I am trying to use my GL-iNet 4G smart router with a firewall. I want the users to access ONLY some specific websites. I tried the below iptables rules in the custom rules of the firewall settings, but it did not work. Has anyone tried this before?
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d calicutnet.com --dport 80 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Somehow this doesn't work. I am always bypassing the rule, i.e. I am able to access all the websites.
BTW, for testing I am using this as a repeater.
If you are putting these lines in the custom rules then they are appended to the end of the chain.
Instead try just this single line:
iptables -I OUTPUT 1 -p tcp -d calicutnet.com --dport 80 -j ACCEPT
This will INSERT your new rule at the top of the chain.
ipset + iptables is your friend; it's easy to do. For example, you should replace dnsmasq with dnsmasq-full via opkg update && opkg remove dnsmasq && opkg install dnsmasq-full.
Create the file /tmp/dnsmasq.d/whiltelist.dns and add the lines:
server=/google.com/127.0.0.1#53
ipset=/google.com/whitelist
iptables rules:
iptables -t nat -I PREROUTING -m set ! --match-set whitelist dst -j DROP
iptables -t nat -I PREROUTING -m set --match-set whitelist dst -j ACCEPT
Just an example.
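The following is an added example and not code from the original thread or from GL-iNet. It puts the ipset + dnsmasq-full idea above into a complete whitelist for a router running as a repeater, and it also explains why the original OUTPUT-chain rules had no effect on the clients. It assumes a LAN bridge named br-lan, an upstream interface named wlan-sta, a router LAN address of 192.168.8.1 and dnsmasq-full already installed; all of these are hypothetical and can be overridden through environment variables. The domain list is passed as arguments; "show" prints the generated config and commands for review, "apply" runs them.

```shell
#!/bin/sh
# Added example (not from the original thread): domain whitelist for a router
# in repeater mode, using ipset populated by dnsmasq-full.
# Hypothetical assumptions: LAN bridge br-lan, upstream wlan-sta, router LAN
# address 192.168.8.1, dnsmasq-full installed, conf-dir /tmp/dnsmasq.d in use.
#
# Why FORWARD and not OUTPUT: packets from LAN clients cross the router and are
# filtered in the FORWARD chain. INPUT and OUTPUT only see traffic to and from
# the router itself, so OUTPUT rules never restrict the clients.
# Why ipset: "-d example.com" in an iptables rule is resolved once, when the
# rule is inserted. dnsmasq's ipset= option instead adds every address it
# returns for the domain to the set as clients look names up.

LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-wlan-sta}"
LAN_IP="${LAN_IP:-192.168.8.1}"
SET_NAME="whitelist"
DNSMASQ_CONF="${DNSMASQ_CONF:-/tmp/dnsmasq.d/whitelist.conf}"

# dnsmasq config: one ipset= line per whitelisted domain (subdomains included).
gen_dnsmasq_conf() {
    for d in "$@"; do
        printf 'ipset=/%s/%s\n' "$d" "$SET_NAME"
    done
}

# Firewall commands. Clients may only reach addresses in the set on 80/443;
# everything else forwarded LAN->WAN is rejected. LAN DNS is forced to the
# router's dnsmasq so the set actually gets populated (a client using an
# external resolver would otherwise simply be blocked), and IPv6 forwarding is
# dropped because the set only holds IPv4 addresses. Each chain is rebuilt and
# the jump re-inserted, so the commands can be re-run safely.
gen_firewall_rules() {
    cat <<EOF
ipset create $SET_NAME hash:ip -exist
iptables -N WHITELIST_FWD 2>/dev/null
iptables -F WHITELIST_FWD
iptables -A WHITELIST_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A WHITELIST_FWD -p tcp -m multiport --dports 80,443 -m set --match-set $SET_NAME dst -j ACCEPT
iptables -A WHITELIST_FWD -j REJECT
iptables -D FORWARD -i $LAN_IF -o $WAN_IF -j WHITELIST_FWD 2>/dev/null
iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -j WHITELIST_FWD
iptables -t nat -N WHITELIST_DNS 2>/dev/null
iptables -t nat -F WHITELIST_DNS
iptables -t nat -A WHITELIST_DNS -p udp --dport 53 -j DNAT --to-destination $LAN_IP:53
iptables -t nat -A WHITELIST_DNS -p tcp --dport 53 -j DNAT --to-destination $LAN_IP:53
iptables -t nat -D PREROUTING -i $LAN_IF -j WHITELIST_DNS 2>/dev/null
iptables -t nat -I PREROUTING 1 -i $LAN_IF -j WHITELIST_DNS
ip6tables -D FORWARD -i $LAN_IF -o $WAN_IF -j DROP 2>/dev/null
ip6tables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -j DROP
EOF
}

# "show" prints everything for review; "apply" writes the dnsmasq config,
# loads the firewall (the ipset must exist before dnsmasq starts adding to
# it) and restarts dnsmasq. With no argument nothing is changed.
case "${1:-}" in
    show)
        shift
        gen_dnsmasq_conf "$@"
        gen_firewall_rules
        ;;
    apply)
        shift
        gen_dnsmasq_conf "$@" > "$DNSMASQ_CONF"
        gen_firewall_rules | sh
        /etc/init.d/dnsmasq restart
        ;;
esac
```

Usage: `sh whitelist.sh show google.com example.org` to review, then `sh whitelist.sh apply google.com example.org`. The set starts empty, so a client sees the whitelisted site only after it has resolved the name through the router; that is the intended behaviour and the reason DNS is pinned to the router.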
Hi,
Sorry, I had a hardware problem with my router and got it replaced today.
I tried as you mentioned, but couldn't succeed.
So, this is what I did.
I installed squid on the router.
Then I added the below lines to /etc/squid/squid.conf:
acl whitelist dstdomain .ubuntu.com codebudha.com
http_access allow whitelist
I wanted to allow access only to ubuntu and codebudha from the network.
Then I created an iptables firewall rule as below to reroute all the packets to squid's port.
iptables -t nat -A PREROUTING -s 192.168.1.5 -p tcp --dport 80:443 -j DNAT --to-destination 10.100.111.50:3128
Here 10.100.111.50 is the router's wlan-sta IP address; the router is now working as a repeater.
But it's not working.
Any idea what I am missing here?
I haven't ever used squid, so I'm not sure how it works. But you can try replacing -A with -I and changing DNAT to REDIRECT.
iptables -t nat -I PREROUTING -s 192.168.1.5 -p tcp --dport 80:443 -j REDIRECT --to-ports 3128
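The following is an added example, not code from the original thread, GL-iNet or the squid project, showing the squid variant discussed above as a complete, reviewable setup. It assumes squid installed via opkg and listening on 3128, a LAN bridge named br-lan, an upstream interface named wlan-sta and clients in 192.168.8.0/24; all of these are hypothetical. Only plain HTTP (port 80) is redirected to squid: transparently intercepting HTTPS needs squid's ssl_bump and a CA the clients trust, which is a separate setup, so forwarded port 443 is rejected here instead of being left open as a bypass. Note also that "--dport 80:443" in the rule above is a port range covering 80 through 443, not the two ports 80 and 443.

```shell
#!/bin/sh
# Added example (not from the original thread): squid-based HTTP whitelist for
# a router in repeater mode.
# Hypothetical assumptions: squid on port 3128, LAN bridge br-lan, upstream
# wlan-sta, clients in 192.168.8.0/24, config at /etc/squid/squid.conf.

LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-wlan-sta}"
LAN_NET="${LAN_NET:-192.168.8.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
SQUID_CONF="${SQUID_CONF:-/etc/squid/squid.conf}"

# squid.conf fragment: intercept mode (required for REDIRECTed traffic),
# allow only the listed destination domains from the LAN, then deny
# everything else explicitly rather than relying on squid's implicit default.
# A leading dot (".ubuntu.com") also matches subdomains; without it only the
# exact name matches.
gen_squid_conf() {
    printf 'http_port %s intercept\n' "$SQUID_PORT"
    printf 'acl localnet src %s\n' "$LAN_NET"
    printf 'acl whitelist dstdomain'
    for d in "$@"; do printf ' %s' "$d"; done
    printf '\n'
    printf 'http_access allow localnet whitelist\n'
    printf 'http_access deny all\n'
}

# Firewall commands. REDIRECT sends LAN port-80 traffic to squid on the router
# itself, so it is then handled in INPUT, not FORWARD. Everything else that
# would be forwarded LAN->WAN is rejected, which closes the port-443 bypass.
# Clients get DNS from the router's dnsmasq and squid resolves names itself,
# so nothing needs to be forwarded. Delete-before-insert keeps it re-runnable.
gen_firewall_rules() {
    cat <<EOF
iptables -t nat -D PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT 2>/dev/null
iptables -t nat -I PREROUTING 1 -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -D INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT 2>/dev/null
iptables -I INPUT 1 -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -D FORWARD -i $LAN_IF -o $WAN_IF -j REJECT 2>/dev/null
iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -j REJECT
EOF
}

# "show" prints the config and commands for review; "apply" appends the
# config, loads the rules and restarts squid. With no argument nothing runs.
case "${1:-}" in
    show)
        shift
        gen_squid_conf "$@"
        gen_firewall_rules
        ;;
    apply)
        shift
        gen_squid_conf "$@" >> "$SQUID_CONF"
        gen_firewall_rules | sh
        /etc/init.d/squid restart
        ;;
esac
```

Usage: `sh squid-whitelist.sh show .ubuntu.com codebudha.com` first, then `apply` with the same arguments. Because HTTPS is not proxied, sites that redirect to https:// will appear blocked from the client; that is the expected result of this configuration until ssl_bump is set up.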