mtchang / rt-n56u

Automatically exported from code.google.com/p/rt-n56u

Question Is there a way to Block incoming ips on wan side? #942

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?
3.4.3.6-064

Under "LAN to WAN Filter" on the GUI:

Source IP range: 220.181.*.*
Source TCP port range of 1:65535 
Destination IP range of: 192.168.*.* 
Destination TCP port range of 1:65535 
"TCP All" or just "TCP" setting.

But, it doesn't prevent IPs from 220.181.*.* from reaching my LAN (on my 
forwarded ports).

I would prefer to use the GUI if at all possible, to make it easier to 
administrate.

Original issue reported on code.google.com by michael....@gmail.com on 19 Aug 2013 at 4:00

GoogleCodeExporter commented 9 years ago
It will work only if you have 220.181.*.* as your local net address ;)
By default, all incoming traffic from the Internet is closed and you may open 
needed ports/services at http://my.router/Advanced_VirtualServer_Content.asp

Original comment by Dr.Sydorenko.O on 19 Aug 2013 at 8:30

GoogleCodeExporter commented 9 years ago
Thanks for the quick reply back.  It appears you might have overlooked that I 
have port forwarding already enabled.  "....But, it doesn't prevent IPs from 
220.181.*.* from reaching my LAN (on my forwarded ports)...."

I just need to stop certain IP ranges from coming through existing opened 
ports.  Certainly there should be an easy way to do this.  For example, to 
block certain IP's from reaching to my WWW/FTP servers.  I'm hoping someone can 
tell me exactly how to do that with a working example.

Original comment by michael....@gmail.com on 19 Aug 2013 at 2:58

GoogleCodeExporter commented 9 years ago
Soulblader.com, thank you so much for telling me exactly how to do this; with 
extremely useful and easy to follow examples.

You're right, the below commandline does give me my external IP address.
#ifconfig `nvram get wan0_ifname` | grep 'inet addr'

If I need to remove the iptables rule for any reason would I just replace the 
-I parameter with -D?

echo "iptables -D FORWARD -i \$(nvram get wan0_ifname) -p tcp -s 220.181.0.0/16 -j DROP" >> /etc/storage/post_iptables_script.sh

Thanks so much for your time!
MKANET

Original comment by michael....@gmail.com on 19 Aug 2013 at 8:07

GoogleCodeExporter commented 9 years ago
You should use iptables rules in this case.

Not sure if you use firmware which allows editing scripts in the web GUI...

So, if you do:
1) Open http://my.router/Advanced_Tweaks_Content.asp
2) Choose script 'Run after firewall rules restarted'
3) Add the following line
iptables -I FORWARD -i $(nvram get wan0_ifname) -p tcp -s 220.181.0.0/16 -j DROP
4) press apply

if you use earlier version:
1) Open http://my.router/Main_AdmStatus_Content.asp
2) copy the following line to the input field (it's not quite correct, but the 
input line is too short in the web GUI, so this should do well):
sed -i '$ a\iptables -I FORWARD -i \$(nvram get wan0_ifname) -p tcp -s 220.181.0.0/16 -j DROP' /etc/storage/post_iptables_*
3) Press <Enter> or 'Refresh' button

For more options see: http://ipset.netfilter.org/iptables.man.html. One can 
find it complicated, but there are many examples on the web.

Important note: I'm not sure about the -i option value. Please check the output 
of the following command:
# ifconfig `nvram get wan0_ifname` | grep 'inet addr'
The address should be your external IP address.

Original comment by d...@soulblader.com on 19 Aug 2013 at 8:08
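As an added example (not code from the thread or the project), a small sh helper that keeps the DROP rule from step 3 in the post-firewall script without duplicating it on repeated runs, and removes it again cleanly; it generalizes the thread's rule with an optional protocol argument so UDP forwards can be covered too. It assumes the /etc/storage/post_iptables_script.sh path mentioned in the thread and the wan0_ifname lookup; RULE_SCRIPT and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the WAN-side DROP rule in the
# post-firewall script without duplicates, and take it out again cleanly.
# The script path and the wan0_ifname lookup are taken from the thread;
# everything else is an assumption for illustration.
RULE_SCRIPT="${RULE_SCRIPT:-/etc/storage/post_iptables_script.sh}"

# Print the rule line for a source CIDR and protocol (default tcp, as in the
# thread; pass udp to cover UDP forwards too). The $(nvram ...) part is kept
# literal so it is expanded on the router when the script runs.
block_rule_line() {
    case "$1" in
        *.*.*.*/[0-9]|*.*.*.*/[0-9][0-9]) ;;
        *) echo "expected a CIDR such as 220.181.0.0/16, got '$1'" >&2; return 1 ;;
    esac
    printf 'iptables -I FORWARD -i $(nvram get wan0_ifname) -p %s -s %s -j DROP\n' \
        "${2:-tcp}" "$1"
}

# Append the rule only if an identical line is not already there: the script
# runs on every firewall restart, so a duplicated line means a duplicated rule.
add_block_rule() {
    line=$(block_rule_line "$1" "$2") || return 1
    touch "$RULE_SCRIPT"
    if grep -qxF -- "$line" "$RULE_SCRIPT"; then return 0; fi
    printf '%s\n' "$line" >> "$RULE_SCRIPT"
}

# Drop the line again; the firewall then has to be re-applied (e.g. the Apply
# button on Advanced_VirtualServer_Content.asp) so the rule set is rebuilt.
remove_block_rule() {
    line=$(block_rule_line "$1" "$2") || return 1
    [ -f "$RULE_SCRIPT" ] || return 0
    tmp="$RULE_SCRIPT.tmp"
    grep -vxF -- "$line" "$RULE_SCRIPT" > "$tmp" || true
    mv "$tmp" "$RULE_SCRIPT"
}

# Number of copies of the rule line currently in the script (0 when absent).
count_block_rule() {
    line=$(block_rule_line "$1" "$2") || return 1
    [ -f "$RULE_SCRIPT" ] || { echo 0; return 0; }
    grep -cxF -- "$line" "$RULE_SCRIPT" || true
}
```

After adding or removing a line, re-apply the firewall as described in the thread so the script is re-run and the live rule set matches the file.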

GoogleCodeExporter commented 9 years ago
Note: the echo "iptables -I .... " >> /etc/... command doesn't work. Please use 
sed -i ...
(I've updated my post)

If you don't need this rule anymore, just delete or comment out this line with '#'. 
Then update the firewall, for example: go to 
http://my.router/Advanced_VirtualServer_Content.asp and press the Apply button. All 
rules would be renewed...

Original comment by d...@soulblader.com on 19 Aug 2013 at 8:16

GoogleCodeExporter commented 9 years ago
Thanks for catching that.  I will use your sed example instead.  I now know 
where to add iptables rules after firewall restart; and, how to do it via the 
command line over ssh.

By the way, I have the latest firmware installed: 3.4.3.6-064.  However, I don't 
see 'Run after firewall rules restarted' under 
http://my.router/Advanced_Tweaks_Content.asp.  I think maybe I need to install 
an optional admin/tweak package?  Anyway, I can always just edit/upload/replace 
the text file itself using sftp.

Original comment by michael....@gmail.com on 19 Aug 2013 at 8:52

GoogleCodeExporter commented 9 years ago
I suppose there is no built version in 'Downloads' as the 'edit scripts in web gui' 
feature was added recently.

Original comment by d...@soulblader.com on 19 Aug 2013 at 9:27

GoogleCodeExporter commented 9 years ago
You can compile the firmware yourself: 
https://code.google.com/p/rt-n56u/wiki/HowToMakeFirmware.

Original comment by Dr.Sydorenko.O on 22 Aug 2013 at 11:06