by
Hi team!

I have ~200 hosts on my RUTXR1 LAN (static assigned IPs).

I'd like to _dynamically_ block a subset of these devices from accessing the WAN for some period, and then unblock access later via a remote command (from a server on the network).

The devices I wish to block are not all in one range (so I cannot block an IP range), as there are some devices in the range that I wish to allow uninterrupted access. So I would provide a list of IPs (approx. 80 IPs) to block.

I'd like to be able to remotely enable/disable this block using SSH, MQTT, telnet or some other automated machine-to-machine interface (I have an external server that makes a decision, and it can access the RUTXR1).

I think the best way is to use UCI commands via RPC-JSON.

UCI command to add firewall rule to drop Host->WAN access for a specified list of IPs. Does this sound right?

That way my external server can call via RPC-JSON and run the UCI command to set and unset the rule.

If anyone has a quick pointer to examples of setting and unsetting firewall rules via UCI and also the right way to write the firewall rules I would be most grateful!

Many thanks for your guidance and advice.

1 Answer

by

Hello,

This seems like an interesting issue to help solve.

Perhaps you put the IP addresses you'd like to block into a TXT file and attach it to your original post?

I believe the cleanest option here would be to put that file into a certain directory on the router itself and then by sending a command via JSON-RPC create new firewall rules to block access for those clients. Then by sending another command, these rules could be deleted from the firewall. However, if these IP addresses rarely or never change, then it's probably not worth all this work.

Another option could be to simply create those rules by sending a JSON-RPC request to the router with all of the IP addresses that need to be denied access to the WAN. Then they can be enabled/disabled as you wish using a custom script on the router.

The options needed to create such a rule are:

uci add firewall rule
uci set firewall.@rule[-1].name='Blocked'
uci set firewall.@rule[-1].priority='16'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='DROP'
uci set firewall.@rule[-1].utc_time='0'
uci set firewall.@rule[-1].enabled='1'
# src_ip matches the LAN hosts to be blocked (dest_ip would instead match
# the WAN addresses they connect to); each address is one list entry
uci add_list firewall.@rule[-1].src_ip='xxx.xxx.xxx.xxx'
uci add_list firewall.@rule[-1].src_ip='yyy.yyy.yyy.yyy'
uci add_list firewall.@rule[-1].src_ip='zzz.zzz.zzz.zzz'
.
.
.
uci commit firewall
/etc/init.d/firewall restart

When the rule is created, it can be disabled with the commands (the change only takes effect after the commit and firewall reload):

uci set firewall.@rule[-1].enabled='0'
uci commit firewall
/etc/init.d/firewall reload

And enabled:

uci set firewall.@rule[-1].enabled='1'
uci commit firewall
/etc/init.d/firewall reload

Hope this helps!

Best regards,
DaumantasG
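The answer above builds the rule with `@rule[-1]`, which always means "the last rule section in /etc/config/firewall": if any other rule is added later, the enable/disable commands silently hit the wrong one. The script below is an added example (not code from the original thread or from Teltonika) that instead keeps the block list in one named section, `firewall.blocked_hosts`, generated from a plain text file of addresses, so the toggle step is stable and the list can be regenerated from the external server's decision each time. The section name, rule name, list file format (one IPv4 per line, `#` comments allowed) and the sample addresses in the `--demo` branch are assumptions; `dest='wan'` is used because, as the thread notes, the RUTOS wan zone already contains both the wired and the mobile interfaces.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Teltonika: build the
# block rule as ONE named firewall section ("blocked_hosts") carrying the whole
# list of LAN source addresses. A named section is addressed as
# firewall.blocked_hosts, so the later enable/disable step does not depend on the
# rule still being the last one in the file (which is what @rule[-1] points at).
# Assumptions: section name, rule name, list file format (one IPv4 per line,
# '#' comments allowed) and the sample addresses in the --demo branch.

# Accept only a dotted quad with octets 0-255; anything else is rejected so a
# stray line in the list cannot end up as a bogus src_ip value.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a 'uci batch' script that (re)creates the rule from the list file in $1.
# Output only; nothing is applied here, so it can be inspected or diffed first.
build_block_batch() {
    cat <<'EOF'
set firewall.blocked_hosts=rule
set firewall.blocked_hosts.name='Blocked hosts -> WAN'
set firewall.blocked_hosts.src='lan'
set firewall.blocked_hosts.dest='wan'
set firewall.blocked_hosts.proto='all'
set firewall.blocked_hosts.target='DROP'
set firewall.blocked_hosts.enabled='1'
EOF
    # drop comments and blank lines, then validate every remaining entry
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r ip; do
        if valid_ipv4 "$ip"; then
            echo "add_list firewall.blocked_hosts.src_ip='$ip'"
        else
            echo "skipping invalid entry: $ip" >&2
        fi
    done
    echo "commit firewall"
}

# Apply on the router (root shell; needs uci and the firewall init script).
# The old section is removed first so a shorter list never leaves stale entries.
apply_block_list() {
    uci -q delete firewall.blocked_hosts 2>/dev/null || true
    build_block_batch "$1" | uci batch && /etc/init.d/firewall reload
}

# Flip the rule on or off without touching the address list.
set_block_enabled() {   # $1 = 1 (block) or 0 (allow)
    uci set firewall.blocked_hosts.enabled="$1" &&
    uci commit firewall &&
    /etc/init.d/firewall reload
}

# --demo: print the batch for a constructed sample list; no router needed.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample list' 192.168.1.10 192.168.1.23 \
        '10.0.0.300 # bad octet' not-an-ip > "$tmp"
    build_block_batch "$tmp"
    rm -f "$tmp"
fi
```

Run it with `--demo` on any machine to see the generated batch; on the router, `apply_block_list /root/blocked.txt` installs the list and `set_block_enabled 0` / `set_block_enabled 1` toggles it. A `reload` is enough for fw3 to pick up the committed change; a full `restart` is not required.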

by

As the number of IP addresses to be blocked / unblocked is somewhat large I would suggest to use iptables-save / iptables-restore which is much more efficient:

  1. do an iptables-save > ipts-org.txt
  2. manually block one IP address with iptables -A FORWARD -s 192.168.x.y -o wwan0 -j DROP
  3. do an iptables-save > ipts.txt, look at the line containing this 192.168.x.y
  4. add as many similar lines as you need after it
  5. activate via ssh the-router-ip iptables-restore ipts.txt

To unblock all, just do a ssh the-router-ip iptables-restore ipts-org.txt

by
Thank you both! Very useful answers in different ways. I'm going to test the iptables route, just because it's quick to implement (this is a proof of concept of a bigger initiative), but ultimately I think the JSON-RPC method allows me to dynamically select different hosts each time according to other rules, which will be powerful later :)

Can I check - the DROP command for destination "wwan0", is this the same as "wan" in the Teltonika GUI? I ask because I have a main wired WAN interface and also a mobile backup interface - but only "wan: wan wan6 mob1s1a1 mob1s2a1" is visible in the GUI for the destination zone. (The inconsistency between GUI terminology and OpenWrt/RUTOS terminology is confusing.)

Also, does either method require some refresh of network command to enact the changes?

Thank you!
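For the JSON-RPC route the poster intends to use later, the script below is an added example (not code from the original thread or from Teltonika) of what the external decision server would send. On OpenWrt-based firmware the ubus JSON-RPC endpoint is `http(s)://<router>/ubus`: the server first calls `session.login` with the all-zero session id, then uses the returned `ubus_rpc_session` id for `uci set` (which accepts a JSON array for a list option such as `src_ip`), `uci commit` and `file exec` to reload the firewall. Each reply carries the ubus status code as the first element of `result`, and 0 is the only success value. Assumptions: the router address and URL, a named rule section `firewall.blocked_hosts` (rather than the `@rule[-1]` form from the answer above), credentials without `"` characters, and an rpcd ACL that grants that account `uci` set/commit and `file` exec.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Teltonika: drive the
# block rule from the external decision server over the router's ubus JSON-RPC
# endpoint instead of an interactive SSH session. Assumptions: router address
# and endpoint URL, the named rule section firewall.blocked_hosts, credentials
# that contain no double quotes, and an rpcd ACL allowing uci set/commit and
# file exec for the account used.

ROUTER=${ROUTER:-192.168.1.1}              # assumption: router LAN address
RPC_URL=${RPC_URL:-"https://$ROUTER/ubus"} # assumption: default ubus endpoint
NULL_SID=00000000000000000000000000000000  # the only session allowed to call login

# Build a ubus JSON-RPC "call" envelope: $1=session id, $2=object, $3=method,
# $4=JSON object with the method arguments (defaults to {}). Text only.
rpc_payload() {
    args=$4; [ -n "$args" ] || args='{}'
    printf '{"jsonrpc":"2.0","id":1,"method":"call","params":["%s","%s","%s",%s]}' \
        "$1" "$2" "$3" "$args"
}

# POST one payload and print the raw reply. --fail turns HTTP errors into a
# non-zero exit so a wrong URL is not mistaken for an empty ubus reply.
rpc_post() {
    curl -sS --fail -H 'Content-Type: application/json' --data "$1" "$RPC_URL"
}

# ubus puts its own status code first in "result": 0 means success; anything
# else (e.g. 6 = permission denied) means the ACL or the arguments are wrong.
rpc_ok() {
    printf '%s' "$1" | grep -q '"result":\[0'
}

# Extract the session id that session.login returns.
rpc_parse_sid() {
    printf '%s' "$1" | sed -n 's/.*"ubus_rpc_session":"\([0-9a-f]*\)".*/\1/p'
}

# Turn a newline-separated address list (stdin) into a JSON array for uci set.
ips_to_json_array() {
    printf '['
    sep=''
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf '%s"%s"' "$sep" "$ip"
        sep=','
    done
    printf ']'
}

# Log in and print the session id, or fail.
rpc_login() {   # $1=user $2=password
    reply=$(rpc_post "$(rpc_payload "$NULL_SID" session login \
        "{\"username\":\"$1\",\"password\":\"$2\",\"timeout\":300}")")
    rpc_ok "$reply" && rpc_parse_sid "$reply"
}

# Commit the firewall config and reload it so the change takes effect.
rpc_commit_and_reload() {   # $1=session id
    rpc_ok "$(rpc_post "$(rpc_payload "$1" uci commit '{"config":"firewall"}')")" &&
    rpc_ok "$(rpc_post "$(rpc_payload "$1" file exec \
        '{"command":"/etc/init.d/firewall","params":["reload"]}')")"
}

# Replace the rule's src_ip list with the addresses given on stdin.
rpc_set_block_list() {   # $1=session id
    list=$(ips_to_json_array)
    rpc_ok "$(rpc_post "$(rpc_payload "$1" uci set \
        "{\"config\":\"firewall\",\"section\":\"blocked_hosts\",\"values\":{\"src_ip\":$list}}")")" &&
    rpc_commit_and_reload "$1"
}

# Enable (1) or disable (0) the rule without touching the list.
rpc_set_block_enabled() {   # $1=session id $2=1|0
    rpc_ok "$(rpc_post "$(rpc_payload "$1" uci set \
        "{\"config\":\"firewall\",\"section\":\"blocked_hosts\",\"values\":{\"enabled\":\"$2\"}}")")" &&
    rpc_commit_and_reload "$1"
}

# Usage from the decision server, e.g.:
#   sid=$(rpc_login root "$ROUTER_PASSWORD") || exit 1
#   printf '192.168.1.10\n192.168.1.23\n' | rpc_set_block_list "$sid"   # block these hosts
#   rpc_set_block_enabled "$sid" 0                                      # later: lift the block
```

Because the session id is a bearer credential and the password travels in the login call, keep the endpoint on HTTPS with the router's certificate validated on the server side rather than passing `-k` to curl, and give the RPC account an ACL limited to the `uci` and `file exec` methods it actually needs instead of reusing the full admin login.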
by

wwan0 is the mobile interface. The wired interface is eth1, which appears as wan in the status page.

If you want to set the rule both for wwan0 and eth1 just omit the -o wwan0 from the command:

iptables -A FORWARD -s 192.168.x.y -j DROP

The effect of iptables-restore is immediate.