Iptables deny access to a specific IP address not working


I'm not able to deny access to a specific IP address, or to a specific IP address range either. My network environment is: I have one router whose IP is ( and second, my hotspot is flashed to DD-WRT with IP ( I need to deny my hotspot users access to my main router, whose IP is or the entire IP range. The commands I saved in my firewall rules are listed below.

iptables -I FORWARD -d -j DROP
iptables -I FORWARD -s -j DROP

After I put these iptables rules in my firewall I am still able to log in to the web GUI interface. What is wrong with the rules?

This is the iptables -L output.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1751  129K ACCEPT     0    --  tun1   any     anywhere             anywhere            
    0     0 ACCEPT     0    --  tun0   any     anywhere             anywhere            
    1    84 ACCEPT     0    --  tun1   any     anywhere             anywhere            
 4085  444K ACCEPT     0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 DROP       udp  --  vlan2  any     anywhere             anywhere            udp dpt:route 
    0     0 DROP       udp  --  br0    any     anywhere             anywhere            udp dpt:route 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:route 
    0     0 DROP       icmp --  vlan2  any     anywhere             anywhere            
    0     0 DROP       igmp --  any    any     anywhere             anywhere            
    0     0 ACCEPT     0    --  lo     any     anywhere             anywhere            state NEW 
    0     0 ACCEPT     0    --  br0    any     anywhere             anywhere            state NEW 
  344 49804 DROP       0    --  any    any     anywhere             anywhere            
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  any    tun1    anywhere             anywhere            
    0     0 ACCEPT     0    --  tun1   any     anywhere             anywhere            
    0     0 ACCEPT     0    --  any    tun0    anywhere             anywhere            
    0     0 ACCEPT     0    --  tun0   any     anywhere             anywhere            
    0     0 ACCEPT     0    --  any    tun1    anywhere             anywhere            
    0     0 ACCEPT     0    --  tun1   any     anywhere             anywhere            
    0     0 DROP       0    --  any    any       
    0     0 DROP       0    --  any    any       
    0     0 ACCEPT     gre  --  any    vlan2      anywhere            
    0     0 ACCEPT     tcp  --  any    vlan2      anywhere            tcp dpt:1723 
    0     0 lan2wan    0    --  any    any     anywhere             anywhere            
    0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
    0     0 ACCEPT     0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     0    --  br0    br0     anywhere             anywhere            
    0     0 TRIGGER    0    --  vlan2  br0     anywhere             anywhere            TRIGGER type:in match:0 relate:0 
    0     0 trigger_out  0    --  br0    any     anywhere             anywhere            
    0     0 ACCEPT     0    --  br0    any     anywhere             anywhere            state NEW 
    0     0 DROP       0    --  any    any     anywhere             anywhere            
Chain OUTPUT (policy ACCEPT 7319 packets, 3919K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 grp_1      0    --  any    any     anywhere             anywhere            
Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  any    any     anywhere             anywhere            
Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  any    any     anywhere             anywhere            
Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset 
Chain trigger_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         

This is route -n output

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 vlan2
                                                U     0      0        0 vlan2
                                                U     0      0        0 lo
                                                U     0      0        0 br0
                                                UGH   0      0        0 tun1
                                                UH    0      0        0 tun1
                                                UG    0      0        0 tun1
                                                U     0      0        0 br0
                                                UG    0      0        0 tun1
                                                U     0      0        0 tun0

Jien Wai

Posted 2014-04-15T12:05:29.970

Reputation: 31

Please post the output of 'iptables -L' – Jarmund – 2014-04-15T12:11:46.913

@Jarmund update the iptables -L output – Jien Wai – 2014-04-16T01:42:54.130

There are a lot of interface specific rules with -j ACCEPT which come early in the queue, and might therefore override your additional -j DROP rules. Output of route -n is also needed to come up with something more specific. – Jarmund – 2014-04-16T06:48:41.220

@Jarmund updated route -n output. – Jien Wai – 2014-04-16T06:55:09.390



I know this question is a few months old and you may have found the solution but I wanted to give you an answer anyway. Keep in mind that FORWARD rules apply to traffic passing through the router, not to or from the router itself. To deny the traffic to your router, you need to create an INPUT rule naming the source network to drop:

iptables -I INPUT -m iprange --src-range -j DROP


Posted 2014-04-15T12:05:29.970

Reputation: 11
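An added example, not from the question or the answer, that models the point made above and in the comments: a packet addressed to one of the firewall box's own IPs is handed to INPUT, so the asker's FORWARD-only DROPs never see it (which matches their 0-packet counters), while the answer's rule inserted at the top of INPUT does, and the same rule appended below a blanket ACCEPT (like the br0 "state NEW" ACCEPT in the asker's INPUT chain) never fires. All addresses are constructed RFC 5737 placeholders, since the real ones are not shown on the page.

```python
import ipaddress

# Constructed addresses from the RFC 5737 documentation ranges; the page's
# real addresses are not shown, so these stand in for them.
ROUTER_IP = ipaddress.ip_address("192.0.2.1")          # box running iptables, hosts the web GUI
HOTSPOT_NET = ipaddress.ip_network("198.51.100.0/24")  # hotspot client range to be blocked
CLIENT = ipaddress.ip_address("198.51.100.20")         # one constructed hotspot client
EXTERNAL_HOST = ipaddress.ip_address("203.0.113.9")    # a host beyond the box, reached via FORWARD
LOCAL_IPS = {ROUTER_IP, ipaddress.ip_address("127.0.0.1")}
ANY = None  # a rule field left as ANY matches everything ("anywhere" in iptables -L)

def select_chain(dst):
    """Routing decision after PREROUTING: a packet addressed to one of the box's
    own IPs is delivered locally through INPUT; anything else goes to FORWARD."""
    return "INPUT" if dst in LOCAL_IPS else "FORWARD"

def evaluate(rules, src, dst, policy="ACCEPT"):
    """Walk a chain top to bottom; the first matching rule's target is the verdict,
    and the chain policy applies only when nothing matched."""
    for r in rules:
        if r["src"] is not ANY and src not in r["src"]:
            continue
        if r["dst"] is not ANY and dst != r["dst"]:
            continue
        return r["target"]
    return policy

def verdict(table, src, dst):
    """Return (chain traversed, verdict) for one packet under a given rule set."""
    chain = select_chain(dst)
    return chain, evaluate(table[chain], src, dst)

def rule(target, src=ANY, dst=ANY):
    return {"target": target, "src": src, "dst": dst}

# 1. The asker's rules: both DROPs live in FORWARD only.
FORWARD_ONLY = {"INPUT": [],
                "FORWARD": [rule("DROP", dst=ROUTER_IP), rule("DROP", src=HOTSPOT_NET)]}
# 2. The answer: the source-range DROP inserted at the top of INPUT (iptables -I INPUT ...).
INPUT_INSERTED = {"INPUT": [rule("DROP", src=HOTSPOT_NET)], "FORWARD": []}
# 3. The same DROP appended (iptables -A INPUT ...) below a blanket ACCEPT, which
#    is what an early interface-wide ACCEPT does to a later DROP.
INPUT_APPENDED = {"INPUT": [rule("ACCEPT"), rule("DROP", src=HOTSPOT_NET)], "FORWARD": []}

if __name__ == "__main__":
    for name, table in [("FORWARD_ONLY", FORWARD_ONLY), ("INPUT_INSERTED", INPUT_INSERTED),
                        ("INPUT_APPENDED", INPUT_APPENDED)]:
        print(name, "client -> router GUI:", verdict(table, CLIENT, ROUTER_IP))
    print("FORWARD_ONLY client -> external host:", verdict(FORWARD_ONLY, CLIENT, EXTERNAL_HOST))
```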