Posted: Sun Mar 10, 2024 20:53 Post subject: SPI Firewall Question + custom IP Tables Rules
Hello, I run my own rules (I have a complex mesh I connect some end clients on DD-WRT to) and the behavior of DD-WRT's SPI firewall makes no sense.... I have my own external rules being applied by commands that work fine 99% of the time, but I disabled the SPI firewall as it is of no use to me running my own rules, and it decides to stop remote HTTPS and SSH - lol - "WHY"?
It is not just blocked; even locally on the router it's just gone totally if I try to hit it from the external port.
I see it in nvram as being on; it makes 0 sense why it acts so greedily. It should just disable the addition of its own rules in iptables vs. kill all external services & remove access to things it usually manages, seemingly. Why is it taking the "we know best" approach ;0
Here is what I am applying via script, and I want it to be authoritative, per se. Here is what it is doing.
# Implied by the policy but just for clarity this is added.
iptables -A INPUT -i eth0 -j DROP
Net Effect with SPI off...
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N advgrp_1
-N advgrp_10
-N advgrp_11
-N advgrp_12
-N advgrp_13
-N advgrp_14
-N advgrp_15
-N advgrp_16
-N advgrp_17
-N advgrp_18
-N advgrp_19
-N advgrp_2
-N advgrp_20
-N advgrp_3
-N advgrp_4
-N advgrp_5
-N advgrp_6
-N advgrp_7
-N advgrp_8
-N advgrp_9
-N grp_1
-N grp_10
-N grp_11
-N grp_12
-N grp_13
-N grp_14
-N grp_15
-N grp_16
-N grp_17
-N grp_18
-N grp_19
-N grp_2
-N grp_20
-N grp_3
-N grp_4
-N grp_5
-N grp_6
-N grp_7
-N grp_8
-N grp_9
-N lan2wan
-N logaccept
-N logdrop
-N logreject
-N trigger_out
-N upnp
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41001 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10002 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10003 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10004 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10005 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10006 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10007 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10008 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10009 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10010 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10055 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10099 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5022 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5443 -j ACCEPT
-A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix IPV4_Firewall_Disallowed_Port
-A INPUT -i eth0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j upnp
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -d 224.0.0.0/4 -i eth0 -p udp -j ACCEPT
-A FORWARD -i eth0 -o br0 -j TRIGGER--trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i eth0 -o eth1 -j TRIGGER--trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A FORWARD -i eth1 -j trigger_out
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o ath0 -j TRIGGER--trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A FORWARD -i ath0 -j trigger_out
-A FORWARD -i ath0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o ath1 -j TRIGGER--trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A FORWARD -i ath1 -j trigger_out
-A FORWARD -i ath1 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A logreject -p tcp -j REJECT --reject-with tcp-reset
Why is it adding all of these un-needed rules, and also why is remote access not working just from killing packet inspection? I cannot telnet to these ports (5443 and 5022) externally, but I can ping ;0 lol, it decides to use the ICMP rule at least. I cannot win: if I enable it, it messes up my rules even if I do an insert vs. append; if I turn it off, my rules work but it kills remote access. SMH ;0 ? #help
Posted: Mon Mar 11, 2024 2:11 Post subject: update - Post Fiddling
So I tried everything I read on the forums, ref multicast being an issue; I killed every rule it created, nothing worked. It had the NAT redirect rules in place, none of them work..... YET when I port forward the same ports, it adds two more rules, and THIS works. Going out on a limb here... something is broken with DD-WRT and SPI ;0
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Mon Mar 11, 2024 7:24 Post subject:
First... when you have a question, tell us the build number and router model, as it makes things clearer...
Second, looking at your config output... I can see you are running an old build... so update, reset and
manually reconfigure... do not load a save file from a different build..
Disabling the SPI firewall always comes with caveats..
Using -A instead of -I will put rules in a different order... so be careful which you use..
Default iptables rules cannot be taken down...
In general the SPI firewall works OK and you don't need to purge rules and set the default policy to DROP, as they are already preset in their own way...
Finally, make sure your rules follow the correct syntax...
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
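The ordering point in the reply above (-I puts a rule at the top of the chain, -A at the bottom) and the first post's wish for a script whose rules are authoritative, worked as an added shell example. This is not code from the thread or from DD-WRT; it assumes the interfaces and ports visible in the posted dump (eth0 as WAN, tcp 5022/5443 for management, the listed UDP mesh ports), and the render_chain helper is a small simulator added here so the final chain order can be previewed without running iptables. One check worth doing before reordering anything: the posted INPUT chain already ACCEPTs 5022 and 5443 before its eth0 DROP, so `iptables -L INPUT -v -n --line-numbers` while connecting from outside tells you whether the packet counters on those two rules move at all. If they stay at zero, the packets are not reaching the filter INPUT chain and no INPUT rule change will help; if they climb, the filter let the packet through and the problem is elsewhere.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT.
# A DD-WRT "Firewall" custom script that makes a small WAN allow-list
# authoritative by inserting at the top of INPUT (-I INPUT 1), whatever the
# SPI firewall appended below, and that can be re-run without duplicating
# rules. Assumed from the posted dump: WAN is eth0, management on tcp
# 5022/5443, mesh on the listed UDP ports. DRY_RUN=1 prints instead of applies.

WAN="${WAN:-eth0}"
TCP_ALLOW="${TCP_ALLOW:-5022 5443}"
UDP_ALLOW="${UDP_ALLOW:-41001 10002 10003 10004 10005 10006 10007 10008 10009 10010 10055 10099}"
DRY_RUN="${DRY_RUN:-0}"

# ipt: run iptables, or print the command when DRY_RUN=1.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# add_once CHAIN RULE...: insert RULE at position 1 of CHAIN unless it is
# already present (-C). An older iptables without -C just falls through to -I.
add_once() {
  ch="$1"; shift
  if [ "$DRY_RUN" != "1" ] && iptables -C "$ch" "$@" 2>/dev/null; then
    return 0
  fi
  ipt -I "$ch" 1 "$@"
}

# apply_wan_rules: because every rule goes in at position 1, they are listed
# here in REVERSE of the order wanted in the chain. Final order, top down:
#   conntrack ACCEPT, tcp allow-list, udp allow-list, icmp, log, DROP.
apply_wan_rules() {
  add_once INPUT -i "$WAN" -j DROP
  add_once INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "IPV4_Firewall_Disallowed_Port"
  add_once INPUT -i "$WAN" -p icmp -j ACCEPT
  for p in $UDP_ALLOW; do add_once INPUT -i "$WAN" -p udp --dport "$p" -j ACCEPT; done
  for p in $TCP_ALLOW; do add_once INPUT -i "$WAN" -p tcp --dport "$p" -j ACCEPT; done
  add_once INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# render_chain: simulator added for this example. Reads DRY_RUN output
# ("iptables -I INPUT 1 RULE" per line) and prints the chain as the kernel
# would hold it after those inserts, so the -I ordering can be checked first.
render_chain() {
  chain=""
  while IFS= read -r line; do
    rule="${line#iptables -I INPUT 1 }"
    chain="$rule
$chain"
  done
  printf '%s' "$chain"
}

# Stand-alone use:  sh firewall.sh preview   (show the resulting chain order)
#                   sh firewall.sh apply     (insert the rules on the router)
case "${1:-}" in
  preview) DRY_RUN=1; apply_wan_rules | render_chain ;;
  apply)   apply_wan_rules ;;
esac
```

In the DD-WRT GUI the script body is pasted as the Firewall script, so the last line there would simply be `apply_wan_rules`; DD-WRT re-runs that script whenever the firewall is rebuilt, which is why the -C check matters. Writing the rules in reverse is the price of -I 1; the preview mode exists so that reversal is checked on output rather than assumed.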