All about firmwares for routers. Support for RouterTech firmwares is here too.
-
davidedrury
- Newbie
- Posts: 8
- Joined: Sat Oct 06, 2007 6:38 pm
by davidedrury » Thu Jun 11, 2009 8:05 pm
Hi Guys,
using RT2.9 on a Solwise SAR600EW Rxxx.
Have been following this discussion https://nodpi.org/forum/index.php/topic,669.0.html which is about blocking DPI (Deep Packet Inspection) websites, and I decided to enter some blocking rules into iptables, but the syntax is beating me. The following works, but you have to wait for the retry timeout before website loading will complete.
Code:
iptables -I FORWARD -d 207.108.181.0/24 -j DROP
What I'd like is to do the following (which I think should work according to the iptables man page):
Code:
iptables -I FORWARD -d 207.108.181.0/24 -j REJECT -reject-with icmp-net-prohibited
This produces the error message
unknown arg REJECT
No matter what I try I always get some sort of error message. Any experts care to put me out of my misery?
Dave
-
mstombs
- RouterTech Team
- Posts: 3753
- Joined: Wed Jan 10, 2007 11:54 pm
by mstombs » Thu Jun 11, 2009 8:39 pm
I'm afraid that error means that iptables or kernel netfilter code hasn't been compiled with the REJECT target. Some things can be added as kernel modules that are "insmod" but I think this is a build time option only.
-
by davidedrury » Thu Jun 11, 2009 10:12 pm
Hm,
So I suppose that means there is no way to return a 'DROP' reason. Any idea what was behind the reasoning for omitting the REJECT functionality?
Dave
-
by mstombs » Thu Jun 11, 2009 10:21 pm
The routers have limited flash/ram, they start with only standard features used by the built-in core-logic and web gui. The Linux kernel used is now quite old and heavily customized; it takes a lot of care and patience to add and test new features. I don't think anyone else has suggested a use for "REJECT" before - I have no idea how big a job this is... If it means upgrading to a newer version of iptables then it is a big job.
-
by davidedrury » Thu Jun 11, 2009 10:34 pm
Thanks - I'll watch that space!
-
legume
- Experienced
- Posts: 101
- Joined: Fri Apr 13, 2007 11:57 pm
by legume » Thu Jun 11, 2009 11:00 pm
davidedrury wrote: Thanks - I'll watch that space!
You need two dashes
--reject-with
works for me, but then I am using an old version.
You can see the targets and matches you have with -
cat /proc/net/ip_tables*
-
thechief
- RouterTech Team
- Posts: 12067
- Joined: Wed Feb 01, 2006 10:22 pm
- Location: England, the Centre of Africa
by thechief » Fri Jun 12, 2009 7:36 am
mstombs wrote: The routers have limited flash/ram, they start with only standard features used by the built-in core-logic and web gui. The Linux kernel used is now quite old and heavily customized; it takes a lot of care and patience to add and test new features. I don't think anyone else has suggested a use for "REJECT" before - I have no idea how big a job this is... If it means upgrading to a newer version of iptables then it is a big job.
REJECT is enabled in the "standard" firmwares, but not in the 1350A wireless. Enabling it increases the size of iptables by about 45kb, so it is feasible.
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
-
by davidedrury » Fri Jun 12, 2009 9:23 am
Is it a compile option or could I (a user) enable it?
-
by thechief » Fri Jun 12, 2009 9:50 am
It is a compile option. You'll have to wait for the release of v2.91 ...
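Added example, not from any poster in this thread: a shell function that reads the target list legume points to and prints the REJECT rule when the firmware build includes that target, or the DROP rule from the first post when it does not. It assumes targets are listed one per line in /proc/net/ip_tables_targets; the function names and the TARGETS_FILE variable are made up for this example.

```shell
#!/bin/sh
# Added example: pick REJECT when the firmware offers it, else fall back to DROP.
# Assumption: the kernel lists registered targets one per line in this file.
TARGETS_FILE="${TARGETS_FILE:-/proc/net/ip_tables_targets}"

# has_target NAME [FILE]: succeed only if NAME is listed as a whole line.
# Uses a read loop rather than grep options that a small busybox may lack.
has_target() {
    file="${2:-$TARGETS_FILE}"
    [ -r "$file" ] || return 1
    while read -r name; do
        [ "$name" = "$1" ] && return 0
    done < "$file"
    return 1
}

# block_rule CIDR [FILE]: print (do not run) the rule for forwarded traffic
# to CIDR. Note the two dashes in --reject-with.
block_rule() {
    if has_target REJECT "${2:-$TARGETS_FILE}"; then
        echo "iptables -I FORWARD -d $1 -j REJECT --reject-with icmp-net-prohibited"
    else
        # No REJECT target in this build: clients wait for their own timeout.
        echo "iptables -I FORWARD -d $1 -j DROP"
    fi
}

# Network taken from the first post in the thread.
block_rule 207.108.181.0/24
```

The script only prints the command, so the output can be reviewed before it is pasted into the router's shell.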