Bib, DD-WRT Guru
Joined: 07 Jul 2008   Posts: 629   Location: France
Posted: Sun Apr 12, 2015 15:31   Post subject: Knowing better dd-wrt (Firewall)
Hi
I brought my daughter a good old Linksys WRT54GL 1.1 running dd-wrt 14896, which works very well as a Wireless Access Point, to replace the crappy wifi in the ISP DSL box. As the DHCP server in the box is spartan too, I disabled it there and enabled it in dd-wrt:
The DSL box only keeps the NAT and the port forwards.
I need ssh access to the .1 Linux machine, but as I can't select allowed source IPs for the port forwards in the DSL box, I made a home-made set of iptables rules in the dd-wrt:
Code:
iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 1 packets, 244 bytes)
num pkts bytes target prot opt in out source destination
1 1545K 221M ACCEPT 0 -- * * 0.0.0.0/0 192.168.1.253 state RELATED,ESTABLISHED
2 67 22066 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 state NEW
3 186K 11M ACCEPT tcp -- * * My.Own.IP.addr 192.168.1.253 multiport dports 22,443 tcp flags:0x17/0x02 state NEW
4 0 0 ACCEPT tcp -- * * 192.168.1.0/24 192.168.1.253 multiport dports 22,80,443 tcp flags:0x17/0x02 state NEW
5 2 118 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
6 3 252 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW
7 55 5822 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 8 packets, 480 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1669K packets, 293M bytes)
num pkts bytes target prot opt in out source destination
...
Chain logdrop (1 references)
num pkts bytes target prot opt in out source destination
1 55 5822 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
As you see above, I set the FORWARD chain to -P DROP, assuming that all 5 ports behind the Linksys are now a switch. The dropped packets in the FORWARD chain appear when I try to ssh to machine ".1" from my own home (i.e. from the WAN), and in fact I'm locked out until I run iptables -P FORWARD ACCEPT in the WAP. All my other settings are the recommended ones (router mode, routing disabled, WAN disabled...). I set iptables -P FORWARD DROP because I saw many unreplied DNS, HTTP & HTTPS query entries in conntrack (which are the protocols I allowed for WAP access) from wireless devices to the WAN, and so I thought this would spoil/flood the DSL router with a sort of DUP packets: the first ones direct through the switch, plus for each a twin brother resent from the Linksys.
I contributed to the WAP wiki a bit, and also the whole WAP firewall section, but now I feel I should never again dare to advise anyone on anything, as if years of learning were zeroed.
Thanks for reading, and for any track that points out my mistake/confusion.
PS: some conf from the Linksys:
Code:
brctl show
bridge name bridge id STP enabled interfaces
br0 8000.00226bxxxxxX no vlan0
eth1
vlan1
ifconfig
br0 Link encap:Ethernet HWaddr 00:22:6B:xx:xx:xX
inet addr:192.168.1.253 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2623527 errors:0 dropped:0 overruns:0 frame:0
TX packets:1792610 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:833118155 (794.5 MiB) TX bytes:339659045 (323.9 MiB)
br0:0 Link encap:Ethernet HWaddr 00:22:6B:xx:xx:xX
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
eth0 Link encap:Ethernet HWaddr 00:22:6B:xx:xx:xX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2602872 errors:0 dropped:0 overruns:0 frame:0
TX packets:2381612 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1056632894 (1007.6 MiB) TX bytes:497727779 (474.6 MiB)
Interrupt:4
eth1 Link encap:Ethernet HWaddr 00:22:6B:xx:xx:xZ
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:406469 errors:0 dropped:0 overruns:0 frame:1348795
TX packets:592310 errors:293 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:40800799 (38.9 MiB) TX bytes:729971700 (696.1 MiB)
Interrupt:2 Base address:0x5000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:8731 errors:0 dropped:0 overruns:0 frame:0
TX packets:8731 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:976532 (953.6 KiB) TX bytes:976532 (953.6 KiB)
vlan0 Link encap:Ethernet HWaddr 00:22:6B:xx:xx:xX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13061 errors:0 dropped:0 overruns:0 frame:0
TX packets:33251 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1239867 (1.1 MiB) TX bytes:19460036 (18.5 MiB)
vlan1 Link encap:Ethernet HWaddr 00:22:6B:xx:xx:xX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2589819 errors:0 dropped:0 overruns:0 frame:0
TX packets:2348368 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1008542469 (961.8 MiB) TX bytes:467520102 (445.8 MiB)
Attachment: Tweaked the genuine picture from the wiki
_________________
): FoReVeR nEwB
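An added example (not Bib's code and not part of DD-WRT): a busybox-compatible POSIX shell script that audits an `iptables -nvL --line-numbers` listing for the three things worth checking first when a bridged access point starts dropping traffic: built-in chains whose DROP policy is silently consuming packets (the FORWARD counter above is exactly that), chains with a DROP policy but zero rules, and INPUT rules that accept management ports from any source. It also reads the real Linux knob `/proc/sys/net/bridge/bridge-nf-call-iptables`: when that is 1, frames bridged between the ports of br0 (vlan0, vlan1, eth1) are handed to the iptables FORWARD chain even though they are never routed, which is the one case where a FORWARD DROP policy on a pure switch/WAP discards LAN-to-WLAN and LAN-to-LAN traffic. Whether that path exists on a given dd-wrt kernel is an assumption the script handles by reporting "unknown". SAMPLE is constructed from the listing in the post, with the RFC 5737 documentation address 203.0.113.10 standing in for "My.Own.IP.addr"; WIDE_SAMPLE is a constructed counter-example with a port opened to the world.

```shell
#!/bin/sh
# Added example: audit an `iptables -nvL --line-numbers` listing.
# Pure POSIX sh + awk so it also runs under busybox on the router; on a live
# box pipe the real listing in, e.g.  iptables -nvL --line-numbers | policy_drops

# Constructed sample modelled on the post's listing (203.0.113.10 = "My.Own.IP.addr").
SAMPLE='Chain INPUT (policy ACCEPT 1 packets, 244 bytes)
num pkts bytes target prot opt in out source destination
1 1545K 221M ACCEPT 0 -- * * 0.0.0.0/0 192.168.1.253 state RELATED,ESTABLISHED
2 67 22066 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 state NEW
3 186K 11M ACCEPT tcp -- * * 203.0.113.10 192.168.1.253 multiport dports 22,443 tcp flags:0x17/0x02 state NEW
4 0 0 ACCEPT tcp -- * * 192.168.1.0/24 192.168.1.253 multiport dports 22,80,443 tcp flags:0x17/0x02 state NEW
5 2 118 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
6 3 252 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW
7 55 5822 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 8 packets, 480 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1669K packets, 293M bytes)
num pkts bytes target prot opt in out source destination
Chain logdrop (1 references)
num pkts bytes target prot opt in out source destination
1 55 5822 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0'

# Constructed counter-example: ssh accepted from any source.
WIDE_SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 0 0 ACCEPT tcp -- * * 192.168.1.0/24 0.0.0.0/0 multiport dports 80,443'

# policy_drops: print "CHAIN PACKETS" for each built-in chain whose default
# policy is DROP and whose policy counter is non-zero: packets that matched
# no rule and were discarded without any log entry.
policy_drops() {
  awk '$1 == "Chain" && $4 == "DROP" && $5 + 0 > 0 { print $2, $5 }'
}

# rule_count CHAIN: number of rules listed under CHAIN (header line excluded).
# A DROP policy on a chain with zero rules accepts nothing that traverses it.
rule_count() {
  awk -v want="$1" '
    $1 == "Chain"           { in_chain = ($2 == want); next }
    in_chain && $1 == "num" { next }
    in_chain && NF > 0      { n++ }
    END                     { print n + 0 }'
}

# wide_mgmt_rules: rule numbers of INPUT rules that ACCEPT TCP to port 22, 80
# or 443 from any source (0.0.0.0/0). Field 9 is the source column of -nvL.
wide_mgmt_rules() {
  awk '
    $1 == "Chain" { in_input = ($2 == "INPUT"); next }
    in_input && $4 == "ACCEPT" && $5 == "tcp" && $9 == "0.0.0.0/0" {
      for (i = 11; i <= NF; i++) {
        ports = ""
        if ($i ~ /^dpts?:/)        { ports = $i; sub(/^dpts?:/, "", ports) }
        else if ($i ~ /^dports?$/) { ports = $(i + 1) }
        if (ports == "") continue
        n = split(ports, p, ",")
        for (j = 1; j <= n; j++)
          if (p[j] == "22" || p[j] == "80" || p[j] == "443") { print $1; next }
      }
    }'
}

# bridge_nf_state: 1 if this kernel hands bridged IPv4 frames to iptables (so
# frames crossing br0 traverse FORWARD), 0 if not, "unknown" if the knob is
# absent on this build (assumption: path may not exist on every dd-wrt kernel).
bridge_nf_state() {
  f=/proc/sys/net/bridge/bridge-nf-call-iptables
  if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

report() {
  listing=$1
  echo "Silent policy drops (chain packets):"; printf '%s\n' "$listing" | policy_drops
  printf 'FORWARD rules: %s\n' "$(printf '%s\n' "$listing" | rule_count FORWARD)"
  echo "INPUT rules open to the world on 22/80/443:"; printf '%s\n' "$listing" | wide_mgmt_rules
  printf 'bridge-nf-call-iptables: %s\n' "$(bridge_nf_state)"
}

report "$SAMPLE"
```

On the listing in the post the report shows FORWARD discarding 8 packets with no rules to accept anything, and no world-open management rule; run against WIDE_SAMPLE it flags rule 1. If the bridge-nf knob reads 1, the bridged frames that the switch would otherwise forward in hardware are the ones being counted under the FORWARD policy, which matches the lockout described.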