Goal: To block UDP traffic to devices on the LAN side of this gateway (using dd-wrt firmware) that communicate with the internet and with each other, in order to test specific communications applications running on each device.
Exceptions: allow the bare minimum of UDP needed to support basic network operations, so that these devices can continue communicating (e.g. via TCP) with the internet and with each other.
What I've tried so far:
Added rules (via SSH session) on this router/gateway:
```
iptables -I FORWARD -p udp -j DROP
iptables -I INPUT -p udp -j DROP
```
Observed (what's working well):
- The rule `iptables -I FORWARD -p udp -j DROP` successfully blocks devices on the LAN side from communicating via UDP with devices on the WAN side, as verified by the inability to communicate between these devices with the utility `ncat -u`.
Observed (what's not working):
- Devices on the LAN side can still communicate with each other using UDP:
  - On device-1 (on the LAN side):
    ```
    ncat -lvu
    # launch ncat listener using UDP on default port 31337
    ```
  - On device-2 (on the LAN side):
    ```
    ncat -vu <ip-addr-device-1>
    # launch ncat caller using UDP on default port 31337
    ```
Expectation (desired outcome):
- ncat caller on device-2 unable to communicate using UDP with the ncat listener on device-1.
- ncat caller on device-2 able to communicate using TCP with the ncat listener on device-1, by not using the ncat parameter `-u`.
Additional info:
- Using the command `iptables -I INPUT -p udp -j DROP` impacts too much other communication, but it is used anyway, to demonstrate the ineffectiveness of this rule in preventing UDP communication between these two devices.
- Using hardware: tp-link AC1750 (Archer C7 v5)
- Using firmware: dd-wrt, with setting "Operating Mode = Gateway"
- Devices behind gateway are UWP, iOS, Android. Examples given here using UWP (Windows 10) devices.
- I've seen "How do I block UDP while still allowing outbound UDP connections with iptables?", but it doesn't appear effective in my case, as demonstrated by trying `iptables -I INPUT -p udp -j DROP`.
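The "bare minimum UDP" exception the question asks for, written out as a dd-wrt-style shell snippet. This is an added example, not code from the original post: it assumes the only UDP the devices need for basic operation is DNS, DHCP and NTP (hypothetical choice of services), and that the router's iptables has the `state` match. It only governs traffic that actually traverses the router (FORWARD, and INPUT to the router itself); two hosts on the same LAN segment exchange frames through the switch/bridge without entering those chains, which is consistent with the LAN-to-LAN observation above.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the exception rules
# first and the catch-all UDP DROP last, for one netfilter chain.
# Assumptions: DNS(53), DHCP(67/68) and NTP(123) are the only UDP services
# the devices need; "-m state" is available on this iptables build.
# Set IPT=echo to preview the generated commands without changing the
# firewall (used by the checks below); leave it unset on the router.
IPT="${IPT:-iptables}"

# Each "-I" inserts at position 1, so rules are emitted in reverse of the
# order they must match in. Resulting chain order (top to bottom):
#   ESTABLISHED/RELATED accept, DNS, DHCP, NTP, then DROP all other UDP.
udp_policy() {
    chain="$1"   # FORWARD (LAN <-> WAN) or INPUT (to the router itself)
    "$IPT" -I "$chain" -p udp -j DROP
    "$IPT" -I "$chain" -p udp --dport 123   -j ACCEPT   # NTP
    "$IPT" -I "$chain" -p udp --dport 67:68 -j ACCEPT   # DHCP
    "$IPT" -I "$chain" -p udp --dport 53    -j ACCEPT   # DNS
    # Replies to datagrams the router/LAN already sent (e.g. DNS answers
    # coming back from upstream) must not be caught by the DROP.
    "$IPT" -I "$chain" -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of ACCEPT exceptions the policy installs, for self-checking.
expected_accepts() {
    echo 4
}

apply_all() {
    udp_policy FORWARD
    udp_policy INPUT
}
```

Run as `IPT=echo sh udp-policy.sh` first to see the exact commands, then without `IPT=echo` on the router (the function calls go in the script or are invoked interactively).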