
I want to block certain protocols from being used, and I do this by blocking their ports, such as 53.

I tried to edit /etc/config/firewall adding:

   config rule 'stopdns'
       option name 'stopdns'
       option proto 'tcpudp'
       option dest_port '53'
       option target 'DROP'

and /etc/firewall.user (when the first option did not succeed):

   iptables -A OUTPUT -p tcp --dport 53 -j DROP
   iptables -A OUTPUT -p udp --dport 53 -j DROP

I tried the same with ports 80 and 443 because none of the above worked. After each edit I run /etc/init.d/firewall restart.

  • In the iptables rules you appear to be blocking the OUTPUT chain. You probably want to block the FORWARD chain to prevent devices on the LAN sending traffic through the router. Also, if you block the OUTPUT chain, you will stop recursive DNS working from the router.
    – davidgo
    Commented Jan 14, 2019 at 0:45
  • @davidgo That seems not to be the right fix; for example, with iptables -A FORWARD -p tcp/udp --dport 443 -j DROP this website and any other still load.
    – pomur
    Commented Jan 14, 2019 at 19:22
  • Try using -I to INPUT at the start of the chain, not -A to append; there may be an earlier rule with a matching allow, so your appended rule is never reached.
    – davidgo
    Commented Jan 14, 2019 at 19:25
  • @davidgo can I accept yours as answer?
    – pomur
    Commented Jan 16, 2019 at 22:16
  • Thanks for that - I'm pleased it worked for you. I've made it an answer.
    – davidgo
    Commented Jan 17, 2019 at 0:33

1 Answer

As per the comments, the solution is to insert the iptables rule at the top of the chain rather than append it, so appropriate firewall lines would be (iptables accepts a single protocol per -p, so tcp and udp need one rule each):

iptables -I FORWARD -p tcp --dport 443 -j DROP
iptables -I FORWARD -p udp --dport 443 -j DROP
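The following is an added example, not code from the question or answer: a small /etc/firewall.user-style script that inserts the tcp and udp DROP rules at the head of FORWARD without duplicating them on every firewall restart, plus a check that reads `iptables -S FORWARD` output and confirms the DROP sits before the RELATED,ESTABLISHED ACCEPT and zone jumps that swallowed the appended rule. Function names and the sample chain listings are constructed here (the listings approximate an fw3-based OpenWrt router).

```sh
#!/bin/sh
# Added example: block LAN clients' outbound traffic on a port by inserting DROP
# rules at the top of FORWARD. Function names and samples are constructed.

# Argument list for one protocol/port (iptables -p takes a single protocol).
rule_args() {
    # $1 = proto (tcp|udp), $2 = destination port
    printf 'FORWARD -p %s --dport %s -j DROP' "$1" "$2"
}

# Insert DROP rules for a port at the head of FORWARD, unless already present.
# iptables -C succeeds when an identical rule exists, keeping re-runs idempotent.
block_port() {
    port=$1
    for proto in tcp udp; do
        # shellcheck disable=SC2046
        iptables -C $(rule_args "$proto" "$port") 2>/dev/null \
            || iptables -I $(rule_args "$proto" "$port")
    done
}

# Ordering check: read `iptables -S FORWARD` on stdin; succeed only if a
# "--dport PORT ... -j DROP" rule appears before the first ACCEPT or
# zone_*_forward jump. An appended rule lands after those and never matches.
drop_precedes_forward() {
    port=$1
    awk -v port="$port" '
        /-j DROP/ && $0 ~ ("--dport " port " ") { found = 1; exit }
        /-j ACCEPT|-j zone_[a-z]+_forward/ { exit }
        END { exit !found }'
}

# Constructed `iptables -S FORWARD` after `iptables -I`: DROPs come first.
SAMPLE_GOOD='-P FORWARD DROP
-A FORWARD -p udp -m udp --dport 53 -j DROP
-A FORWARD -p tcp -m tcp --dport 53 -j DROP
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward'

# Constructed listing after `iptables -A`: the DROP sits behind the jumps.
SAMPLE_BAD='-P FORWARD DROP
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -p tcp -m tcp --dport 53 -j DROP'
```

On the router, `block_port 53` applies the rules and `iptables -S FORWARD | drop_precedes_forward 53` verifies their position; the samples let the check be exercised without touching a live firewall.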
