
Access Restriction Not Working E3000 Shibby

Discussion in 'Tomato Firmware' started by alazyworkaholic, Nov 26, 2012.

  1. alazyworkaholic

    alazyworkaholic Serious Server Member

    Tomato Firmware 1.28.0905 MIPSR2-079V K26 USB Big-VPN
    on a Linksys E3000.
    Access Restriction doesn't work.

    I went to access restriction and configured thus:

    Schedule: Everyday, 23:00 - 6:30
    Normal Access Restriction
    Applies to all computers / devices
    Block all internet access.

    I enabled that, & even rebooted the router, but I could still surf the web.

    If it matters, from the page "Access Restriction Overview" a message box appears below the rules stating "iptables-restore: line ## failed" where ## can change depending on the rule. At the moment it's 57.
    That's the only enabled rule. I tried this at night while access should be restricted, and checked Tomato knew the correct time.
    Please let me know what I'm missing in order to limit web browsing after 11 pm. Thanks.
     
  2. MIkey0124

    MIkey0124 Networkin' Nut Member

    Are you using a VPN? If so, I have the same problem. When the VPN is enabled, access restrictions and web mon won't work for some reason. I posted a thread about 2 months ago and didn't get any replies with solutions.
     
  3. gfunkdave

    gfunkdave LI Guru Member

    See if the problem manifests in Toastman.

    I have a VPN client and server running on my E3000 running Toastman, and access restrictions work fine.
     
  4. MIkey0124

    MIkey0124 Networkin' Nut Member

    gfunkdave,

    I tried installing Toastman's version of Tomato and still it is not working. No access restrictions or web monitor when the VPN is running.
     
  5. alazyworkaholic

    alazyworkaholic Serious Server Member

    Bump. No solution yet. Please help!
     
  6. alazyworkaholic

    alazyworkaholic Serious Server Member

    By the way, I found this:
    Code:
    [root@E3000 /]$ cat /tmp/etc/iptables.error
    *mangle
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :WANPREROUTING - [0:0]
    -A PREROUTING -d 192.168.25.22 -j WANPREROUTING
    -A PREROUTING -i vlan2 -d 192.168.1.1/255.255.255.0 -j DROP
    -A WANPREROUTING -p icmp -j DNAT --to-destination 192.168.1.1
    -A WANPREROUTING -p tcp --dport 54323 -j DNAT --to-destination 192.168.1.100:21
    -A WANPREROUTING -p tcp --dport 54321 -j DNAT --to-destination 192.168.1.100:22
    -A WANPREROUTING -p tcp --dport 54322 -j DNAT --to-destination 192.168.1.100:5900
    :upnp - [0:0]
    -A PREROUTING -d 192.168.25.22 -j upnp
    -A POSTROUTING -o vlan2 -j MASQUERADE
    -A POSTROUTING -o br0 -s 192.168.1.1/255.255.255.0 -d 192.168.1.1/255.255.255.0 -j SNAT --to-source 192.168.1.1
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -N shlimit
    -A shlimit -m recent --set --name shlimit
    -A shlimit -m recent --update --hitcount 21 --seconds 60 --name shlimit -j DROP
    -A INPUT -p tcp --dport 22 -m state --state NEW -j shlimit
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    -A INPUT -p tcp --dport 8080 -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp --dport 51515 -j ACCEPT
    :FORWARD DROP [0:0]
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    :wanin - [0:0]
    :wanout - [0:0]
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i vlan2 -j wanin
    -A FORWARD -o vlan2 -j wanout
    -A FORWARD -i br0 -o vlan2 -j ACCEPT
    :upnp - [0:0]
    -A FORWARD -i vlan2 -j upnp
    -A wanin -p tcp -m tcp -d 192.168.1.100 --dport 21 -j ACCEPT
    -A wanin -p tcp -m tcp -d 192.168.1.100 --dport 22 -j ACCEPT
    -A wanin -p tcp -m tcp -d 192.168.1.100 --dport 5900 -j ACCEPT
    COMMIT
    
    Can anyone interpret it for me?
    Is there maybe an optware package I need to install to provide a functionality called by iptables-restore?
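
As an added example (not part of the thread and not Tomato's own code): a shell helper that maps the N in "iptables-restore: line N failed" to the table and rule in a saved ruleset, and lists `-A` rules whose chain was never declared in that table. It assumes the file is iptables-restore input, as /tmp/etc/iptables.error appears to be; the function names, the sample ruleset and its `rdev` chain are constructed for illustration.

```shell
#!/bin/sh
# explain_line FILE N: print the table and rule found at line N of FILE.
explain_line() {
    awk -v n="$2" '
        /^\*/   { table = substr($0, 2) }    # "*filter" opens a table
        NR == n { printf "table=%s line=%d rule=%s\n", table, NR, $0; found = 1 }
        END     { if (!found) { print "line " n " is past end of file"; exit 1 } }
    ' "$1"
}

# undeclared_appends FILE: list -A rules whose chain was not declared
# (":chain ..." or "-N chain") earlier in the same table.
undeclared_appends() {
    awk '
        /^\*/      { table = substr($0, 2); split("", seen); next }
        /^:/       { seen[substr($1, 2)] = 1; next }
        $1 == "-N" { seen[$2] = 1; next }
        $1 == "-A" && !($2 in seen) {
            printf "line %d: -A %s used before chain is declared in table %s\n", NR, $2, table
        }
    ' "$1"
}

# Constructed sample ruleset (not taken from the thread); "rdev" is a made-up chain.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-N shlimit
-A shlimit -m recent --set --name shlimit
-A rdev -j DROP
-A FORWARD -i br0 -o vlan2 -j ACCEPT
COMMIT
EOF
}

f=$(mktemp) && sample_rules > "$f"
explain_line "$f" 6        # the rule at the reported line number
undeclared_appends "$f"    # structural problems anywhere in the file
rm -f "$f"
```
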
     
  7. MIkey0124

    MIkey0124 Networkin' Nut Member

    Are you having the same problem as me, with it not working with the VPN running?
     
  8. Jacques

    Jacques Addicted to LI Member

    You must use two rules:
    1. Schedule: Everyday, 23:00 - 23:59
    2. Schedule: Everyday, 00:00 - 6:30
     
  9. alazyworkaholic

    alazyworkaholic Serious Server Member

    My build is Big-VPN, but I never activated the VPN. Checking the status says it's not running.
    About the rules, that doesn't fix it.
    I set a rule to prevent me from accessing the internet right now (only rule), enabled & saved it, & here I am.

    Any other ideas? Thanks,
     
  10. Jacques

    Jacques Addicted to LI Member

    Never had problems with Access Restriction with Toastman firmware on my E3000. Or try the latest Shibby 104 firmware. And don't forget to erase NVRAM...
     
  11. alazyworkaholic

    alazyworkaholic Serious Server Member

    Nutz, flashing makes me nervous. The only time I did it was to replace the stock firmware. If you have your own E3000, from one tomato version to another, is it as simple as disabling JFFS, then uploading the file while making sure the "After flashing, erase all data in NVRAM memory" box is ticked? Please let me know if there's any command line stuff, if a 30/30/30 is necessary, or any other complications.
    Will I have to reinstall all my optware packages / bootstrap optware?

    Thanks,
     
  12. gfunkdave

    gfunkdave LI Guru Member

    No, you just use the Tomato GUI. I rarely erase NVRAM, even. Though I usually just upgrade within one fork (from a Toastman mod to another Toastman, say).

    Nothing to be nervous about.
     
  13. alazyworkaholic

    alazyworkaholic Serious Server Member

    I updated the firmware to v 104. The access restriction works now. Thanks!
     
