Custom firewall rules are not loaded from LuCi after restart

alexgolshtein · November 11, 2024, 11:22am

Device: Brume-2
Firmware: 4.7.0 (beta)

Hi,
I intend to add some custom rules required for youtubeUnblock plugin.
I've spent a lot of time testing, and currently I this that there is some issues in init scripts of gl-inet.

I've added the custom rules in Luci (/cgi-bin/luci/admin/network/firewall/custom)

iptables -t mangle -N YOUTUBEUNBLOCK
iptables -t mangle -A YOUTUBEUNBLOCK -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
iptables -t mangle -A YOUTUBEUNBLOCK -p udp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
Iptables -t mangle -A POSTROUTING -j YOUTUBEUNBLOCK

iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT
#iptables -I OUTPUT -m mark --mark 524288/524288 -j ACCEPT

iptables -I OUTPUT --src 192.168.8.139 -p udp --dport 443 -j DROP
iptables -I OUTPUT --src 192.168.8.173 -p udp --dport 443 -j DROP

these rules are NOT applied after device restart.

Forced /etc/init.d/firewall restart command allies the rules, but breaks the rules of dnsmsq of "VPN Policy Based on the Target Domain or IP".

I think the same issue was in 4.6 (stable) firmware.

bruce · November 12, 2024, 11:15am

Firewall is related to the iptables, GL firmware has not broken the rules including the custom parts.

After reboot, check is there for the above rules? (Looks like only the last two exist)
iptables -nvL
if 1 not, do these rule commands work if executed manually directly from SSH?
if 2 works, try adding these rule commands in /etc/rc.local, and reboot to see if it works?