed dnscrypt and the script for the MAC. If you guys are ok with it, I could make detailed YouTube tutorials to help people protect their routers, something often overlooked.

Sorry for the stupid question:
What is your use case?

I think in your description the modem is the router.
If so, why do you want to change the MAC address of the modem, and if so, which interface, LAN or WAN?
https://pastebin.com/AnQKQLrx A lot of these rules could be set in /etc/config/firewall; you do not need a firewall config file in iptables syntax except for special use cases. On LEDE/OpenWrt, fw3 will set a lot of these rules.


Why do you want the device to change MAC?

To renew the IP. Even if I reset the modem, I don't get a new IP unless I change the WAN MAC address.

EDIT: Mmm, I don't want to change the WAN MAC, I'm already doing it with the script I mentioned (this one, if you are curious: Renew WAN ip address).
What I need to do next is to allow access to the modem only to one computer's MAC address for security reasons (the modem GUI shows too much info). It works exactly like that to block everyone out of the router; I thought that maybe the same concept could be applied to an IP (the modem IP).

iptables rules are processed in order.
First you put the wildcard ACCEPT before the DROP.
Then you put the wildcard DROP first, so nothing will ever get past that.

Try using your rule 1, then rule 3 and ignore the wildcard ACCEPT.
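
A small first-match simulator for the three FORWARD orderings discussed in this thread, added here as an example (not code from any post); the modem IP, the Internet IP and the second MAC are made-up placeholders:

```python
# First-match evaluation, the way iptables walks a chain: the first rule
# that matches decides, later rules are never consulted.
from dataclasses import dataclass
from typing import List, Optional

MODEM_IP = "192.0.2.1"            # placeholder: the post omits the real modem IP
ALLOWED_MAC = "11:AA:BB:CC:22:33"  # the MAC used in the original rules


@dataclass
class Rule:
    target: str                        # ACCEPT or DROP
    dst: Optional[str] = None          # -d <ip>
    mac_source: Optional[str] = None   # -m mac --mac-source <mac>

    def matches(self, pkt: dict) -> bool:
        if self.dst is not None and pkt["dst"] != self.dst:
            return False
        if self.mac_source is not None and pkt["mac"].lower() != self.mac_source.lower():
            return False
        return True


def verdict(chain: List[Rule], pkt: dict, policy: str = "ACCEPT") -> str:
    """Return the target of the first matching rule, or the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The orderings from the thread, top of the chain first
accept_before_drop = [Rule("ACCEPT", MODEM_IP, ALLOWED_MAC), Rule("ACCEPT", MODEM_IP), Rule("DROP", MODEM_IP)]
drop_first = [Rule("DROP", MODEM_IP), Rule("ACCEPT", MODEM_IP, ALLOWED_MAC), Rule("ACCEPT", MODEM_IP)]
fixed = [Rule("ACCEPT", MODEM_IP, ALLOWED_MAC), Rule("DROP", MODEM_IP)]

# Constructed packets: the allowed host, another LAN host, and ordinary Internet traffic
allowed_pkt = {"dst": MODEM_IP, "mac": ALLOWED_MAC}
other_pkt = {"dst": MODEM_IP, "mac": "DE:AD:BE:EF:00:01"}
internet_pkt = {"dst": "198.51.100.7", "mac": "DE:AD:BE:EF:00:01"}


def summarize(chain: List[Rule]) -> tuple:
    """Verdicts for (allowed host -> modem, other host -> modem, other host -> Internet)."""
    return tuple(verdict(chain, p) for p in (allowed_pkt, other_pkt, internet_pkt))


if __name__ == "__main__":
    for name, chain in (("accept before drop", accept_before_drop), ("drop first", drop_first), ("fixed", fixed)):
        print(f"{name:20s} {summarize(chain)}")
```

Note that `iptables -I FORWARD N` inserts at position N, so rules added with increasing N in successive commands land in that order, whereas repeated `-I FORWARD 1` would reverse them.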

Like this?:
iptables -I FORWARD 1 -d -m mac --mac-source AA:BB:AA:BB:AA:BB -j ACCEPT
iptables -I FORWARD 2 -d -j DROP

If so, no luck.

When you said "it didn't work" could you ever connect to your modem?

You might need to run tcpdump to find out if the MAC address gets mangled by the time packets get to FORWARD.