We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.
0 votes
501 views 11 comments
by
Hi,

On my RUT240 (FW ver.: RUT2XX_R_00.01.13.1) I want to block all packets from IP 192.168.43.4 in the LAN. I used the firewall custom rules to add:

iptables -I INPUT -s 192.168.43.4 -j DROP

but all packets are still going through, since I can capture them with Wireshark on IP 192.168.43.8. I checked iptables and it starts with:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26   884 DROP       all  --  *      *       192.168.43.4         0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  345 27227 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for input */
  242 16733 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
    1    64 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
  103 10494 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wan_input  all  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_vpn_input  all  --  tun_+  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_l2tp_input  all  --  l2tp+  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_l2tp_input  all  --  xl2tp+ *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_pptp_input  all  --  pptp+  *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_gre_input  all  --  gre+   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_input  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_input  all  --  tun1   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_input  all  --  tun2   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_hotspot_input  all  --  tun3   *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_sstp_input  all  --  sstp-+ *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

So 26 packets seem to have been DROPped, but I can still see them with Wireshark.

Where am I wrong?

Please help!

Best,
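The listing in the question already holds the answer to "where am I wrong": the DROP sits at the top of INPUT and its counter is climbing, so the router is discarding packets from 192.168.43.4 that are addressed to the router itself, including the router's own copy of every broadcast. INPUT never sees traffic going from one LAN host to another: a unicast between two hosts on br-lan is switched at layer 2, and a broadcast is flooded to every bridge port at the same moment a copy goes up to the router's IP stack, which is why Wireshark on 192.168.43.8 still sees the frames. Traffic leaving the LAN (to the WAN or a VPN) goes through FORWARD, which is the chain an fw3 Traffic Rule with a destination zone populates. The following Python model, added here and not code from the thread, from Teltonika or from fw3, walks the INPUT chain exactly as posted and reports which copies of a frame exist on the router and what happens to each. The router address 192.168.43.1, the bridge port names and bridge-nf-call-iptables being off are assumptions; the model also ignores that wired-to-wired frames may be forwarded inside the switch chip without ever reaching the CPU.

```python
"""Toy model of which netfilter chains a frame meets on an OpenWrt-style router
(the RUT240 in this thread) plus a walk of the INPUT chain the question posted.
Added example; not code from the thread, from Teltonika or from fw3.
Assumptions: router LAN address 192.168.43.1, br-lan members eth0/eth1/wlan0,
bridge-nf-call-iptables=0 (the kernel default) unless passed explicitly."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LAN_NET = ipaddress.ip_network("192.168.43.0/24")
ROUTER_IP = ipaddress.ip_address("192.168.43.1")      # assumption, not stated in the thread
BRIDGE_PORTS = ("eth0", "eth1", "wlan0")               # assumption: ports bridged into br-lan
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Packet:
    src: str
    dst: str
    in_port: str = "eth0"      # physical ingress port (constructed test traffic)
    ctstate: str = "NEW"


@dataclass
class Rule:
    target: str
    src: Optional[str] = None
    in_if: Optional[str] = None
    ctstate: Optional[str] = None


# Top of the OP's INPUT chain, in the order iptables printed it.
INPUT_CHAIN = [
    Rule("DROP", src="192.168.43.4"),              # the custom rule, put first by -I
    Rule("ACCEPT", in_if="lo"),
    Rule("input_rule"),                             # fw3 user chain, empty in the listing
    Rule("ACCEPT", ctstate="RELATED,ESTABLISHED"),
    Rule("DROP", ctstate="INVALID"),
    Rule("zone_lan_input", in_if="br-lan"),         # lan zone input, default ACCEPT
]
# FORWARD as fw3 builds it: traffic entering on br-lan jumps to zone_lan_forward.
# A Traffic Rule "source zone lan, source IP 192.168.43.4, destination any, DROP"
# puts a DROP ahead of the zone's accept; this list approximates that.
FORWARD_CHAIN_DEFAULT = [Rule("zone_lan_forward", in_if="br-lan")]
FORWARD_CHAIN_WITH_TRAFFIC_RULE = [Rule("DROP", src="192.168.43.4", in_if="br-lan")] + FORWARD_CHAIN_DEFAULT
ZONE_CHAIN_VERDICT = {"zone_lan_input": "ACCEPT", "zone_lan_forward": "ACCEPT"}


def logical_in_if(pkt: Packet) -> str:
    """iptables -i matches the bridge name, not the physical member port."""
    return "br-lan" if pkt.in_port in BRIDGE_PORTS else pkt.in_port


def evaluate_chain(pkt: Packet, chain: List[Rule], policy: str = "ACCEPT") -> str:
    """Walk a chain top to bottom; the first matching terminal target decides."""
    for rule in chain:
        if rule.src is not None and rule.src != pkt.src:
            continue
        if rule.in_if is not None and rule.in_if != logical_in_if(pkt):
            continue
        if rule.ctstate is not None and pkt.ctstate not in rule.ctstate.split(","):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        if rule.target in ZONE_CHAIN_VERDICT:
            return ZONE_CHAIN_VERDICT[rule.target]
        # an empty user chain such as input_rule returns and evaluation continues
    return policy


def frame_copies(pkt: Packet, bridge_nf_call_iptables: bool = False) -> dict:
    """Copies of the frame the router makes and the iptables chains each copy meets."""
    dst = ipaddress.ip_address(pkt.dst)
    broadcast = dst in (LAN_NET.broadcast_address, LIMITED_BROADCAST)
    copies = {}
    if broadcast or dst == ROUTER_IP:
        # the bridge hands a copy to the router's own stack: routing says local -> INPUT
        copies["local"] = ["PREROUTING", "INPUT"]
    if broadcast or (dst in LAN_NET and dst != ROUTER_IP):
        # the bridge floods (broadcast) or forwards (known MAC) at layer 2; iptables
        # FORWARD only sees this copy when br_netfilter sets bridge-nf-call-iptables=1
        copies["bridged"] = ["FORWARD"] if bridge_nf_call_iptables else []
    if not broadcast and dst not in LAN_NET:
        copies["routed"] = ["PREROUTING", "FORWARD", "POSTROUTING"]
    return copies


def explain(pkt: Packet, forward_chain: List[Rule] = FORWARD_CHAIN_DEFAULT,
            bridge_nf_call_iptables: bool = False) -> dict:
    """Verdict per copy; reaches_other_lan_hosts is what Wireshark on 192.168.43.8 sees."""
    copies = frame_copies(pkt, bridge_nf_call_iptables)
    out = {"copies": copies, "input_verdict": None, "forward_verdict": None}
    if "local" in copies:
        out["input_verdict"] = evaluate_chain(pkt, INPUT_CHAIN)
    if "routed" in copies or copies.get("bridged"):
        out["forward_verdict"] = evaluate_chain(pkt, forward_chain)
    out["reaches_other_lan_hosts"] = "bridged" in copies and out["forward_verdict"] != "DROP"
    out["leaves_via_wan"] = "routed" in copies and out["forward_verdict"] == "ACCEPT"
    return out


if __name__ == "__main__":
    for dst in ("255.255.255.255", "192.168.43.8", "8.8.8.8"):   # constructed traffic from .4
        print(dst, explain(Packet("192.168.43.4", dst)))
```

The three constructed packets cover the three cases in the thread: a broadcast from .4 is dropped in INPUT (the 26 counted packets) yet still reaches .8; a unicast from .4 to .8 never consults iptables at all; .4 to 8.8.8.8 passes FORWARD unless a rule in zone_lan_forward drops it, which is what a Traffic Rule with source zone LAN, source IP 192.168.43.4 and destination zone Any produces. Two side effects are worth checking before leaving such a rule in place: the INPUT DROP also silently discards that host's DHCP renewals and DNS queries to the router, and keeping one LAN host away from another on the same bridge needs either br_netfilter with bridge-nf-call-iptables=1 or, more robustly, separation at layer 2 (a VLAN or client isolation) rather than a router firewall rule.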

1 Answer

0 votes
by anonymous

Hello, 

For your additional information, I would prefer that you create that rule using the Web UI itself.

You can do it by navigating to Network > Firewall > Traffic Rules 

Kindly check this link for more information: RUT240 Firewall - Teltonika Networks Wiki (teltonika-networks.com) 

Regards,
Jerome

 

by
Dear Jerome,

Thanks a lot for answering. I tried everything I could using the traffic rules but can't manage to get it to work, that's why I tried the custom iptables rule. For information, while using the traffic rules, every rule is added at the end of the respective chain in iptables, and they seem never to be reached since there is always an "accept all" rule before them in the chain.

I really tried everything I could, following the manual and examples you provide.

Best,
by anonymous
Hello,

Could you try re-flashing the firmware without keeping the config? When the device is back up, just configure the basic things and don't touch anything on the firewall side. Next, configure the Traffic Rule as shown in the screenshot below:

https://prnt.sc/wgkc5z

Reboot the router after saving and check if the rule is working.

Regards,
Jerome
by
OK, I will try it tonight and keep you updated. Maybe I should add that I'm using the WAN port as LAN in my config, since I have to use both physical ports of the RUT240. Don't know if it changes something.

Many thanks Jérôme.

Best,
by
Hi,

So I followed your instructions but it still doesn't work. I tried to block wired and WiFi computers' IPs, saved and rebooted every time, but I still get the packets in Wireshark on my laptop (IP=192.168.43.2). What can I try?

Best,
by anonymous
Hello,

What you want to do is block all incoming and outgoing packets from that IP? On what services, LAN, WAN or any?

For that, you need to create two rules.

The one that I shared is for 192.168.43.2, so that it will not have any access to any zone.

Source Zone: LAN
Source IP: 192.168.43.4
Destination Zone: Any
Action: Drop

Now you need to create another rule for 192.168.43.2:

Source zone: Any
Destination IP: 192.168.43.4
Destination Zone: LAN
Action: Drop

After creating the zones, run this command in the CLI: "/etc/init.d/firewall restart"

Regards,
Jerome
by

In the end I would like to block specific ports only, but since I could not manage to do it, I am now trying to simply block all packets from this host, yes. And yes, this host is on the LAN network.

I added the second rule to block incoming and outgoing traffic, but it still doesn't work.

When I run: /etc/init.d/firewall restart

I got this (check the highlighted part!):

Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[1] (wan) cannot resolve device of network 'ppp'
Warning: Section @zone[1] (wan) cannot resolve device of network 'tun'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wwan0v6'
Warning: Section @zone[2] (vpn) cannot resolve device of network 'vpn'
Warning: Section 'l2tp_zone' cannot resolve device of network 'l2tp'
Warning: Section 'pptp_zone' cannot resolve device of network 'pptp'
Warning: Section 'gre_zone' cannot resolve device of network 'gre'
Warning: Section @zone[6] (hotspot) cannot resolve device of network 'hotspot'
Warning: Section 'sstp' cannot resolve device of network 'sstp'
Warning: Option @rule[16]._name is unknown
Warning: Option @rule[17]._name is unknown
Warning: Option @rule[18]._name is unknown
does not specify a protocol, assuming TCP+UDP
does not specify a protocol, assuming TCP+UDP
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 nat table
* Flushing IPv6 mangle table
* Flushing IPv6 raw table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'l2tp'
* Zone 'pptp'
* Zone 'gre'
* Zone 'hotspot'
* Zone 'sstp'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-vpn-traffic'
* Rule 'Block All'
* Rule 'Block All'
* Forward 'vpn' -> 'lan'
* Forward 'l2tp' -> 'lan'
* Forward 'pptp' -> 'lan'
* Forward 'gre' -> 'lan'
* Forward 'hotspot' -> 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'l2tp'
* Zone 'pptp'
* Zone 'gre'
* Zone 'hotspot'
* Zone 'sstp'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'l2tp'
* Zone 'pptp'
* Zone 'gre'
* Zone 'hotspot'
* Zone 'sstp'
* Populating IPv4 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'l2tp'
* Zone 'pptp'
* Zone 'gre'
* Zone 'hotspot'
* Zone 'sstp'
* Populating IPv6 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'l2tp'
* Zone 'pptp'
* Zone 'gre'
* Zone 'hotspot'
* Zone 'sstp'
* Rule 'Allow-vpn-traffic'
* Rule 'Allow-DHCPv6'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Block All'
! Skipping due to different family of ip address
! Skipping due to different family of ip address
* Rule 'Block All'
! Skipping due to different family of ip address
! Skipping due to different family of ip address
* Forward 'vpn' -> 'lan'
* Forward 'l2tp' -> 'lan'
* Forward 'pptp' -> 'lan'
* Forward 'gre' -> 'lan'
* Forward 'hotspot' -> 'wan'
* Populating IPv6 nat table
* Zone 'lan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
* Zone 'wan'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
* Zone 'vpn'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_vpn_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_vpn_rule'
* Zone 'l2tp'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_l2tp_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_l2tp_rule'
* Zone 'pptp'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_pptp_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_pptp_rule'
* Zone 'gre'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_gre_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_gre_rule'
* Zone 'hotspot'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_hotspot_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_hotspot_rule'
* Zone 'sstp'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_sstp_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_sstp_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'l2tp'
* Zone 'pptp'
* Zone 'gre'
* Zone 'hotspot'
* Zone 'sstp'
* Populating IPv6 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'vpn'
* Zone 'l2tp'
* Zone 'pptp'
* Zone 'gre'
* Zone 'hotspot'
* Zone 'sstp'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
* Running script '/tmp/privoxy/firewall'
* Running script '/etc/logtrigger/fwblock_wrapper.sh'
* Running script '/etc/add-firewall-rule.sh'
* Running script '/etc/add-rs-rule.sh'
* Running script '/etc/add-port-rule.sh'
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_port_scan':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_port_scan':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
! Failed with exit code 1
* Running script '/tmp/ipsec/firewall.sh'
! Skipping due to path error: No such file or directory

by anonymous

Hello, 

I recommend re-flashing the firmware without keeping the settings. Then, after reflashing is done, configure the traffic rules via the Web UI. You can do it under Network > Firewall > Traffic Rules.

Outgoing Rule: 
Source Zone: LAN
Source IP: 192.168.43.4
Destination Zone: Any
Action: Drop

Incoming Rule: 
Source zone: Any
Destination IP: 192.168.43.4
Destination Zone: LAN
Action: Drop

If the issue still persists let me know. 

Regards,
Jerome 

by
Hi Jerome,

I tried again, flashing the firmware and adding the 2 rules, but it is still not working. I can give you RMS access if it can help. I'm a bit lost.

Best,
by anonymous
Hello,

Okay, kindly PM me the credentials and the RMS link.

Regards,

Jerome
by
Yes, I'll do it tonight.

Thanks
by
Hi Jerome,

I spent some time on this and realized my issue was that I tried blocking broadcast packets, which apparently is not feasible like this.

I opened a new discussion in the forum to find the best solution for my network.

Thanks for your help!