Advance firewall rules

[michael249478]

Hello

I have sereval subnet on my asus merlin router

Wan 192.168.0.0/24 | 0.0.0.0
Lan 192.168.1.0/24
Iot (Wifi) 192.168.2.0/24
Guest(Wifi) 192.168.3.0/24

The actuel config page "Advanced_Firewall_Content.asp" allow only a whitelist or blacklist and all rules are apply to Lan interface.

I would like to have a configuration interface to permit more custom rules, for examples:

RuleNumber	SRC	SRC_PORT	DEST	DEST_PORT	PROTO	ACTION
1	192.168.1.0/24	*	*	*	*	ACCEPT
2	192.168.2.0/24	*	192.168.1.1/24	8888	TCP	ACCEPT
3	192.168.2.0/24	*	192.168.0.0/16	*	*	DROP
4	192.168.2.0/24	*	*	*	*	ACCEPT
5	192.168.3.0/24		192.168.0.0/16			DROP
6	192.168.3.0/24	*	*	*	*	ACCEPT

I am a newbe to the asp language, but a already make a scripts in php, python...

I was able to make a copy of Advanced_Firewall_Content.asp to user20.asp, and to do some change to this GUI to change the layout and a fields like ACTION, RuleNumber.
But i dont understand how to apply the rules:

I see the rules are store on "filter_lwlist_array" nvram variable
I see the from is submit by "start_apply.htm"

But i don't see in "start_apply.htm", how to write a data to nvram and how to generate iptables rules


I someone can help me

Thanks in advance for the help

 

[ColinTaylor]

None of those Wi-Fi subnets are normal for Merlin's firmware. If you're using an addon script or the experimental 3006 firmware you should post your question in the relevant thread.

 

[ZebMcKayhan]

I'm not sure that is the right way to go, but I like the idea. I would also like the source and destination interfaces as free-text unless selectable from drop down list.
I would assume the webpage somehow gets the info into nvram but this is sparse. I would also assume some firewall.c file to be parsing this and apply to firewall whenever firewall is restarted. Changing the content meaning of the nvram variables may require you to change more places. Possibly recompile the firmware.

Instead, what if let your replacement webpage place your firewall rules in a script file under /jffs/scripts and use the firewall-start hook script to apply your custom rules whenever firewall is restarted. The webpage could restart firewall whenever you have written new rules.
There are many reference to similar work in the addons section. Yazfi for example:
https://github.com/jackyaz/YazFi

 

[bennor]

@michael249478, it would likely help others if you include your router model, firmware version installed and any other add-on scripts you are running (assuming you are running the Asus-Merlin firmware). It is possible suggestions may vary depending on router, firmware and add-on scripts used.

PS: While one may be able to write custom IPTables rules it is also possible those custom rules might not survive router reboot or restart without additional scripting.

And you may want to move your question to the Add-ons subforum since it appears you are asking how to create a add-on script and web page for the existing firmware.

 

[michael249478]

Good morning
Thank you for your feedback and help

I have the firewall axe16000 with the firmware 3004.388.7_0_rog.

To answer the question on the subnet, those I have given are for examples, in reality they are indeed those of the Guest network interfaces.

For the script part, I actually I have initially implemented iptables commands in the file/jffs/scripts/firewall-start.
The target is not to replace the Advanced_Firewall_Content.asp configuration, but add an additional asp page to define Firewall rules, between the different subnets on the Iptable forward part from the webui.

I thought it would be enough to create an ASP file which sends the contents of the IPTable rules to the Start_Apply.htm page, so that the firmware records the IPTable rules, but it would seem that it is not so simple.

Does it possible to execute nvram commands from ASP pages?
If so, maybe store the configuration of the rules in the nvram from the asp page.
And a script reads the content of the nvram and generate the iptables rules during the restart of the firewall part

Thanks in advance

 

[ZebMcKayhan]

I thought it would be enough to create an ASP file which sends the contents of the IPTable rules to the Start_Apply.htm page, so that the firmware records the IPTable rules, but it would seem that it is not so simple

I'm not sure that you can, but even if you can, for the iptables commands to be executed at boot they need to be in firewall-start.
The firmware sometimes wipes all firewall rules and rebuilds them, in these cases these also needs to be re-applied which happens in firewall-start.
The firewall iptables rules are not persistent.
My 10 cents is to have your page create a sh file with the commands, and possibly another for easy storage of web page content. Have firewall-start check existence of this file, and if it exists, execute it to have your rules applied/re-applied.