iptables rules syntax

davidedrury (Newbie, Posts: 8, Joined: Sat Oct 06, 2007 6:38 pm)


Post by davidedrury » Thu Jun 11, 2009 8:05 pm

Hi Guys,

Using RT2.9 on a Solwise SAR600EW Rxxx.

I have been following this discussion https://nodpi.org/forum/index.php/topic,669.0.html, which is about blocking DPI (Deep Packet Inspection) websites, and I decided to enter some blocking rules into iptables, but the syntax is beating me. The following works, but you have to wait for the retry timeout before website loading will complete.

Code:

    iptables -I FORWARD -d 207.108.181.0/24 -j DROP

What I'd like is to do the following (which I think should work according to the iptables man page):

Code:

    iptables -I FORWARD -d 207.108.181.0/24 -j REJECT -reject-with icmp-net-prohibited

This produces the error message:

    unknown arg REJECT

No matter what I try I always get some sort of error message. Any experts care to put me out of my misery?

Dave
mstombs (RouterTech Team, Posts: 3753, Joined: Wed Jan 10, 2007 11:54 pm)

Post by mstombs » Thu Jun 11, 2009 8:39 pm

I'm afraid that error means that iptables or the kernel netfilter code hasn't been compiled with the REJECT target. Some things can be added as kernel modules that are "insmod"-ed, but I think this is a build-time option only.

Post by davidedrury » Thu Jun 11, 2009 10:12 pm

Hm,

So I suppose that means there is no way to return a 'DROP' reason. Any idea what was behind the reasoning for omitting the REJECT functionality?

Dave

Post by mstombs » Thu Jun 11, 2009 10:21 pm

The routers have limited flash/RAM; they start with only the standard features used by the built-in core logic and web GUI. The Linux kernel used is now quite old and heavily customised, and it takes a lot of care and patience to add and test new features. I don't think anyone else has suggested a use for "REJECT" before; I have no idea how big a job this is... If it means upgrading to a newer version of iptables then it is a big job.

Post by davidedrury » Thu Jun 11, 2009 10:34 pm

Thanks - I'll watch that space!
legume (Experienced, Posts: 101, Joined: Fri Apr 13, 2007 11:57 pm)

Post by legume » Thu Jun 11, 2009 11:00 pm

davidedrury wrote:
    Thanks - I'll watch that space!

You need two dashes:

    --reject-with

works for me, but then I am using an old version.

You can see the targets and matches you have with:

    cat /proc/net/ip_tables*
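As an added example (not code from the thread or from the RouterTech project): a small shell script that turns legume's check into something a practitioner can run. It reads /proc/net/ip_tables_targets, one of the files behind `cat /proc/net/ip_tables*`, to see whether the kernel lists the REJECT target, and prints a REJECT rule with the correct double-dash `--reject-with icmp-net-prohibited` when it does, or the DROP rule from the first post when it does not. The function names, the fallback policy and the sample target lists are this example's own assumptions; the subnet and the ICMP reason are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from RouterTech.
# Picks REJECT when the running kernel lists that target in
# /proc/net/ip_tables_targets, otherwise falls back to DROP so the rule
# still loads on a build without REJECT. Function names and the fallback
# policy are this example's own choices (assumptions).

# has_target NAME [FILE]: succeed if NAME appears, one per line, in the
# kernel's target list. A missing or unreadable file counts as "absent",
# which is what a box with no netfilter at all looks like.
has_target() {
    _name=$1
    _file=${2:-/proc/net/ip_tables_targets}
    [ -r "$_file" ] || return 1
    grep -qx -- "$_name" "$_file"
}

# block_rule CIDR [FILE]: print the iptables command to use for CIDR.
# REJECT with icmp-net-prohibited makes the client fail at once; DROP
# leaves it waiting for its own retry timeout, as the first post notes.
# Note the two dashes on --reject-with, the point legume makes above.
block_rule() {
    _cidr=$1
    _file=${2:-/proc/net/ip_tables_targets}
    if has_target REJECT "$_file"; then
        printf 'iptables -I FORWARD -d %s -j REJECT --reject-with icmp-net-prohibited\n' "$_cidr"
    else
        printf 'iptables -I FORWARD -d %s -j DROP\n' "$_cidr"
    fi
}

# Demo against the real kernel: the rule is only printed, not applied.
# On a box without REJECT (or without netfilter) this prints the DROP form.
block_rule 207.108.181.0/24
```

Run it with `sh block.sh` to see which rule it would choose, or `block_rule 207.108.181.0/24 | sh` from a shell that has sourced the file to apply the rule. One caveat: /proc/net/ip_tables_targets only reflects the kernel side. The iptables binary on the router must also have been built with the REJECT extension, which is the half mstombs refers to, and this check does not cover that; on such a build the printed REJECT command will still fail with the same "unknown arg" error.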
thechief (RouterTech Team, Posts: 12067, Joined: Wed Feb 01, 2006 10:22 pm, Location: England, the Centre of Africa)

Post by thechief » Fri Jun 12, 2009 7:36 am

mstombs wrote:
    The routers have limited flash/RAM; they start with only the standard features used by the built-in core logic and web GUI. The Linux kernel used is now quite old and heavily customised, and it takes a lot of care and patience to add and test new features. I don't think anyone else has suggested a use for "REJECT" before; I have no idea how big a job this is... If it means upgrading to a newer version of iptables then it is a big job.

REJECT is enabled in the "standard" firmwares, but not in the 1350A wireless. Enabling it increases the size of iptables by about 45 KB, so it is feasible.
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.

Post by davidedrury » Fri Jun 12, 2009 9:23 am

Is it a compile option or could I (a user) enable it?

Post by thechief » Fri Jun 12, 2009 9:50 am

It is a compile option. You'll have to wait for the release of v2.91 ...