Properly block ports on openwrt
I want to block certain protocols from being used, and I do this by blocking their ports, such as 53.
I tried to edit /etc/config/firewall, adding:

config rule 'stopdns'
    option name 'stopdns'
    option proto 'tcpudp'
    option dest_port '53'
    option target 'DROP'

and /etc/firewall.user (when the first option did not succeed):

iptables -A OUTPUT -p tcp --dport 53 -j DROP
iptables -A OUTPUT -p udp --dport 53 -j DROP

Same thing with ports 80 and 443, to try, because none of the things above worked. After each edit I run /etc/init.d/firewall restart.
firewall iptables port openwrt
In the iptables rules you appear to be locking the OUTPUT chain. You probably want to block the FORWARD chain to prevent devices on the LAN sending traffic through the router. Also, if you block the OUTPUT chain, you will stop recursive DNS working from the router.
– davidgo
Jan 14 at 0:45
@davidgo seems not the right fix; for example
iptables -A FORWARD -p tcp/udp --dport 443 -j DROP
and still this website and any other load.
– pomur
Jan 14 at 19:22
Try using -I to INPUT at the start of the chain, not -A to append - there may be an earlier rule with a matching allow, so your appended rule is never reached.
– davidgo
Jan 14 at 19:25
@davidgo can I accept yours as answer?
– pomur
Jan 16 at 22:16
Thanks for that - I'm pleased it worked for you. I've made it an answer.
– davidgo
Jan 17 at 0:33
asked Jan 13 at 22:16 by pomur
1 Answer
As per comments - the solution is to insert the iptables rule at the top of the chain, rather than append it, so an appropriate firewall line would be:

# one rule per protocol: iptables has no "tcp/udp" protocol keyword
iptables -I FORWARD -p tcp --dport 443 -j DROP
iptables -I FORWARD -p udp --dport 443 -j DROP
answered Jan 17 at 0:32 by davidgo
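As an added example (not part of the question or of davidgo's answer), the POSIX shell script below puts the two points of the thread into working form: the blocking rules are generated as one tcp and one udp rule per port and inserted with -I into the FORWARD chain, and a second function checks an `iptables -S FORWARD` listing to confirm the DROP sits ahead of every ACCEPT, which is the quick check to run after /etc/init.d/firewall restart. The function names (block_rules, drop_before_accept) and the two sample chain listings are constructed for this example and are not output from the asker's router.

```shell
#!/bin/sh
# Added example, not from the Super User thread. Two helpers:
# 1. block_rules: prints /etc/firewall.user lines that block a list of
#    destination ports for traffic forwarded through the router. iptables has
#    no "tcp/udp" protocol keyword, so each port gets one tcp and one udp rule,
#    and "-I" inserts each rule at the top of the chain so it is evaluated
#    before any earlier ACCEPT (an appended "-A" rule behind a matching ACCEPT
#    is never reached).
# 2. drop_before_accept: reads an `iptables -S <chain>` listing on stdin and
#    succeeds only when a DROP for the given port is listed ahead of every
#    ACCEPT rule in that chain.
# Function names and the sample listings below are constructed for this example.

block_rules() {
    chain=$1
    shift
    for port in "$@"; do
        for proto in tcp udp; do
            printf 'iptables -I %s -p %s --dport %s -j DROP\n' "$chain" "$proto" "$port"
        done
    done
}

drop_before_accept() {
    awk -v port="$1" '
        # rules are matched top to bottom: remember if an ACCEPT comes first
        /^-A / && /-j ACCEPT/ && !drop { accept = 1 }
        # a DROP for our port only counts if no ACCEPT was listed before it
        /^-A / && /-j DROP/ && $0 ~ ("--dport " port "( |$)") && !accept { drop = 1 }
        END { exit (drop ? 0 : 1) }
    '
}

# Constructed listing: the DROP was appended (-A) behind the usual conntrack
# ACCEPT, which is the situation the question's rules produced.
appended_listing() {
    printf '%s\n' \
        '-P FORWARD ACCEPT' \
        '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i br-lan -j zone_lan_forward' \
        '-A FORWARD -p tcp -m tcp --dport 443 -j DROP'
}

# Constructed listing: the same DROP rules inserted (-I) at the top of the chain.
inserted_listing() {
    printf '%s\n' \
        '-P FORWARD ACCEPT' \
        '-A FORWARD -p udp -m udp --dport 443 -j DROP' \
        '-A FORWARD -p tcp -m tcp --dport 443 -j DROP' \
        '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i br-lan -j zone_lan_forward'
}

echo '# lines for /etc/firewall.user:'
block_rules FORWARD 53 80 443
for name in appended_listing inserted_listing; do
    if $name | drop_before_accept 443; then
        echo "$name: DROP for port 443 is ahead of every ACCEPT"
    else
        echo "$name: DROP for port 443 is shadowed by an earlier ACCEPT"
    fi
done
```

On a live router the check is `iptables -S FORWARD | drop_before_accept 443`. Using FORWARD rather than OUTPUT keeps the router's own recursive DNS working, as davidgo's first comment notes; the rules in /etc/firewall.user are reapplied on each /etc/init.d/firewall restart. If the UCI form from the question is preferred instead, the rule section also needs `option src 'lan'` and `option dest 'wan'` so the firewall places it in the forwarding path rather than the router's own output or input chain.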