
Using DD-WRT on a Linksys router, I've got a private network set up as br0 and a guest network set up as br1.

I want to block access to Skype on only the guest network, and the easiest way I've seen to block Skype is to block access to their authentication servers.

I'm able to successfully block access to Skype for EVERYONE connecting to the router by adding the following firewall rules:

iptables -I FORWARD -s 111.221.74.0/24 -j DROP
iptables -I FORWARD -s 111.221.77.0/24 -j DROP
iptables -I FORWARD -s 157.55.130.0/24 -j DROP
iptables -I FORWARD -s 157.55.235.0/24 -j DROP
iptables -I FORWARD -s 157.55.56.0/24 -j DROP
iptables -I FORWARD -s 157.56.52.0/24 -j DROP
iptables -I FORWARD -s 194.165.188.0/24 -j DROP
iptables -I FORWARD -s 195.46.253.0/24 -j DROP
iptables -I FORWARD -s 213.199.179.0/24 -j DROP
iptables -I FORWARD -s 63.245.217.0/24 -j DROP
iptables -I FORWARD -s 64.4.23.0/24 -j DROP
iptables -I FORWARD -s 65.55.223.0/24 -j DROP

So I thought that by simply adding "-i br1" after the FORWARD command in each of the above lines, I could block it only on the guest (br1) network, like this:

iptables -I FORWARD -i br1 -s 111.221.74.0/24 -j DROP

However, that doesn't block it for anyone. What am I doing wrong? Thanks in advance.

P.S. As further reference, here are my pre-existing current firewall rules:

#Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

#Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#Restrict br1 from accessing br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

#Restrict br1 from accessing the WAN subnet
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

#Restrict br1 from accessing the router's local sockets
iptables -I INPUT -i br1 -m state --state NEW -j DROP

#Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
SteveJ

2 Answers


Your Skype rules are blocking traffic originating from the given IP address ranges. So the traffic is coming in on your WAN interface, not your guest bridge br1. That's why -i br1 doesn't work.

To fix this, instead block traffic to those destinations which comes in from the guest bridge. For example:

iptables -I FORWARD -i br1 -d 111.221.74.0/24 -j DROP
Michael Hampton
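As an added illustration of this answer (example code, not from the question or either answer), a small Python model of first-match evaluation in the FORWARD chain: it shows that "-i br1 -s <net>" can never match, because packets from Skype's ranges enter on the WAN interface, while "-i br1 -d <net>" drops only traffic leaving the guest bridge; it also shows that, because "iptables -I" prepends, the DROP rules must be listed after the question's existing "-i br1 ... ACCEPT" rule in the script or they are never reached. The Skype /24s come from the question; the host addresses, the WAN interface name "vlan2" and the simplified allow rule are assumptions.

```python
import ipaddress

# Constructed model of first-match evaluation in the FORWARD chain, not real
# netfilter. Connection tracking is not modelled, so the question's
# "-i br1 -m state --state NEW -j ACCEPT" rule is a plain "-i br1 -j ACCEPT" here.
SKYPE_NETS = ["111.221.74.0/24", "157.55.130.0/24"]  # two of the /24s from the question

def rule(target, in_iface=None, src=None, dst=None):
    """One FORWARD rule; None means the option was omitted and matches anything."""
    return {"target": target, "in": in_iface,
            "src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None}

def matches(r, pkt):
    if r["in"] is not None and r["in"] != pkt["in"]:
        return False
    if r["src"] is not None and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    return r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"]

def build_chain(script_rules):
    """'iptables -I FORWARD' prepends, so the last rule in the script is checked first."""
    return list(reversed(script_rules))

def verdict(chain, pkt, policy="ACCEPT"):
    return next((r["target"] for r in chain if matches(r, pkt)), policy)

# Constructed packets: a guest host and a private-LAN host opening a Skype login,
# and the server's reply, which enters on the WAN interface (assumed "vlan2"), not br1.
GUEST_TO_SKYPE = {"in": "br1", "src": "192.168.2.10", "dst": "111.221.74.5"}
LAN_TO_SKYPE = {"in": "br0", "src": "192.168.1.10", "dst": "111.221.74.5"}
SKYPE_TO_GUEST = {"in": "vlan2", "src": "111.221.74.5", "dst": "192.168.2.10"}
ALLOW_BR1 = [rule("ACCEPT", in_iface="br1")]

def skype_verdicts(skype_rules, after_allow=True):
    """Verdicts for (guest->skype, lan->skype, skype->guest) when the script lists
    skype_rules after (default) or before the br1 allow rule."""
    script = ALLOW_BR1 + skype_rules if after_allow else skype_rules + ALLOW_BR1
    chain = build_chain(script)
    return tuple(verdict(chain, p) for p in (GUEST_TO_SKYPE, LAN_TO_SKYPE, SKYPE_TO_GUEST))

ORIGINAL = [rule("DROP", src=n) for n in SKYPE_NETS]                 # -s: drops replies to everyone
ATTEMPT = [rule("DROP", in_iface="br1", src=n) for n in SKYPE_NETS]  # -i br1 -s: never matches
FIXED = [rule("DROP", in_iface="br1", dst=n) for n in SKYPE_NETS]    # -i br1 -d: guest only

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("attempt", ATTEMPT), ("fixed", FIXED)):
        print(name, skype_verdicts(rules))
    print("fixed but listed before the allow rule:", skype_verdicts(FIXED, after_allow=False))
```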

Blocking specific destination IP addresses is not a long-term solution because these can change at any time. You should block Skype's hostname *.skype.com at the DNS level. You can use a DNS filtering service to do this. You can force your clients to use your filtering service by capturing their DNS queries and rerouting them. This can be done with the iptables commands below. Please replace guest_ip_range with the subnet and mask in CIDR format that your guests are using and replace dns_filtering_service with the DNS servers of your filtering service.

#Capture guest DNS queries (TCP and UDP) arriving on the guest bridge br1 and DNAT them to the filtering service
iptables --table nat --append PREROUTING --in-interface br1 --source guest_ip_range --protocol tcp --dport 53 --jump DNAT --to-destination dns_filtering_service
iptables --table nat --append PREROUTING --in-interface br1 --source guest_ip_range --protocol udp --dport 53 --jump DNAT --to-destination dns_filtering_service