View Full Version : iptables doesn't work
sander81
02-11-2008, 18:29
I need a very simple filter, and I'm going crazy!
[root@Router root]$ more /usr/local/sbin/post-firewall
#!/bin/sh
# Drop everything from 192.168.1.94 to 192.168.1.2, both for packets addressed
# to the router itself (INPUT) and for packets the router forwards (FORWARD).
iptables -I INPUT -s 192.168.1.94 -d 192.168.1.2 -j DROP
iptables -I FORWARD -s 192.168.1.94 -d 192.168.1.2 -j DROP
# Traffic shaping on the interface passed in as $1
wshaper start "$1" 1000 220
I tried with only the FORWARD rule, then with both... then I tried with -A (append) on INPUT and FORWARD.
I also tried this filter:
iptables -I FORWARD -s 192.168.1.94 -p tcp --dport 8080 -j DROP
Of course I typed the 3 commands to commit the changes and rebooted the router; nothing... these iptables entries don't work: the connection isn't dropped.
PS: the router has the latest Oleg firmware. With iptables -L -v I see the entries as they should be.
Tamadite
04-11-2008, 21:33
I guess what you are trying to do is to avoid one host on your LAN (192.168.1.94) reaching another host on the same LAN (192.168.1.2), right?
Why don't you post your routing table? (iptables -L -n --line-numbers)
sander81
05-11-2008, 03:29
iptables -L -v -n --line-number

Chain INPUT (policy ACCEPT 3753 packets, 272K bytes)
num   pkts bytes target  prot opt in   out  source        destination
1     2354  156K MACS    all  --  *    *    0.0.0.0/0     0.0.0.0/0

Chain FORWARD (policy ACCEPT 257K packets, 60M bytes)
num   pkts bytes target  prot opt in   out  source        destination
1    34857   16M MACS    all  --  *    *    0.0.0.0/0     0.0.0.0/0

Chain OUTPUT (policy ACCEPT 118K packets, 10M bytes)
num   pkts bytes target  prot opt in   out  source        destination

Chain MACS (2 references)
num   pkts bytes target  prot opt in   out  source        destination
1        0     0 DROP    tcp  --  *    *    0.0.0.0/0     0.0.0.0/0     tcp dpt:8080
2        0     0 DROP    all  --  br0  br0  192.168.1.94  192.168.1.2

Chain SECURITY (0 references)
num   pkts bytes target  prot opt in   out  source        destination

Chain logaccept (0 references)
num   pkts bytes target  prot opt in   out  source        destination

Chain logdrop (0 references)
num   pkts bytes target  prot opt in   out  source        destination
This, for example...
From the INPUT and FORWARD chains the rules match and the packet counters increment, but in chain MACS both rules don't work...
Yes Tamadite, I want to block one PC from connecting to another (I also tried the -m mac --mac-source option; nothing).
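The listing above already contains the check worth making: the MACS jump rules in INPUT and FORWARD count every packet the router sees, while the two DROP rules inside MACS have never matched a single packet. The following is an added example, not code from the original post, from the thread's participants, or from the Oleg firmware: a small Python parser for `iptables -L -v -n --line-numbers` output that flags rules whose packet counter is still zero, rules that can only match traffic entering and leaving on the same interface (br0 to br0 here, i.e. host-to-host traffic inside the LAN, which a switch delivers between ports without the router's kernel ever seeing it), and user chains nothing jumps to. The sample input is the listing posted above, embedded verbatim; the class and function names are my own.

```python
"""Check an `iptables -L -v -n --line-numbers` listing for rules that look
right but never fire. Added example; SAMPLE_LISTING is the listing from the
post above, embedded verbatim as test input."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
REF_RE = re.compile(r"^(\d+) references?$")
POLICY_RE = re.compile(r"^policy (\S+)")


@dataclass
class Rule:
    chain: str
    num: int
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str = ""  # trailing match options, e.g. "tcp dpt:8080"


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # built-in chains carry a policy ...
    references: int        # ... user-defined chains carry a reference count
    rules: List[Rule] = field(default_factory=list)


def _counter(text: str) -> int:
    """Expand the K/M/G abbreviations that iptables -v uses for counters."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    if text[-1] in mult:
        return int(float(text[:-1]) * mult[text[-1]])
    return int(text)


def parse_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, info = m.groups()
            pol, ref = POLICY_RE.match(info), REF_RE.match(info)
            current = Chain(name, pol.group(1) if pol else None,
                            int(ref.group(1)) if ref else 0)
            chains[name] = current
            continue
        if line.startswith("num ") or current is None:
            continue  # column header line
        # Columns: num pkts bytes target prot opt in out source destination [extra]
        parts = line.split(None, 9)
        if len(parts) < 10:
            continue
        num, pkts, byts, target, prot, _opt, in_if, out_if, src, rest = parts
        dst, _, extra = rest.partition(" ")
        current.rules.append(Rule(current.name, int(num), _counter(pkts),
                                  _counter(byts), target, prot, in_if,
                                  out_if, src, dst, extra.strip()))
    return chains


def unmatched_rules(chains: Dict[str, Chain]) -> List[Rule]:
    """Rules that are loaded but whose packet counter is still zero."""
    return [r for c in chains.values() for r in c.rules if r.pkts == 0]


def same_interface_rules(chains: Dict[str, Chain]) -> List[Rule]:
    """Rules restricted to one interface for both in and out (br0 -> br0):
    LAN host-to-host traffic is switched between ports and normally never
    reaches the router's netfilter hooks, so such rules rarely match."""
    return [r for c in chains.values() for r in c.rules
            if r.in_if == r.out_if and r.in_if != "*"]


def unreferenced_chains(chains: Dict[str, Chain]) -> List[str]:
    """User-defined chains nothing jumps to; their rules are dead code."""
    return [c.name for c in chains.values()
            if c.policy is None and c.references == 0]


SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 3753 packets, 272K bytes)
num pkts bytes target prot opt in out source destination
1 2354 156K MACS all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 257K packets, 60M bytes)
num pkts bytes target prot opt in out source destination
1 34857 16M MACS all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 118K packets, 10M bytes)
num pkts bytes target prot opt in out source destination
Chain MACS (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
2 0 0 DROP all -- br0 br0 192.168.1.94 192.168.1.2
Chain SECURITY (0 references)
num pkts bytes target prot opt in out source destination
Chain logaccept (0 references)
num pkts bytes target prot opt in out source destination
Chain logdrop (0 references)
num pkts bytes target prot opt in out source destination
"""

if __name__ == "__main__":
    table = parse_listing(SAMPLE_LISTING)
    for r in unmatched_rules(table):
        print(f"never matched: {r.chain} #{r.num} {r.target} "
              f"{r.source} -> {r.destination} {r.extra}")
    for r in same_interface_rules(table):
        print(f"same in/out interface ({r.in_if}): {r.chain} #{r.num}")
    print("unreferenced chains:", unreferenced_chains(table))
```

Run it against a fresh `iptables -L -v -n --line-numbers` capture from the router, generate some traffic between the two hosts, and run it again: a rule that stays in the "never matched" list after the traffic has flowed is a rule the router is not on the path for, regardless of how correct it looks.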
Tamadite
07-11-2008, 06:32
The router is there to route traffic between networks; in other words, the router does not act on packets within the same network, therefore you cannot prevent one host on your LAN (192.168.1.94) from reaching another host on the same LAN (192.168.1.2). To do this you have to manipulate the ARP table on the host.
Tamadite
09-11-2008, 10:54
If you really want to use the router to route traffic within your LAN, you can make use of VLANs and assign one VLAN per port in the switch. This will reduce the efficiency of your LAN, since all traffic will be "managed" by the router. More info: http://wl500g.info/showthread.php?t=1718&highlight=vlan
In general terms, I would personally go for manipulating the ARP table.