
Block incoming site with iptables

Discussion in 'HyperWRT Firmware' started by EmmEff, Nov 25, 2005.

  1. EmmEff

    EmmEff Network Guru Member

    Can somebody tell me how to block an incoming site using iptables? I searched this forum and used the example ("iptables -I FORWARD ...") but it didn't work.

  2. EmmEff

    EmmEff Network Guru Member

    I tried the following but neither worked:

    iptables -I INPUT -s w.x.y.z -j DROP

    iptables -I FORWARD -s w.x.y.z -j DROP

    where w.x.y.z is the IP address of the host I wish to block.

    What am I doing wrong? Or better yet, where can I read up on how to do this? I understand the basic functionality of iptables, but I am not sure why my rules aren't being used to drop incoming connections from that IP.
  3. Judex

    Judex Network Guru Member

    If you use -I INPUT you have to define the number of the rule after the chain name (INPUT, in your case) where the new one should be inserted. If you use -R INPUT you have to define the number of the rule which should be replaced.

    You also could use -A, if you just want to append a new rule at the end of INPUT chain for example.

    Greetings, Judex
  4. EmmEff

    EmmEff Network Guru Member

    Unfortunately, this still does not work (either appending to the end of the INPUT chain or specifying -I INPUT 1). What am I doing wrong?
  5. Judex

    Judex Network Guru Member

    Are you using Thibor 2011?

    I upgraded to it from 1511 today and now it does not work for me either.


    I put following command to the "Firewall Script" window:

    "/usr/sbin/iptables -I INPUT 2 -p udp -s -j DROP"
    without the quotes

    Any hints anybody?

    Greetings, Judex

    PS: The same command entered in the "Run Command" window works correctly.

    EDIT2: The command is also executed correctly during reboot, if entered in "Edit Startup..." window.
  6. 4Access

    4Access Network Guru Member

    Hmm... both rules look ok. This host is actually on the internet right? What kind of a host is this? Is it actually a single computer or is it a website that could possibly have more than one IP address? Lastly, your internet connection is coming in through the WAN port on the WRT right?

    You could try the following rule instead of the two you used:

    iptables -t nat -I PREROUTING -s w.x.y.z -j DROP

    That will block all incoming connections from w.x.y.z both for the router itself and the clients behind it. If that doesn't work something else is wrong.

    No, you don't. If you don't specify a number it will automatically insert the rule at the beginning of the chain.

    What are you trying to accomplish? Your rule should prevent the router from receiving UDP packets from as long as is on the WAN side of the router... It won't prevent any traffic from passing between & the PCs you have connected to the router.
  7. swinn

    swinn Network Guru Member

    Hmm, I checked my firewall scripts for port forwarding and they don't seem to be working anymore either with Thibor 2011. It's like the firewall script isn't being run.

    Edit: Actually now that I'm looking into this, I can't get my old firewall scripts to work at all even if I type them directly into the telnet session.
  8. Judex

    Judex Network Guru Member

    @4Access: Thanks for thinking over this.

    But the problem does not lie in the iptables logic or the rule itself. It is not submitted to the active chains when inserted via the special Firewall Script window provided in Thibor 2011 and previous versions.

    Everything is ok when the command is executed through command shell or Startup Script window during reboot.

    This worked in ver. 1511 and something seems to have changed in 2011. That's all.

    Regards, Judex

    Besides: the purpose of the rule is to block a DHCP server of my provider on the WAN side, because I do not want to get all those denies logged. So I put a "DROP" instead of "logdrop" at the beginning of the chain.
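The thread turns on two points: 4Access's note that "-I" without a position inserts at the top of the chain, and Judex's finding that a rule entered in the Firewall Script window never reached the active chains even though it looked correct. The natural check for both is to read the live chain back with "iptables -L INPUT -n --line-numbers" and confirm the DROP rule is really there and where it landed. The script below is an added example, not code posted by anyone in this thread: it parses that listing, reports the position of a DROP rule for a given source, and only inserts the rule when it is missing, so running it from the startup script at every boot never stacks duplicates. The sample listing and the address 203.0.113.7 (from the TEST-NET-3 documentation range) are constructed so the parsing part runs without a router; the /usr/sbin/iptables path is the one Judex used.

```shell
#!/bin/sh
# Added example: verify that a DROP rule for a source address is present in a
# live iptables chain, and insert it at the top only if it is missing.
# Parses the output format of "iptables -L <chain> -n --line-numbers".

IPTABLES=${IPTABLES:-/usr/sbin/iptables}   # path from the thread; override via env

# rule_position SRC
#   Reads an "iptables -L -n --line-numbers" listing on stdin and prints the
#   line number of the first DROP rule whose source column equals SRC.
#   Exit status 0 if such a rule exists, 1 otherwise.
rule_position() {
  awk -v src="$1" '
    # Rule lines begin with a numeric position; columns are:
    # num target prot opt source destination [extra match text]
    $1 ~ /^[0-9]+$/ && $2 == "DROP" && $5 == src { print $1; found = 1; exit }
    END { exit found ? 0 : 1 }
  '
}

# ensure_drop_rule CHAIN SRC
#   Idempotent insert: inspects the live chain first, so re-running this from
#   the startup script (where Judex found rules do get applied) never adds a
#   second copy of the same rule.
ensure_drop_rule() {
  chain=$1
  src=$2
  if pos=$("$IPTABLES" -L "$chain" -n --line-numbers | rule_position "$src"); then
    echo "$chain: DROP for $src already present at position $pos"
  else
    # Explicit position 1 makes the intent clear; plain -I does the same.
    "$IPTABLES" -I "$chain" 1 -s "$src" -j DROP
    echo "$chain: inserted DROP for $src at position 1"
  fi
}

# Constructed sample listing, in the shape "iptables -L INPUT -n --line-numbers"
# prints; 203.0.113.7 is a placeholder address, not a real host.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       udp  --  203.0.113.7          0.0.0.0/0
3    logdrop    all  --  0.0.0.0/0            0.0.0.0/0'

# Demonstration on the sample listing: prints the position of the DROP rule (2).
printf '%s\n' "$SAMPLE_LISTING" | rule_position 203.0.113.7
```

On the router, a startup script would call "ensure_drop_rule INPUT 203.0.113.7" (with the real WAN-side address) and then list the chain once more to confirm the rule sits above the logdrop entry; if the listing shows no such line, the rule never reached the kernel, which is exactly the symptom Judex describes for the Firewall Script window.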
