
What is wrong with this iptables rule?

Discussion in 'Tomato Firmware' started by Bird333, May 29, 2014.

  1. Bird333

    Bird333 Network Guru Member

    I set up a virtual wireless interface and put it in 'br2'. I added this rule (/usr/sbin/iptables -I FORWARD -i br2 -o !br0 -j DROP) to only allow traffic to 'br0', but I can still access the internet. Why? Here are my rules:
    Code:
    Chain INPUT (policy DROP 5 packets, 425 bytes)
     pkts bytes target  prot opt in  out  source  destination
      190 10616 DROP  tcp  --  br0  *  0.0.0.0/0  192.168.5.232  tcp dpt:!80
      0  0 ACCEPT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:9105
     138K 7567K ACCEPT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:41414
      0  0 ACCEPT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:41414
      0  0 ACCEPT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:9103
      0  0 ACCEPT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:9104
      33  1672 DROP  tcp  --  *  *  0.0.0.0/0  192.168.5.1  MAC ! **:**:**:**:**:** tcp dpt:2250
      0  0 DROP  tcp  --  *  *  !192.168.5.118  192.168.5.1  tcp dpt:2250
      0  0 ACCEPT  tcp  --  br2  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:53
      24  2587 ACCEPT  udp  --  br2  *  0.0.0.0/0  0.0.0.0/0  multiport dports 53,67
      125 12842 DROP  all  --  br2  *  0.0.0.0/0  0.0.0.0/0  state NEW
      0  0 ACCEPT  tcp  --  br1  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:53
      0  0 ACCEPT  udp  --  br1  *  0.0.0.0/0  0.0.0.0/0  multiport dports 53,67
      0  0 ACCEPT  tcp  --  br1  *  0.0.0.0/0  192.168.5.252  tcp dpt:80
      0  0 DROP  all  --  br1  *  0.0.0.0/0  0.0.0.0/0  state NEW
      12  492 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state INVALID
     5564  869K ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
      194 10120 adblk.fw  all  --  *  *  0.0.0.0/0  192.168.5.252
      2  104 shlimit  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:22 state NEW
      281 24374 ACCEPT  all  --  lo  *  0.0.0.0/0  0.0.0.0/0   
     8937 2417K ACCEPT  all  --  br0  *  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  br1  *  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  br2  *  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp spt:67 dpt:68
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target  prot opt in  out  source  destination
      0  0 ACCEPT  udp  --  br1  br0  0.0.0.0/0  0.0.0.0/0  udp dpts:7614:7617
      0  0 ACCEPT  tcp  --  br1  br0  0.0.0.0/0  0.0.0.0/0  tcp dpts:7614:7617
      0  0 DROP  all  --  br2  *  0.0.0.0/0  192.168.100.0/24
      0  0 DROP  all  --  br1  *  0.0.0.0/0  192.168.100.0/24
      0  0 DROP  all  --  br1  !vlan2  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  br0  br2  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  br0  br1  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  tap2  br2  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  br2  tap2  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  tap1  br0  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  br0  tap1  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  tap0  br0  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  br0  tap0  0.0.0.0/0  0.0.0.0/0   
      0  0 DROP  all  --  br2  !br0  0.0.0.0/0  0.0.0.0/0   
     361K  320M  all  --  *  *  0.0.0.0/0  0.0.0.0/0  account: network/netmask: 192.168.5.0/255.255.255.0 name: lan
      0  0  all  --  *  *  0.0.0.0/0  0.0.0.0/0  account: network/netmask: 192.168.3.0/255.255.255.0 name: lan1
      347 92880  all  --  *  *  0.0.0.0/0  0.0.0.0/0  account: network/netmask: 192.168.4.0/255.255.255.0 name: lan2
      0  0 ACCEPT  all  --  br0  br0  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  br1  br1  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  br2  br2  0.0.0.0/0  0.0.0.0/0   
      385 96507 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state INVALID
     3077  166K TCPMSS  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp flags:0x06/0x02 TCPMSS clamp to PMTU
     358K  319M ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
      0  0 DROP  all  --  br0  br1  0.0.0.0/0  0.0.0.0/0   
      0  0 DROP  all  --  br0  br2  0.0.0.0/0  0.0.0.0/0   
      0  0 DROP  all  --  br1  br0  0.0.0.0/0  0.0.0.0/0   
      0  0 DROP  all  --  br1  br2  0.0.0.0/0  0.0.0.0/0   
      65  2860 DROP  all  --  br2  br0  0.0.0.0/0  0.0.0.0/0   
      0  0 DROP  all  --  br2  br1  0.0.0.0/0  0.0.0.0/0   
      0  0 wanin  all  --  vlan2  *  0.0.0.0/0  0.0.0.0/0   
     2836  879K wanout  all  --  *  vlan2  0.0.0.0/0  0.0.0.0/0   
     2824  879K ACCEPT  all  --  br0  *  0.0.0.0/0  0.0.0.0/0   
      0  0 ACCEPT  all  --  br1  *  0.0.0.0/0  0.0.0.0/0   
      12  624 ACCEPT  all  --  br2  *  0.0.0.0/0  0.0.0.0/0   
    
    Chain OUTPUT (policy ACCEPT 643K packets, 906M bytes)
     pkts bytes target  prot opt in  out  source  destination
    
    Chain adblk.fw (1 references)
     pkts bytes target  prot opt in  out  source  destination
      194 10120 ACCEPT  tcp  --  br+  *  0.0.0.0/0  0.0.0.0/0  multiport dports 443,80
      0  0 ACCEPT  icmp --  br+  *  0.0.0.0/0  0.0.0.0/0  icmp type 8
      0  0 REJECT  tcp  --  br+  *  0.0.0.0/0  0.0.0.0/0  reject-with tcp-reset
      0  0 REJECT  all  --  br+  *  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
      0  0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0   
    
    Chain shlimit (1 references)
     pkts bytes target  prot opt in  out  source  destination
      2  104  all  --  *  *  0.0.0.0/0  0.0.0.0/0  recent: SET name: shlimit side: source
      0  0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    
    Chain wanin (1 references)
     pkts bytes target  prot opt in  out  source  destination
    
    Chain wanout (1 references)
     pkts bytes target  prot opt in  out  source  destination
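
Added example, not part of the original post or of Tomato's firewall script: a first-match walk over a trimmed copy of the FORWARD chain listed above. It models only the interface and conntrack-state matches (address, port and protocol matches are left out because the rules in question do not use them), keeps the rules in the order the listing shows them, and reports which rule decides a packet's verdict. It also shows why position matters: the same `-i br2 -o !br0 -j DROP` rule appended with `-A` instead of inserted with `-I` is shadowed by the later `ACCEPT br2 *` rule and never fires. The walk also makes visible that, with this ruleset, a new br2-to-br0 packet is caught by the separate `DROP br2 br0` rule further down, so br2 cannot reach br0 either.

```python
"""First-match evaluation of a trimmed copy of the FORWARD chain from the post.

Constructed for illustration: only -i/-o interface patterns and conntrack
state matches are modelled; the rule order follows the listing.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    in_if: str             # "*" any; "br2" exact; "!br0" any except br0; "br+" prefix
    out_if: str
    state: Optional[str]   # None = no conntrack match, else comma-separated states
    target: str            # ACCEPT or DROP


def iface_matches(pattern: str, actual: str) -> bool:
    """Match an interface name against an iptables -i/-o pattern."""
    if pattern == ANY:
        return True
    if pattern.startswith("!"):            # negation, as in `-o !br0` / `! -o br0`
        return actual != pattern[1:]
    if pattern.endswith("+"):              # wildcard suffix, as in `br+`
        return actual.startswith(pattern[:-1])
    return actual == pattern


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """True when every match the rule carries is satisfied by the packet."""
    return (iface_matches(rule.in_if, pkt["in"])
            and iface_matches(rule.out_if, pkt["out"])
            and (rule.state is None or pkt["state"] in rule.state.split(",")))


def first_match(chain: List[Rule], pkt: dict,
                policy: str = "DROP") -> Tuple[Optional[int], str]:
    """Return (index of the deciding rule, verdict); index None means the chain policy applied."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return i, rule.target
    return None, policy


# FORWARD chain from the listing, trimmed to interface/state rules, same order.
ISOLATION_DROP = Rule("br2", "!br0", None, "DROP")        # the rule added with -I
FORWARD = [
    Rule("br0", "br2", None, "ACCEPT"),
    ISOLATION_DROP,
    Rule("*", "*", "INVALID", "DROP"),
    Rule("*", "*", "RELATED,ESTABLISHED", "ACCEPT"),
    Rule("br0", "br2", None, "DROP"),
    Rule("br2", "br0", None, "DROP"),                     # LAN isolation rule from the listing
    Rule("br0", "*", None, "ACCEPT"),
    Rule("br2", "*", None, "ACCEPT"),
]


def packet(in_if: str, out_if: str, state: str = "NEW") -> dict:
    """Constructed packet: ingress interface, egress interface, conntrack state."""
    return {"in": in_if, "out": out_if, "state": state}


def appended_variant() -> List[Rule]:
    """Same chain, but with the isolation rule appended (-A) instead of inserted (-I)."""
    return [r for r in FORWARD if r is not ISOLATION_DROP] + [ISOLATION_DROP]


if __name__ == "__main__":
    cases = (packet("br2", "vlan2"), packet("br2", "br0"),
             packet("vlan2", "br2", "ESTABLISHED"), packet("br0", "vlan2"))
    for label, chain in (("as listed", FORWARD), ("rule appended", appended_variant())):
        for pkt in cases:
            idx, verdict = first_match(chain, pkt)
            where = "policy" if idx is None else f"rule {idx + 1}"
            print(f"{label:13s} {pkt['in']}->{pkt['out']:6s} {pkt['state']:11s} {verdict} ({where})")
```

Run it as a script to see the verdict table. With the order as listed, a new packet entering on br2 and leaving on vlan2 lands on the `br2 !br0` DROP; a new br2-to-br0 packet gets past it and is dropped by the `br2 br0` isolation rule; a reply packet entering on vlan2 is accepted by the RELATED,ESTABLISHED rule. In the appended variant the same br2-to-vlan2 packet is accepted by `br2 *` before the DROP is ever consulted, which is the shadowing effect that `iptables -L -v -n` packet counters help you spot: a rule that should be matching but shows a zero counter is either placed after something that already decided the packet or is not matching what you think it matches.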
     
  2. Bird333

    Bird333 Network Guru Member

  3. Bird333

    Bird333 Network Guru Member

    Anyone?
     
