
Iptables

Discussion in 'Tomato Firmware' started by nico974_64, Nov 14, 2017.

  1. nico974_64

    nico974_64 New Member Member

    Hello all,

    My Linksys router is flashed with Tomato USB firmware. It is configured as an OpenVPN client.

    I asked my VPN provider for a script to break the uplink when the connection to the VPN server is lost. Otherwise, if the router loses connection to the VPN, it becomes visible with the IP address of my ISP.

    My VPN provider gave me this to put into the router firewall:

    iptables -I FORWARD -i br0 -o vlan2 -j DROP

    It does not work: when I stop the OpenVPN client, I am still connected to the internet through my box.

    I do not know the Linux commands at all and I do not really know if this script does what I want… Could you explain it to me and tell me if it does what I want?

    Thanks!
     
  2. Bunsen

    Bunsen New Member Member

    Try this:
    iptables -I FORWARD -i br0 -o $(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}') -j DROP

    The command says:
    -I FORWARD = Insert the following rule to the FORWARD table
    -i br0 = For traffic coming from the br0 interface [inside your router]
    -o $(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}') = leaving the router through the WAN interface
    -j DROP = drop the packets [do not let it pass]

    The "fix" to the command they provided is to not assume your WAN interface is vlan2; instead it will read from your router config to figure out what it is. [There are other ways of getting the WAN interface, but they may be build-specific. I find the above line is the most portable.]

    Alternatively you could reverse the logic:
    iptables -I FORWARD ! -o tun+ -j DROP

    The command says: If the traffic is not going out a tunnel interface, drop it.
     
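    As an added example (not code from this thread or from Tomato), the following script derives the WAN interface from `route -n` output the way Bunsen's awk does, but keyed on the genmask field, and builds the two kill-switch rules from the answer above. The interface names, addresses and the sample routing table are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato. It derives the WAN
# interface from `route -n` (as Bunsen's awk does) and builds the kill-switch
# rules. Interface names and addresses below are constructed.

# Constructed `route -n` output with the OpenVPN client up: the 0.0.0.0 and
# 128.0.0.0 lines with genmask 128.0.0.0 are the tunnel's /1 routes
# (redirect-gateway); the line with genmask 0.0.0.0 is the real default
# route over the WAN port.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun11
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun11
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0'

# wan_iface: print the interface of the true default route (genmask 0.0.0.0).
# The '/^0.0.0.0/' pattern from the thread also matches the tunnel's 0.0.0.0/1
# route and relies on that line sorting before the default route; testing the
# genmask field does not depend on ordering.
wan_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# killswitch_rules: print the two iptables commands, one per line. Both act on
# FORWARD only, so LAN (br0) traffic to the WAN is dropped while the router's
# own OpenVPN process (OUTPUT chain) can still reach the VPN server to reconnect.
# "-i br0" on the tun+ variant keeps replies forwarded from the tunnel to br0
# from being dropped as well.
killswitch_rules() {
    wan=$1
    echo "iptables -I FORWARD -i br0 -o $wan -j DROP"
    echo "iptables -I FORWARD -i br0 ! -o tun+ -j DROP"
}

# apply_killswitch: run the rules on a router; a no-op on a machine without
# iptables (e.g. when testing this script on a PC).
apply_killswitch() {
    wan=$(wan_iface "$(route -n 2>/dev/null)")
    [ -n "$wan" ] || { echo "no default route found" >&2; return 1; }
    command -v iptables >/dev/null || return 0
    killswitch_rules "$wan" | while read -r cmd; do
        eval "$cmd"   # the firewall script is re-run on every firewall restart; -I prepends
    done
}
```

    Only one of the two rules is needed; the WAN-specific one is the closest to what the provider gave, the tun+ one does not depend on the WAN interface name at all.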
  3. nico974_64

    nico974_64 New Member Member

    Hi bunsen,

    Thanks a lot for your answer. I will try your script and let you know if it works.
     
  4. nico974_64

    nico974_64 New Member Member

    Hi bunsen,

    It works! Thanks a lot.

    However, I have another question: the command you gave me drops the packets coming from upstream (internet box). But does it drop the packets coming from downstream?

    Let me explain, I have a bittorrent client running on a NAS. For every torrent file I have Download and Upload.

    So, the command you gave me stops download (great!), but I would like to stop upload at the same time...

    Thanks again.
     
  5. Bunsen

    Bunsen New Member Member

    TCP is a two-way conversation. If one way gets blocked, the other cannot work.
     
  6. nico974_64

    nico974_64 New Member Member

    Thanks again Bunsen for your help.
     
  7. pedro311

    pedro311 Serious Server Member

    Remember that the BitTorrent protocol also works over UDP...
     
  8. Bunsen

    Bunsen New Member Member

    Thanks - I didn't know that before.
    UDP is used for the p2p tracker, not the download [unless you have uTP enabled: http://www.bittorrent.org/beps/bep_0029.html]

    Regardless, the iptables rule doesn't specify protocol, so both TCP and UDP packets will not be allowed through the WANIF.
     