Securifi Community Forum

Securifi Products => Almond+ => Topic started by: tastewar1 on May 02, 2016, 11:30:38 pm

Title: Help with iptables?
Post by: tastewar1 on May 02, 2016, 11:30:38 pm
I'm wanting to restrict DNS to the OpenDNS that I have set up in the router. I.e., I don't want clients able to bypass it by entering their own DNS entry. This page: https://wiki.openwrt.org/doc/howto/netfilter seems to have a couple of rules that do what I want:

iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -A PREROUTING -i $LAN -p udp --dport 53 -j REDIRECT --to-port 53

So I went to the OpenWRT config section and added those lines to Firewall/Custom rules. I then went to Status/Firewall and selected the link to restart the firewall. The list of rules didn't appear to change. I then ssh'd in, and tried /etc/init.d/vpn-g restart and that seems to give me some errors:

iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: No chain/target/match by that name.
at stop
ipsec_setup: Stopping Openswan IPsec...

ipsec_setup: stop ordered, but IPsec appears to be already stopped!

ipsec_setup: doing cleanup anyway...

killall: pptpd: no process killed
killall: bcrelay: no process killed
sh: bad number

I commented my custom lines out, but I still get these errors. I don't think I added anything else in the past, but I tried doing the "reset" on each page, but I still get those errors.

Any clue what I need to do to get those rules enabled?
Thanks!
Title: Re: Help with iptables?
Post by: Rahaman on May 03, 2016, 08:36:26 am
hey...!!

Instead of using -i $LAN you should use -i br-lan (the LAN interface name), then click on Submit.
Then restart the firewall - /etc/init.d/firewall restart - or you can just reboot the device; the rules will take effect.
Please check attached pictures for reference.
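The two points in this reply (a real interface name instead of $LAN, then a firewall restart) can be put into a small script. The following is an added example for this thread, not code from the original post, from Securifi or from OpenWrt. It renders the two REDIRECT rules for the Firewall/Custom rules box with a checked interface name, and verifies from `iptables -t nat -S PREROUTING` output that both rules are actually in place after the restart. It assumes the LAN bridge is called br-lan, as in the reply; the sample `-S` output and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post, from Securifi
# or from OpenWrt. It renders the two DNS REDIRECT rules with a real interface
# name (br-lan assumed, as in the reply) for Firewall/Custom rules, and checks
# "iptables -t nat -S PREROUTING" output to confirm both rules are active.

LAN_IF="${LAN_IF:-br-lan}"

# An unset $LAN expands to nothing, so iptables sees "-i -p tcp ..." and
# reports a bad rule. Reject empty names, unexpanded variables, whitespace and
# anything over the kernel's 15-character interface-name limit (IFNAMSIZ - 1).
valid_ifname() {
    case "$1" in
        ''|*'$'*|*[[:space:]]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Rule body shared by the add (-A) and check (-C) forms; $1 = interface, $2 = tcp|udp.
dns_redirect_spec() {
    printf 'PREROUTING -i %s -p %s --dport 53 -j REDIRECT --to-port 53' "$1" "$2"
}

# Print the lines to paste into Firewall/Custom rules (/etc/firewall.user).
# Each append is guarded by "-C" so that repeated firewall restarts do not
# stack duplicate copies of the rule in the nat table.
render_firewall_user() {
    ifname="$1"
    if ! valid_ifname "$ifname"; then
        echo "render_firewall_user: invalid interface name '$ifname'" >&2
        return 1
    fi
    for proto in tcp udp; do
        spec=$(dns_redirect_spec "$ifname" "$proto")
        printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -A %s\n' "$spec" "$spec"
    done
}

# Read "iptables -t nat -S PREROUTING" output on stdin and return 0 only if the
# tcp and udp redirects for the interface are both present. iptables prints a
# saved rule as "-p tcp -m tcp --dport 53 ... --to-ports 53", so the pattern
# tolerates the implicit "-m <proto>" match and the "--to-ports" spelling.
verify_dns_redirect() {
    ifname="$1"
    rules=$(cat)
    missing=0
    for proto in tcp udp; do
        pat="^-A PREROUTING -i $ifname -p $proto( -m $proto)? --dport 53 -j REDIRECT --to-ports? 53"'$'
        if ! printf '%s\n' "$rules" | grep -Eq -- "$pat"; then
            echo "missing $proto/53 redirect on $ifname" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample of "iptables -t nat -S PREROUTING" after a good restart.
SAMPLE_OK='-P PREROUTING ACCEPT
-A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 53'

# Constructed sample where only the tcp rule made it in: UDP, which carries
# most DNS queries, would still bypass the router's resolver.
SAMPLE_MISSING_UDP='-P PREROUTING ACCEPT
-A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53'

case "${1:-}" in
    render) render_firewall_user "${2:-$LAN_IF}" ;;
    verify) verify_dns_redirect "${2:-$LAN_IF}" ;;   # pipe "iptables -t nat -S PREROUTING" into this
esac
```

On the router, `sh dnsredir.sh render br-lan` prints the two guarded lines for the custom rules box; after `/etc/init.d/firewall restart`, `iptables -t nat -S PREROUTING | sh dnsredir.sh verify br-lan` exits non-zero and names the protocol if either rule is missing. Keep in mind that this redirect only catches plain DNS on port 53 to the router's own resolver; clients using DNS over HTTPS or TLS on other ports are not covered by it.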
Title: Re: Help with iptables?
Post by: tastewar1 on May 04, 2016, 05:21:49 pm
Thanks! I confess that I'm somewhat surprised that that change eliminated all those errors! But the restart reported no errors, and the rules show up in the status screen.