iptables startup script filtering trouble

ALix
DD-WRT Novice


Joined: 08 Apr 2012
Posts: 3

PostPosted: Sun Apr 08, 2012 7:40    Post subject: iptables startup script filtering trouble
Hi!
I have an ASUS RT-N16 with dd-wrt.v24-14929_NEWD-2_K2.6_mini_RT-N16.trx
and I'm facing a strange issue with the iptables filter by the
Code:
-d domenname.com
parameter placed in the startup script.
OK, I need to grant one of my LANs (br1) access to only one domain name (dd-wrt.com in the example). Here is my short (working) example firewall startup script:
Code:

#!/bin/sh
IPTABLES="/usr/sbin/iptables"
INET_IP="`nvram get wan_ipaddr`"
INET_IFACE="vlan2"
INET_BROADCAST="211.138.78.67"
RTM_IP="192.168.1.1"
RTM_IP_RANGE="192.168.1.0/24"
RTM_IFACE="br0"
SAB_IP="192.168.2.1"
SAB_IP_RANGE="192.168.2.0/24"
SAB_IFACE="br1"
LO_IP="127.0.0.1"
LO_IFACE="lo"

#
#RESET OLD RULES
#

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

#DEFAULT POLICY

$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#FORWARD POLICY

$IPTABLES -A FORWARD -i $RTM_IFACE -j ACCEPT

#RESTRICT ACCESS TO ONLY ONE DOMEN

$IPTABLES -A FORWARD -p tcp -i $SAB_IFACE -d dd-wrt.com --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#ICMP CHAIN (must exist before the FORWARD rules below jump to it)
$IPTABLES -N icmp_packets
$IPTABLES -A icmp_packets -p ICMP --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT

#ICMP FROM INSIDE
$IPTABLES -A FORWARD -p ICMP -i $RTM_IFACE -j icmp_packets
$IPTABLES -A FORWARD -p ICMP -i $SAB_IFACE -j icmp_packets

# NAT
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

After the router reboots, everything works fine.
But when I try to apply my final working version of the firewall script, this line doesn't work
$IPTABLES -A FORWARD -p tcp -i $SAB_IFACE -d dd-wrt.com --dport 80 -j ACCEPT
and the rule doesn't appear in the iptables -vnL list.
Here's the final firewall version:
Code:

#!/bin/sh
IPTABLES="/usr/sbin/iptables"
INET_IP="`nvram get wan_ipaddr`"
INET_IFACE="vlan2"
INET_BROADCAST="213.138.78.67"
RTM_IP="192.168.1.1"
RTM_IP_RANGE="192.168.1.0/24"
RTM_IFACE="br0"
SAB_IP="192.168.2.1"
SAB_IP_RANGE="192.168.2.0/24"
SAB_IFACE="br1"
LO_IP="127.0.0.1"
LO_IFACE="lo"

#
#RESET OLD RULES
#

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

#
#DEFAULT POLICY
#

$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

#
# Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets


#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets


#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3389 -j allowed

#
# UDP ports
#

$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT


#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
--destination-port 67:68 -j DROP


#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT



#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $RTM_IFACE -s $RTM_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $SAB_IFACE -s $SAB_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $RTM_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $SAB_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $RTM_IFACE --dport 67 --sport 68 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $SAB_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
#$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# Accept the packets we actually want to forward
#

#
# TransMarket ACCEPT RULES
#
$IPTABLES -A FORWARD -p tcp --dport 21 -i $RTM_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $RTM_IFACE -j ACCEPT

#
# SABMILLER RESTRICTION
#
$IPTABLES -A FORWARD -p tcp -i $SAB_IFACE -d dd-wrt.com --dport 80 -j ACCEPT

# ALL for ALL
#$IPTABLES -A FORWARD -i $RTM_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -i $SAB_IFACE -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 192.168.1.145 --dport 3389 -j ACCEPT -s 99.99.99.99


#ICMP FROM INSIDE
$IPTABLES -A FORWARD -p ICMP -i $RTM_IFACE -j icmp_packets
$IPTABLES -A FORWARD -p ICMP -i $SAB_IFACE -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "


#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets


#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $RTM_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $SAB_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT


#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "


#
# NAT
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP


#
# PORT REDIRECT
#

$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 33889 -j DNAT --to-destination 192.168.1.145:3389

Can somebody tell me what I'm doing wrong?
Thank you!
ALix
DD-WRT Novice


Joined: 08 Apr 2012
Posts: 3

PostPosted: Sun Apr 08, 2012 7:51    Post subject:
Or maybe I should use something else instead of iptables to complete this task?
ALix
DD-WRT Novice


Joined: 08 Apr 2012
Posts: 3

PostPosted: Sun Apr 08, 2012 8:10    Post subject:
Looks like it's a DNS-related issue, because when I put in the IP address of my domain, everything works fine.
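Added example (not from ALix's posts or from DD-WRT): iptables resolves a hostname in `-d` once, at the moment the rule is inserted, so if the resolver is not reachable yet at boot (or the OUTPUT policy is already DROP), the command fails and the rule is silently missing. The sketch below resolves explicitly with retries, emits one rule per address, and checks that the rule landed; the resolver and the `iptables -S` output are constructed stubs so it runs offline, and `IPT`, `resolve_v4`, `rules_for_host`, `resolve_with_retry` and `rule_present` are assumed names.

```shell
#!/bin/sh
# Added example, not from the original thread. POSIX sh.
IPT="${IPT:-/usr/sbin/iptables}"
SAB_IFACE="br1"

# Resolve a name to IPv4 addresses. On the router this would wrap the
# resolver (e.g. nslookup); here it is a constructed stub (RFC 5737 range).
resolve_v4() {
  case "$1" in
    dd-wrt.com) printf '%s\n' "198.51.100.10" "198.51.100.11" ;;
    *) return 1 ;;
  esac
}

# Retry resolution $2 times with $3 seconds between attempts; at boot the
# resolver is often not ready when the startup script runs.
resolve_with_retry() {
  n="$2"
  while [ "$n" -gt 0 ]; do
    resolve_v4 "$1" && return 0
    n=$((n - 1)); sleep "${3:-0}"
  done
  return 1
}

# Emit one ACCEPT rule per resolved address, so the rule text never depends
# on DNS working at the instant iptables parses it. Note: the rule is pinned
# to today's addresses; it must be regenerated when the name's records change.
rules_for_host() {  # $1 = hostname, $2 = tcp port
  addrs=$(resolve_with_retry "$1" 3 0) || return 1
  for a in $addrs; do
    printf '%s -A FORWARD -p tcp -i %s -d %s --dport %s -j ACCEPT\n' \
      "$IPT" "$SAB_IFACE" "$a" "$2"
  done
}

# Check `iptables -S FORWARD` output ($1) for an ACCEPT rule to address $2;
# run this after the script to catch a rule that silently failed to insert.
rule_present() {
  printf '%s\n' "$1" | grep -q -- "-d $2/32 .*-j ACCEPT"
}

# Constructed sample of `iptables -S FORWARD` after a successful insert.
SAMPLE_S='-P FORWARD DROP
-A FORWARD -d 198.51.100.10/32 -i br1 -p tcp -m tcp --dport 80 -j ACCEPT'
```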