Firewall Rules

Author Message
Denna
DD-WRT User


Joined: 16 Sep 2016
Posts: 101

Posted: Thu Oct 06, 2016 22:23    Post subject: Firewall Rules
I'm looking for comments on the firewall rules below that were created with Firewall Builder 5.1.

Topology
    Clients connect to the router via Ethernet.

    The router connects to a hotspot for Internet access via a media bridge (WAN to Wifi AC1750).

    Wireless is disabled on the router.


Legend
    dd-wrt is the router.

    192.168.1.0/255.255.255.0 are the Ethernet clients.

    DNSCrypt_Hosts is a group of IP addresses for DNSCrypt hosts.

    NTP_Pool is a group of IP addresses for NTP hosts.

    Proxy_Hosts is a group of Squid hosts.


Questions
    1) On this router, "eth0" is the WAN port, correct?

    2) On Rule 1, is the "lo" Interface the correct choice for localhost access on the router?

    3) For Rules 1 - 12, should the router and Ethernet clients specify "Both" for the Direction field?

    4) For Rule 12, should the Service field be set to "ssh" only, since HTTP/S is already specified for Rule 6?

    5) For those who use Firewall Builder, how do you specify the "lo" IP address or MAC address? The firewall can't be compiled until this is added.

    6) For Rules 10 - 11, are the Direction fields correct?

    7) Should any other rules be added?

    8) Should any of the rules be corrected?

_________________
Asus RT-AC88u running DD-WRT 12-15-2016-r30949
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

Posted: Fri Oct 07, 2016 9:28    Post subject:
1) `get_wanface` with the quotes will always resolve to the wan interface.

Example: IPTABLES -I FORWARD -i `get_wanface` -J DROP
Denna
DD-WRT User


Joined: 16 Sep 2016
Posts: 101

Posted: Sat Oct 08, 2016 11:35    Post subject:
Per Yngve Berg,

Thanks for the reply.

The firewall rules haven't been uploaded yet.

When I ran that in the Commands tab, the following was returned.
    sh: eval: line 1: IPTABLES: not found

_________________
Asus RT-AC88u running DD-WRT 12-15-2016-r30949
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Sat Oct 08, 2016 12:18    Post subject:
IPTABLES -I FORWARD -i `get_wanface` -J DROP

I guess it may be case sensitive; try

iptables -I FORWARD -i `get_wanface` -J DROP

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Denna
DD-WRT User


Joined: 16 Sep 2016
Posts: 101

Posted: Sat Oct 08, 2016 18:39    Post subject:
Alozaros,

It was case sensitive.

However, a new error appears.

_________________
Asus RT-AC88u running DD-WRT 12-15-2016-r30949
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

Posted: Sat Oct 08, 2016 19:17    Post subject:
Lowercase -j
h8red
DD-WRT Guru


Joined: 28 Jun 2011
Posts: 580
Location: Vilnius, Lithuania

Posted: Sat Oct 08, 2016 19:17    Post subject:
Save firewall, not startup
_________________
[Ramips] Nexx WT3020F Openwrt @kernel #4.14.167 (OpenVPN server, Wireguard server, AD blocking, SQM QOS, USB)
Denna
DD-WRT User


Joined: 16 Sep 2016
Posts: 101

Posted: Sun Oct 09, 2016 16:26    Post subject:
Per Yngve Berg,

    In the Administration\Command field and with PuTTY, an error wasn't generated, but neither was a result.

    Was it supposed to return a result?

_________________
Asus RT-AC88u running DD-WRT 12-15-2016-r30949
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

Posted: Sun Oct 09, 2016 21:26    Post subject:
No.

The rule will be present in the list.

iptables -L
Denna
DD-WRT User


Joined: 16 Sep 2016
Posts: 101

Posted: Mon Oct 10, 2016 16:37    Post subject:
Per Yngve Berg,

After running the two commands, below is the output.

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    DROP 0 -- anywhere anywhere
    DROP 0 -- anywhere anywhere
    DROP 0 -- anywhere anywhere
    DROP 0 -- anywhere anywhere
    DROP 0 -- anywhere anywhere
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Chain advgrp_1 (0 references)
    target prot opt source destination
    Chain advgrp_10 (0 references)
    target prot opt source destination
    Chain advgrp_2 (0 references)
    target prot opt source destination
    Chain advgrp_3 (0 references)
    target prot opt source destination
    Chain advgrp_4 (0 references)
    target prot opt source destination
    Chain advgrp_5 (0 references)
    target prot opt source destination
    Chain advgrp_6 (0 references)
    target prot opt source destination
    Chain advgrp_7 (0 references)
    target prot opt source destination
    Chain advgrp_8 (0 references)
    target prot opt source destination
    Chain advgrp_9 (0 references)
    target prot opt source destination
    Chain grp_1 (0 references)
    target prot opt source destination
    Chain grp_10 (0 references)
    target prot opt source destination
    Chain grp_2 (0 references)
    target prot opt source destination
    Chain grp_3 (0 references)
    target prot opt source destination
    Chain grp_4 (0 references)
    target prot opt source destination
    Chain grp_5 (0 references)
    target prot opt source destination
    Chain grp_6 (0 references)
    target prot opt source destination
    Chain grp_7 (0 references)
    target prot opt source destination
    Chain grp_8 (0 references)
    target prot opt source destination
    Chain grp_9 (0 references)
    target prot opt source destination
    Chain lan2wan (0 references)
    target prot opt source destination
    Chain logaccept (0 references)
    target prot opt source destination
    LOG 0 -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
    ACCEPT 0 -- anywhere anywhere
    Chain logbrute (0 references)
    target prot opt source destination
    0 -- anywhere anywhere recent: SET name: BRUTEFORCE side: source
    RETURN 0 -- anywhere anywhere !recent: UPDATE seconds: 60 hit_count: 4 name: BRUTEFORCE side: source
    RETURN 0 -- anywhere anywhere limit: avg 1/min burst 1
    LOG 0 -- anywhere anywhere LOG level warning tcp-options ip-options prefix `[DROP BRUTEFORCE] : '
    DROP 0 -- anywhere anywhere
    Chain logdrop (0 references)
    target prot opt source destination
    LOG 0 -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    LOG 0 -- anywhere anywhere state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    DROP 0 -- anywhere anywhere
    Chain logreject (0 references)
    target prot opt source destination
    LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `WEBDROP '
    REJECT tcp -- anywhere anywhere reject-with tcp-reset
    Chain trigger_out (0 references)
    target prot opt source destination

I don't see anywhere where ports are noted.

_________________
Asus RT-AC88u running DD-WRT 12-15-2016-r30949
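The two technical points in this thread are Per Yngve Berg's tip that `get_wanface` in backticks resolves to the WAN interface, and the `iptables -L` listing above, where the same DROP rule shows up five times and no interface or port is visible. The script below is an added example, not code from the thread or from the DD-WRT project. It assumes DD-WRT's `get_wanface` helper is on PATH when run on the router (the `eth0` fallback is a constructed default so the script also runs elsewhere), spells `iptables` and `-j` in lowercase as the thread worked out, and inserts a rule only when an identical one is not already present, so re-running the saved firewall script does not stack duplicate copies:

```shell
#!/bin/sh
# Added example for the DD-WRT firewall script; not code from the thread.
# Assumes DD-WRT's get_wanface helper on the router; "eth0" is a constructed
# fallback so the script can be exercised off-router, where it only prints.

# Resolve the WAN interface. Command substitution ($(...) or backticks) turns
# the helper's output into the argument iptables sees.
wan_iface() {
    if command -v get_wanface >/dev/null 2>&1; then
        get_wanface
    else
        echo eth0   # constructed fallback, not a real lookup
    fi
}

# The rule from the thread as iptables expects it: the chain first, then the
# match, then a lowercase "-j" target. Emitted as text (one rule per line,
# without the leading "iptables") so it can be inspected before being applied.
build_rules() {
    wan=$(wan_iface)
    printf '%s\n' \
        "FORWARD -i $wan -j DROP"
}

# Count occurrences of a rule fragment in the generated rule set; handy for
# spotting a rule that a script would add more than once.
count_rule() {
    build_rules | grep -c -F -- "$1"
}

# Insert a rule only if it is not already there. "iptables -C" exits 0 when
# an identical rule exists, so a saved firewall script that runs at every
# firewall restart does not accumulate copies like the five DROP lines above.
ensure_rule() {
    if iptables -C "$@" 2>/dev/null; then
        return 0
    fi
    iptables -I "$@"
}

main() {
    if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        # Unquoted $rule is intentional: the line is split into arguments.
        build_rules | while IFS= read -r rule; do
            ensure_rule $rule
        done
        # Plain "iptables -L" hides interfaces; -v adds the in/out columns and
        # -n skips name lookups, which is how to confirm "-i <wan>" took effect.
        iptables -L FORWARD -v -n --line-numbers
    else
        echo "not running as root on a router; rules that would be ensured:"
        build_rules | sed 's/^/iptables -I /'
    fi
}

main
```

Two things the listing in the thread does not show follow from this: no port appears because the rule never specified one (a `-p tcp --dport` match would show up as `tcp dpt:NN`), and the interface match is only visible with `-v`. Pasting the script into the Save Firewall box, as h8red suggested, makes it run whenever the firewall is rebuilt; the `-C` check is what keeps that safe to repeat.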