Posted: Sun May 21, 2017 12:50 Post subject: Re: WRT1200AC v2 - iptables issue
d0ug wrote:
All that said, I still don't think this is really necessary to keep from being infected by WannaCry. By default the router already blocks all incoming traffic unless you have specifically opened a port in the port forwarding. About all this would protect against is one of your machines becoming infected and reaching out through the internet to infect others.
One caveat: if you still have UPnP enabled, something might be able to open a port without your knowledge. You already have UPnP disabled, right? Even with these iptables drop commands enabled and UPnP enabled, there is no telling how the router is actually handling the UPnP requests internally. It could be issuing iptables commands that would just overwrite what you have specified. So it's probably best to keep UPnP disabled.
I work in IT Security, so I get the principles. I do have UPnP disabled and most of the other unneeded services, but the NetBIOS & SMB ports I blocked were only a fraction of the ones I am intending to block on my router; I just used them as an example.
EDIT: Well, that was unexpected. So removing "all" and replacing it with "tcp" works, even though I saw in the documentation that "all" would work. Strange... I'll post updates soon; I just had a baby, so it will be a few days. I'll hopefully get my script to run in the firewall rules section.
Quick question though: someone mentioned updating iptables on my router via USB. Is there a link on how to do that exactly?
I figured out that while some people and some documentation say that "-p all" or "-p 0" works, neither does. I figured out by trial and error that only "-p tcp" and "-p udp" work, so if you want to block both TCP and UDP incoming packets on a port or port range you have to copy/paste the code twice, once saying tcp and the other saying udp. It's kind of lame, as it's double the code, but it works now.
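Since the working approach above is one rule per protocol, the duplicated lines can be generated in a loop instead of pasted by hand. The script below is an added example, not code from the original post or from DD-WRT: it prints one DROP rule per chain/protocol/port combination for the NetBIOS (137-139) and SMB (445) ports used in the thread, for review before anything is applied. The WAN interface name (eth0 by default here) and the port list are assumptions; adjust them for your build, and note that the -C check, which keeps the firewall script from inserting duplicate rules each time it re-runs, is only honoured by iptables versions that support it.

```shell
#!/bin/sh
# Added example (not from the original post or DD-WRT): generate the iptables DROP
# rules for both tcp and udp so they do not have to be copy/pasted twice by hand.
# Assumptions (hypothetical): WAN interface name in WAN_IF; port list is a
# constructed example (NetBIOS 137-139 and SMB 445).

WAN_IF="${WAN_IF:-eth0}"   # assumed; on DD-WRT check with: nvram get wan_ifname
PROTOS="tcp udp"            # one rule per protocol, as found in the post above
PORTS="137:139 445"         # port ranges use the iptables a:b form

# gen_block_rules IFACE "proto ..." "port ..."
# Prints the commands instead of running them so they can be reviewed first.
# Each line tries -C (check) before -I (insert), so re-running the firewall
# script does not stack duplicate rules; on an iptables build without -C the
# check fails and the rule is simply inserted, as before.
gen_block_rules() {
    iface=$1; protos=$2; ports=$3
    for chain in INPUT FORWARD; do          # INPUT = router itself, FORWARD = LAN hosts
        for proto in $protos; do
            for port in $ports; do
                rule="-i $iface -p $proto --dport $port -j DROP"
                printf 'iptables -C %s %s 2>/dev/null || iptables -I %s %s\n' \
                    "$chain" "$rule" "$chain" "$rule"
            done
        done
    done
}

# rule_count IFACE "proto ..." "port ..."  ->  number of rules that would be generated
rule_count() {
    gen_block_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Review the output; to apply as root on the router:
#   gen_block_rules "$WAN_IF" "$PROTOS" "$PORTS" | sh
gen_block_rules "$WAN_IF" "$PROTOS" "$PORTS"
```

The rules go into both INPUT (traffic to the router itself) and FORWARD (traffic to LAN hosts), so a port that was opened in port forwarding or by UPnP is still dropped for these services. Paste the generated lines, or the script itself, into the firewall rules section so they are re-applied whenever the WAN comes up.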