How do I configure iptables in DD-WRT to block Skype on br1 only?

SteveJ asked:

Using DD-WRT on a Linksys router, I’ve got a private network set up as br0 and a guest network set up as br1.

I want to block access to Skype on only the guest network, and the easiest way I’ve seen to block Skype is to block access to their authentication servers.

I’m able to successfully block access to Skype for EVERYONE connecting to the router by adding the following firewall rules:

iptables -I FORWARD -s 111.221.74.0/24 -j DROP
iptables -I FORWARD -s 111.221.77.0/24 -j DROP
iptables -I FORWARD -s 157.55.130.0/24 -j DROP
iptables -I FORWARD -s 157.55.235.0/24 -j DROP
iptables -I FORWARD -s 157.55.56.0/24 -j DROP
iptables -I FORWARD -s 157.56.52.0/24 -j DROP
iptables -I FORWARD -s 194.165.188.0/24 -j DROP
iptables -I FORWARD -s 195.46.253.0/24 -j DROP
iptables -I FORWARD -s 213.199.179.0/24 -j DROP
iptables -I FORWARD -s 63.245.217.0/24 -j DROP
iptables -I FORWARD -s 64.4.23.0/24 -j DROP
iptables -I FORWARD -s 65.55.223.0/24 -j DROP

So I thought that by simply adding “-i br1” after the FORWARD command in each of the above lines, I could block it only on the guest (br1) network, like this:

iptables -I FORWARD -i br1 -s 111.221.74.0/24 -j DROP

However, that doesn’t block it for anyone. What am I doing wrong? Thanks in advance.

P.S. As further reference, here are my pre-existing current firewall rules:

#Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

#Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#Restrict br1 from accessing br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

#Restrict br1 from accessing the WAN subnet
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

#Restrict br1 from accessing the router's local sockets
iptables -I INPUT -i br1 -m state --state NEW -j DROP

#Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

My answer:
Your Skype rules are blocking traffic originating from the given IP address ranges. So the traffic is coming in on your WAN interface, not your guest bridge br1. That’s why -i br1 doesn’t work.

To fix this, instead block traffic to those destinations which comes in from the guest bridge. For example:

iptables -I FORWARD -i br1 -d 111.221.74.0/24 -j DROP

View the full question and answer on Server Fault.
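The fix in the answer changes two things at once: the match switches from `-s` (source) to `-d` (destination), and `-i br1` now makes sense because packets from a guest client to a Skype address do enter the router on br1. The original `-s` rules only ever matched reply traffic, which arrives on the WAN interface, so `-i br1` could never match. As an added example (not part of the question or the answer on Server Fault), the script below applies that corrected form to the whole subnet list from the question for a chosen bridge, printing the rules by default and applying them only when `APPLY=1` is set; the subnet list is the one quoted above, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: generate destination-based FORWARD drop rules for one bridge.
# Subnets are the ones listed in the question; the interface is a parameter.
SKYPE_SUBNETS="111.221.74.0/24 111.221.77.0/24 157.55.130.0/24 157.55.235.0/24
157.55.56.0/24 157.56.52.0/24 194.165.188.0/24 195.46.253.0/24
213.199.179.0/24 63.245.217.0/24 64.4.23.0/24 65.55.223.0/24"

# Print one iptables command per subnet.
#   -i "$iface" matches only packets that ENTER the router on that bridge,
#   -d matches the destination, so guest clients talking to Skype are caught
#   while packets arriving from the WAN (which -s would have matched) are not.
# -I puts each rule at the top of FORWARD, ahead of the "br1 NEW ACCEPT" rule
# from the existing firewall script, so the drop is evaluated first.
skype_block_rules() {
    iface="$1"
    for net in $SKYPE_SUBNETS; do
        printf 'iptables -I FORWARD -i %s -d %s -j DROP\n' "$iface" "$net"
    done
}

# Number of rules the function emits; a quick sanity check that no subnet
# was lost when the list was edited.
skype_rule_count() {
    skype_block_rules "$1" | wc -l | tr -d ' '
}

# Default: print the rules so they can be reviewed or pasted into the
# DD-WRT firewall script. With APPLY=1 the commands are executed instead,
# which needs root on the router itself. Usage: APPLY=1 ./skype_block.sh br1
if [ "${APPLY:-0}" = "1" ]; then
    skype_block_rules "${1:-br1}" | sh
else
    skype_block_rules "${1:-br1}"
fi
```

After applying, `iptables -L FORWARD -v -n` shows the twelve DROP rules above the br1 ACCEPT rule, and the packet counters on them increase only when a guest client actually tries to reach one of the listed ranges; br0 traffic is unaffected because no rule names it.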

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.