My fixtables was prepared for this glorious moment and will then disable its own version of iptables in /opt/usr/sbin
It will protect all your incoming telnet/SSH/FTP/VNC/RDP connections automatically using this module.
Although my rc_firewall only contains this for my INPUT chain:
Here's the complete INPUT chain. I enhanced the startup scripts for pound, asterisk and lighttpd to automatically add the appropriate rules in INPUT and DNAT.
# iptables-save | grep INPUT
:INPUT ACCEPT [6070754:995817080]
:INPUT ACCEPT [0:0]
-A INPUT -i vlan2 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -i vlan2 -p udp -m udp --dport 5060 -j asterisk_ban
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 520 -j DROP
-A INPUT -i br0 -j ACCEPT
-A INPUT -i vlan2 -p tcp -m tcp --dport 443:446 -j world
-A INPUT -i vlan2 -p tcp -m tcp --dport 8080 -j china
-A INPUT -i vlan2 -p udp -m udp --dport 5060 -j world
-A INPUT -i vlan2 -p udp -m udp --dport 520 -j DROP
-A INPUT -p udp -m udp --dport 520 -j ACCEPT
-A INPUT -d 192.168.10.1 -p tcp -m tcp --dport 88 -j logaccept
-A INPUT -i vlan2 -p tcp -m tcp --dport 22 -j bruteprotect
-A INPUT -d 192.168.10.1 -p tcp -m tcp --dport 22 -j logaccept
-A INPUT -i vlan2 -p icmp -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -i vlan2 -p icmp -j DROP
-A INPUT -i vlan2 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i vlan2 -p udp -m udp --dport 12000:13000 -j ACCEPT
-A INPUT -d 192.168.10.1 -i vlan2 -p tcp -m tcp --dport 446 -j ACCEPT
-A INPUT -d 192.168.10.1 -i vlan2 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 192.168.10.1 -i vlan2 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p igmp -j logdrop
-A INPUT -d 239.255.255.0/255.255.255.0 -i vlan2 -p udp -m udp --dport 1900 -m limit --limit 10/min --limit-burst 15 -j logaccept
-A INPUT -j logdrop
This is where 'bruteprotect' comes in:
# iptables-save | grep brute
_________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
Joined: 22 Oct 2009 Posts: 157 Location: North East - USA
Posted: Sun Dec 19, 2010 15:19 Post subject:
Testing 15940 on an RT-N12 in mixed AP mode (WAN disabled). It has been stable and a good performer so far.
_________________ WNR3500L DD-WRT-18730-Kong Gateway/Firewall/NAS
WRT54G-TM DD-WRT-14929 Mega (heatsink + 250MHz oc)
WHR-G300N DD-WRT-20548(external antennas)
2x E2000 Tomato-Toastman 0501.2 AP (external antennas)
TEW-652BRP Gargoyle 1.5.9 Client Bridge (antenna upgrade + heatsinks + ventilation)
Joined: 18 Feb 2007 Posts: 87 Location: Bern, Switzerland
Posted: Mon Dec 20, 2010 19:21 Post subject:
I've installed the new build on my E3000 (Router and AP) and E2000 (Client Bridge). It has been working fine now for 44 hours. Problems from previous releases are gone, especially the local loopback/port forwarding issue (with the new release I removed the iptables fix) and PPTP server.
_________________ Deployed:
Buffalo WZR-1750 - v3.0-r38580M kongac (02/05/19) - Router
Buffalo WZR-1750 - v3.0-r38580M kongac (02/05/19) - Client Bridge
Buffalo WZR-1750 - v3.0-r38100M kongac (12/27/18) - Router
Linksys WRT320 -> E2000 - v3.0-r33772 K30 mega (11/16/17) - Client Bridge
Sash has been doing a lot of work on OpenVPN and those changes have made it into this firmware.
It has made it possibly a little easier to implement and manage an OpenVPN setup using only the gui.
_________________ D-Link DIR-300
Asus RT-N16
Asus WL-500gPv2
Linksys WRT54GL 1.1
Way too much time.
Joined: 24 Feb 2009 Posts: 2026 Location: Sol System > Earth > USA > Arkansas
Posted: Tue Dec 21, 2010 0:25 Post subject:
lupine wrote:
Sash has been doing a lot of work on OpenVPN and those changes have made it into this firmware.
It has made it possibly a little easier to implement and manage an OpenVPN setup using only the gui.
And you make me wish I had more of a need of OpenVPN. Once upon a time I did, but these days I just use SSH. Meh, maybe I can come up with a scenario to use it.
_________________ E3000 22200M KongVPN K26
WRT600n v1.1 refurb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]
Try Dropbox for syncing files - get 2.5gb online for free by signing up.
Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
Upgraded my RT-N16. I will post performance and reliability results later.
This build has given me the best reliability and performance of any build so far. No wireless dropouts, USB works perfectly, p910nd print server works great. I use Asterisk on my system and with previous builds I saw the RAM continuously being hogged by Asterisk (e.g. day 1 after restart, RAM would be at 15.4 percent idle usage for Asterisk. Two days later I would see Asterisk at 28 percent idle usage.) This has been fully resolved with this build. I see the RAM usage staying the same at 15.4 percent idle. The best build so far for the Asus RT-N16.
Scratch everything I said about build 15940. I just experienced some severe problems. My Asterisk software just randomly stopped communicating with my softphone, I couldn't get into SSH, and couldn't use my print server. I'm not sure what happened, but this build is not reliable at all, especially when I noticed I could browse the web but not use my softphone or SSH. Reverting all the way back to 13527 K26.
...this one is the first that supports the 'recent method' in iptables.
I was also looking to take advantage of this feature. Upgraded from 15508 to 15943 (this was the closest build that was also available for the E3000; only a couple of minor modifications from 15940).
I reconfigured the router, set up Optware again. I don't use Asterisk myself, so I can't comment about that, but all of the features I use seem to be working wonderfully (dual-band wifi, iptables, isolated vlans with internet connectivity).