OpenWrt Forum Archive

Topic: I can't get postrouting_rule to REJECT

The content of this topic has been archived on 15 Jan 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, trying to set up firewall.  I'd like to have a list of internet IPs that I want to not be accessed from in the LAN.  Here is what I have set, using 1.2.3.4 as example of an IP to block:

iptables        -A output_wan           -p tcp -d 1.2.3.4 -j DROP
iptables -t nat -A postrouting_rule     -p tcp -d 1.2.3.4 -j DROP

This works, but using DROP makes it so I am forced to wait for a timeout in a web browser to get an error message.  So I try:

iptables        -A output_wan           -p tcp -d 1.2.3.4 -j REJECT
iptables -t nat -A postrouting_rule     -p tcp -d 1.2.3.4 -j REJECT

I'd like to use REJECT, but it's not working.  I'm not an iptables master ... shouldn't that work?  The output_rule line works, but when it gets to postrouting_rule, it says iptables: Invalid argument.  Any help? Thanks!

Running a WRT54G v3.1 with Kamikaze 7.09.

(Last edited by qwillio on 15 Oct 2007, 00:01)

REJECT is not valid in the nat table.    If you already reject the packet in the filter table you do not need to do anything to it in the nat table.

If you look at the packet counts after dropping packets with the first configuration you will see only one of the rules ever executes.

Thanks for your post.

I'm not quite sure what you mean.  Here is what I find:

In the first example in my first post, I use JUST the output_wan rule, and the IPs are blocked only when connecting from within the router (SSH).  Without the postrouting_rule, I can still access the IP from computers connected to the router. (which is I think what you are saying?)

Since I want to REJECT the IPs for computers connected to the router ... using the output_wan rule alone will not do enough for me.

So ... how do I have it REJECT to clients trying to access those IPs?

(Last edited by qwillio on 15 Oct 2007, 16:43)

help?

Add the REJECT rule to the forwarding_wan chain as well as the output_wan chain

Just some clarification.

There are 3 tables in iptables

filter
nat
mangle

They are meant for different things and come into play at different times.

quick synopsis

mangle - for mangling packets, used to do the ADSL mtu stuff here.

nat - this is for setting up NATing

filter - this is where all filtering is done.


Note for tcp on the SYN packet hits the nat table.....
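
The rule set the answers above describe, as an added example that is not from any post in this thread: outbound TCP to each blocked IP is rejected in the filter table both for the router itself (output_wan) and for LAN clients whose traffic is forwarded (forwarding_wan), and the nat table is left alone because REJECT is only a valid target in filter. The helper names emit_block_rules and check_rule are made up for this example; the chain names are the Kamikaze 7.09 firewall chains named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the filter-table rules needed to
# REJECT outbound TCP to a list of internet IPs, and checks a rule line for the
# invalid "REJECT in the nat table" combination that gives "Invalid argument".

# emit_block_rules IP [IP...]
# Prints one iptables command per chain per IP. Both chains live in the
# filter table, where REJECT is allowed; nothing is added to nat.
emit_block_rules() {
    for ip in "$@"; do
        # Connections the router itself opens (e.g. from an SSH session on it)
        echo "iptables -A output_wan     -p tcp -d $ip -j REJECT"
        # Connections from LAN clients that the router forwards out the WAN
        echo "iptables -A forwarding_wan -p tcp -d $ip -j REJECT"
    done
}

# check_rule "iptables ..."
# Returns 0 if the rule is acceptable, 1 if it uses REJECT in the nat or
# mangle table (REJECT is only valid in the filter table).
check_rule() {
    case "$1" in
        *"-t nat"*REJECT*|*"-t mangle"*REJECT*) return 1 ;;
    esac
    return 0
}

# Usage:  sh block_ips.sh 1.2.3.4 5.6.7.8        (prints the rules)
#         sh block_ips.sh 1.2.3.4 | sh           (applies them on the router)
# Without arguments the script only defines the functions.
if [ $# -gt 0 ]; then
    emit_block_rules "$@"
fi
```

Because the rules are printed rather than executed, the same lines can be pasted into /etc/firewall.user on the router or piped to sh; the output_wan rule alone only covers traffic originating on the router, which is why the second chain is needed for LAN clients.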
