How do I configure iptables in DD-WRT to block Skype on br1 only?


Your Skype rules are blocking traffic originating from the given IP address ranges. So the traffic is coming in on your WAN interface, not your guest bridge br1. That's why -i br1 doesn't work.

To fix this, instead block traffic to those destinations which comes in from the guest bridge. For example:

iptables -I FORWARD -i br1 -d 111.221.74.0/24 -j DROP
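Extending the answer above to all twelve ranges listed in the question, as an added example (not code from the answer, the asker, or DD-WRT itself); it assumes the guest bridge is br1 and only prints the rules so they can be reviewed before being applied:

```shell
# Added example: generate one "-i br1 -d <range>" DROP rule per Skype range.
# Assumed: guest bridge is br1; the ranges are the ones the asker listed
# (constructed list for this example, copied from the question).
SKYPE_RANGES="111.221.74.0/24 111.221.77.0/24 157.55.130.0/24 157.55.235.0/24
157.55.56.0/24 157.56.52.0/24 194.165.188.0/24 195.46.253.0/24
213.199.179.0/24 63.245.217.0/24 64.4.23.0/24 65.55.223.0/24"

# Print one FORWARD rule per range. Matching on the ingress interface (-i)
# together with the destination (-d) is what restricts the block to traffic
# that entered from the guest bridge; a -s match would only ever see the
# replies arriving on the WAN side, which is why the asker's version did nothing.
guest_block_rules() {
    iface="$1"
    shift
    for net in "$@"; do
        printf 'iptables -I FORWARD -i %s -d %s -j DROP\n' "$iface" "$net"
    done
}

# Number of rules produced, useful to confirm the whole list was processed.
guest_block_rule_count() {
    guest_block_rules "$@" | wc -l | tr -d ' '
}

# Because -I inserts at the top of the chain, rules added later are evaluated
# first. Emit these DROP rules *after* the existing
# "iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT" line in the
# firewall script so they sit above it; otherwise the ACCEPT matches first.
# To apply on the router:  guest_block_rules br1 $SKYPE_RANGES | sh
# To verify hits:          iptables -L FORWARD -v -n
```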


Author: SteveJ

Updated on September 18, 2022

Comments

  • SteveJ, over 1 year

    Using DD-WRT on a Linksys router, I've got a private network set up as br0 and a guest network set up as br1.

    I want to block access to Skype on only the guest network, and the easiest way I've seen to block Skype is to block access to their authentication servers.

    I'm able to successfully block access to Skype for EVERYONE connecting to the router by adding the following firewall rules:

    iptables -I FORWARD -s 111.221.74.0/24 -j DROP
    iptables -I FORWARD -s 111.221.77.0/24 -j DROP
    iptables -I FORWARD -s 157.55.130.0/24 -j DROP
    iptables -I FORWARD -s 157.55.235.0/24 -j DROP
    iptables -I FORWARD -s 157.55.56.0/24 -j DROP
    iptables -I FORWARD -s 157.56.52.0/24 -j DROP
    iptables -I FORWARD -s 194.165.188.0/24 -j DROP
    iptables -I FORWARD -s 195.46.253.0/24 -j DROP
    iptables -I FORWARD -s 213.199.179.0/24 -j DROP
    iptables -I FORWARD -s 63.245.217.0/24 -j DROP
    iptables -I FORWARD -s 64.4.23.0/24 -j DROP
    iptables -I FORWARD -s 65.55.223.0/24 -j DROP
    

    So I thought that by simply adding "-i br1" after the FORWARD command in each of the above lines, I could block it only on the guest (br1) network, like this:

    iptables -I FORWARD -i br1 -s 111.221.74.0/24 -j DROP

    However, that doesn't block it for anyone. What am I doing wrong? Thanks in advance.

    P.S. As further reference, here are my pre-existing current firewall rules:

    #Enable NAT on the WAN port to correct a bug in builds over 17000
    iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
    
    #Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
    iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    
    #Restrict br1 from accessing br0
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    
    #Restrict br1 from accessing the WAN subnet
    iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
    
    #Restrict br1 from accessing the router's local sockets
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    
    #Allow br1 to access DHCP on the router
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    
    #Allow br1 to access DNS on the router
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
    
  • SteveJ, over 11 years
    Great, Michael. That makes sense... AND works. :) Thanks and Merry Christmas!