Firewall and incoming connections

DD-WRT Forum Index -> Broadcom SoC based Hardware
daverage
DD-WRT Novice


Joined: 24 Aug 2009
Posts: 6

PostPosted: Mon Aug 24, 2009 6:57    Post subject: Firewall and incoming connections
Hi all.
I am a total newbie with dd-wrt, though it has sorted out a number of problems I had with my Linksys WRT54GS 5.1 !!
I have a couple of questions. Is there a place in the admin (using micro build) where I can see a list of recent incoming connections?

Also, I have no idea how to use iptables, but I really want to be able to limit the incoming connections to just a few IP ranges (work and dad's house).
Can anyone give me a few pointers?

Many thanks!!
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Mon Aug 24, 2009 9:39    Post subject: Re: Firewall and incoming connections
daverage wrote:
Is there a place in the admin (using micro build) where I can see a list of recent incoming connections?


Nope, not possible in micro.

_________________
The New Me
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Mon Aug 24, 2009 11:08    Post subject:
The firewall log isn't available in micro but there are other options. I'm not sure if it's in micro but on the status page click the active ip connections to view all connections. If it's not then you can run cat /proc/net/ip_conntrack for sure.

See the wiki article, man page, and examples all over the net for iptables. It's really not that hard for basic things if you're familiar with CLIs.

iptables -I FORWARD -m state --state NEW -j DROP
iptables -I FORWARD -s [allowed ip/mask] -j ACCEPT

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
daverage
DD-WRT Novice


Joined: 24 Aug 2009
Posts: 6

PostPosted: Mon Aug 24, 2009 11:30    Post subject:
Thanks, I did find the active connections link, so that was cool. Will look more into the iptables thing; if it is as simple as you suggest then great, but what I have seen means nothing to me so far lol
daverage
DD-WRT Novice


Joined: 24 Aug 2009
Posts: 6

PostPosted: Mon Aug 24, 2009 11:36    Post subject:
so would

iptables -I FORWARD -m state --state NEW -j DROP
Drop all incoming connections

then

iptables -I FORWARD -s 192.168.2.0/24 -j ACCEPT

Allow anything from my network internally
(all IP addresses start with 192.168.2.x)
daverage
DD-WRT Novice


Joined: 24 Aug 2009
Posts: 6

PostPosted: Mon Aug 24, 2009 15:07    Post subject:
Ok changed my needs a little.
Really all I want to block is all traffic to port 21, except for a couple of specific IPs

I think this should work, but it does not seem to do much!!

iptables -F

iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT

iptables -I INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -s xx.xxx.xxx.xxx --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xx --dport 21 -m state --state NEW -j ACCEPT
daverage
DD-WRT Novice


Joined: 24 Aug 2009
Posts: 6

PostPosted: Mon Aug 24, 2009 20:10    Post subject:
Urg,
Ok, my network is so secure... I cannot log in at all.

Had to reset it all.

Cannot see why that would happen with that script; there is nothing there stopping all incoming traffic?!

HELP!!
:(

Thanks
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Mon Aug 24, 2009 21:28    Post subject:
You're diving too deep too fast. You should not be trying to flush the chains and rebuild from scratch before you understand it well.

# drop all new incoming connections (doesn't match established ones)
iptables -I FORWARD -m state --state NEW -j DROP

# allow any incoming connection from this subnet
iptables -I FORWARD -s 192.168.2.0/24 -j ACCEPT


The way I wrote these rules was so that they could be dropped into existing configs without a lot of work. Even though the connections are accepted through the firewall, they still need something on the router listening or a port forwarded to a host that is listening.

lgkahn
DD-WRT User


Joined: 01 May 2007
Posts: 228

PostPosted: Tue Aug 25, 2009 19:24    Post subject:
The reason you got locked out is that rules are processed in order. Look at your rules:
iptables -I INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -s xx.xxx.xxx.xxx --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xx --dport 21 -m state --state NEW -j ACCEPT

The first rule drops all packets going to port 21.

It never gets to the last two port 21 rules, since the first rule already matched and dropped the packet.
daverage
DD-WRT Novice


Joined: 24 Aug 2009
Posts: 6

PostPosted: Mon Aug 31, 2009 17:06    Post subject:
Ok so I now have
iptables -F

iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -I INPUT -m state --state NEW -j DROP

iptables -I INPUT -s 192.168.2.0/24 -j ACCEPT


#exceptions
#phone
iptables -I INPUT -s XXX -j ACCEPT
#office
iptables -I INPUT -s XXX -j ACCEPT

This seems to block incoming whilst allowing me to use the web at home but still not letting the external connections I am specifying!!
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Mon Aug 31, 2009 19:08    Post subject:
phuzi0n wrote:
You're diving too deep too fast. You should not be trying to flush the chains and rebuild from scratch before you understand it well.

You should read the man page and study the section about tables and their respective chains. That iptables -F rule (flush all chains in the filter table) is an awful thing to be doing without a firm understanding of everything you need to insert. The INPUT chain of the filter table only allows traffic destined to the router itself, not anything being forwarded to your LAN. I think your exceptions are meant to be in the FORWARD chain, but you're likely using NAT and need to forward ports in the NAT table.

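Added example, not from any of the posters and not DD-WRT code: a small Python model of how the filter table walks the rules in the commands posted above. It covers lgkahn's point (the first matching rule wins, and -I puts a rule at the head of the chain while -A appends it to the tail) and phuzi0n's point that INPUT only sees traffic addressed to the router itself, while traffic forwarded on to a LAN host walks FORWARD. The router address 192.168.2.1 and the address 203.0.113.10 (standing in for the masked xx.xxx.xxx.xxx) are constructed; NAT and port forwarding are not modelled.

```python
"""First-match model of the iptables subset used in this thread.

Constructed teaching code: not iptables, not DD-WRT code, not from any
poster. It models only the filter table's INPUT/FORWARD/OUTPUT chains, the
-F/-P/-I/-A commands and the -s, -p, --dport, -i, -m state --state and -j
options seen in the posts. NAT and port forwarding are not modelled.
"""
import ipaddress
import shlex

ROUTER_IP = "192.168.2.1"  # assumed LAN address of the router (not given in the thread)
PHONE = "203.0.113.10"     # constructed stand-in for the masked "xx.xxx.xxx.xxx"

OPTIONS = {"-s": "src", "-p": "proto", "--dport": "dport",
           "-i": "iface", "--state": "state", "-j": "target"}


class FilterTable:
    def __init__(self):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}

    def load(self, script):
        """Apply every non-blank, non-comment 'iptables ...' line, in order."""
        for line in script.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                self.run(line)

    def run(self, cmd):
        argv = shlex.split(cmd)
        if argv[0] == "iptables":
            argv = argv[1:]
        if argv[0] == "-F":                    # flush every chain; policies survive
            for rules in self.chains.values():
                rules.clear()
            return
        if argv[0] == "-P":                    # default policy when no rule matches
            self.policy[argv[1]] = argv[2]
            return
        mode, chain, rule, i = argv[0], argv[1], {}, 2
        while i < len(argv):
            if argv[i] == "-m":                # '-m state' only loads the match module
                i += 2
                continue
            rule[OPTIONS[argv[i]]] = argv[i + 1]
            i += 2
        if mode == "-I":                       # -I inserts at the HEAD of the chain
            self.chains[chain].insert(0, rule)
        elif mode == "-A":                     # -A appends at the TAIL of the chain
            self.chains[chain].append(rule)
        else:
            raise ValueError("unsupported command: " + cmd)

    @staticmethod
    def matches(rule, pkt):
        if "src" in rule and ipaddress.ip_address(pkt["src"]) not in \
                ipaddress.ip_network(rule["src"], strict=False):
            return False
        if "proto" in rule and rule["proto"] != pkt["proto"]:
            return False
        if "dport" in rule and int(rule["dport"]) != pkt["dport"]:
            return False
        if "iface" in rule and rule["iface"] != pkt["iface"]:
            return False
        if "state" in rule and pkt["state"] not in rule["state"].split(","):
            return False
        return True

    def verdict(self, pkt):
        """Return (chain, target, index of the rule that fired or None).
        Packets addressed to the router walk INPUT; packets routed on to
        another host walk FORWARD. The first matching rule decides."""
        chain = "INPUT" if pkt["dst"] == ROUTER_IP else "FORWARD"
        for idx, rule in enumerate(self.chains[chain]):
            if self.matches(rule, pkt):
                return chain, rule["target"], idx
        return chain, self.policy[chain], None


def packet(src, dst, dport=21, state="NEW", proto="tcp", iface="vlan1"):
    return {"src": src, "dst": dst, "dport": dport, "state": state,
            "proto": proto, "iface": iface}


def evaluate(script, pkt):
    table = FilterTable()
    table.load(script)
    return table.verdict(pkt)


# The port-21 ruleset as posted: DROP is inserted first, so the ACCEPT
# exception appended after it is never reached.
LOCKOUT_SCRIPT = """
iptables -P INPUT ACCEPT
iptables -I INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s 203.0.113.10 --dport 21 -m state --state NEW -j ACCEPT
"""

# Same intent, but the exception is inserted AFTER the DROP, so -I puts it first.
FIXED_SCRIPT = """
iptables -I INPUT -p tcp --dport 21 -j DROP
iptables -I INPUT -p tcp -s 203.0.113.10 --dport 21 -m state --state NEW -j ACCEPT
"""

# The two FORWARD rules posted above: block new connections, then put the LAN exception above them.
FORWARD_SCRIPT = """
iptables -I FORWARD -m state --state NEW -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -j ACCEPT
"""
```

Running the posted port-21 rules through the model returns ('INPUT', 'DROP', 0) for a new connection from the exception address, because the DROP inserted first is the rule that fires; with the ACCEPT inserted after the DROP, the same packet returns ('INPUT', 'ACCEPT', 0). That same packet aimed at a LAN host such as 192.168.2.50 never touches INPUT at all and falls through an empty FORWARD chain to its policy, which is why exceptions placed in INPUT cannot open a forwarded port. In the FORWARD ruleset, a packet from the LAN subnet hits the ACCEPT at index 0, an outside NEW connection hits the DROP at index 1, and an ESTABLISHED packet from the same outside address matches neither and is left to the chain policy.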
All times are GMT