
ASUS AC68U and iptables ...

Alex Tiedemann

Occasional Visitor
Hi,

I've installed Asuswrt-Merlin 378.55 on my Asus AC68U router and it looks very good, with lots of interesting ways of configuring the router. :-)

I have installed PuTTY as well, to be able to manually add rules with iptables via the SSH interface, and it looks like I managed that part OK, but when I reboot the router all the rules are gone; they are not saved.

I tried saving the changes with "iptables-save" and dumping the data to a file ("iptables-save > /jffs/scripts/iptables"), where I can see a list of all the rules I added.

It seems the rules are added OK; when I use "iptables -L -n --line-numbers" I see all the rules.

They are just not saved.

I know some of those rules can be added via the GUI in "Firewall/Network Services Filter", but that does not give me the possibility to add a rule with a protocol only, without a port.

Is it possible to save rules added with iptables via the SSH interface so they are active when rebooting the router?

--
Kind regards,

Alex T.
 
Hi,

Thank you mstombs, I will have a look at the link about user scripts. :-)

Actually I just dumped the data to /jffs/scripts/iptables because I saw that path mentioned in another post.
Then I moved the iptables file to the hard drive connected to the USB 3 port.

--
Kind regards,

Alex T.
 
Hi,

I have managed to get so far that the script runs when I manually
execute it (sh iptables_kiwi), without any errors.

I used the Windows software TextPad and saved the script file as
UNIX with ANSI code, without any extension, just as "iptables_kiwi".

I also made the file executable:

"
-rwxrwxrwx 1 Jabuka root 10502 Thu Jul 23 17:01:23 2015 iptables_kiwi
"

But it doesn't run when the router is booting.
I don't see the file "/tmp/mnt/BoxDisk/Alex/iptables_kiwi_active" either (see below).

I went to the Administration panel in the router GUI and made sure the
jffs partition is on, and it is; then I set it to be formatted at reboot just to have a clean partition.

Any hints?

It looks like this:

# --- Script Start ---
#!/bin/sh
# NOTE: the "#!/bin/sh" line must be the very first line of the saved file.

touch /tmp/mnt/BoxDisk/Alex/iptables_kiwi_active # Confirm the script ran when the router booted

# To copy:                     cp /tmp/mnt/BoxDisk/Alex/iptables_kiwi /jffs/scripts
# Make the file executable:    chmod +rx /jffs/scripts/iptables_kiwi
# Check that it is executable: ls -l /jffs/scripts/iptables_kiwi
# To run the script manually:  sh iptables_kiwi
# Check changes in iptables:   iptables -L -n --line-numbers
# Dump current iptables:       iptables -L -n --line-numbers > /tmp/mnt/BoxDisk/Alex/iptables_current

# Blocking outgoing traffic from LAN to specific WAN ports.
# Every rule is inserted at position 9 of FORWARD (after the firmware's own rules),
# so each later insert pushes the earlier ones down: the final order in the chain is
# the reverse of the order below. The insert fails if FORWARD has fewer than 8 rules.
# "logdrop" is the firmware's chain that logs the packet and then drops it.
iptables -I FORWARD 9 -d 0.0.0.0/0 -p 47 -j logdrop # GRE, protocol 47 (Microsoft PPTP)
iptables -I FORWARD 9 -d 0.0.0.0/0 -p 50 -j logdrop # ESP, protocol 50 (L2TP/IPsec)
iptables -I FORWARD 9 -d 0.0.0.0/0 -p 51 -j logdrop # AH, protocol 51 (IPsec)
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 22 -j logdrop # SSH SCP
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 22 -j logdrop # SSH SCP
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 23 -j logdrop # Telnet
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 23 -j logdrop # Telnet
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 137 -j logdrop # Microsoft NETBIOS Name Service
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 137 -j logdrop # Microsoft NETBIOS Name Service
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 138 -j logdrop # Microsoft NETBIOS Datagram Service
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 138 -j logdrop # Microsoft NETBIOS Datagram Service
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 139 -j logdrop # Microsoft NETBIOS Session Service
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 139 -j logdrop # Microsoft NETBIOS Session Service
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 140 -j logdrop # EMFIS Data Service
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 140 -j logdrop # EMFIS Data Service
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 141 -j logdrop # EMFIS Control Service
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 141 -j logdrop # EMFIS Control Service
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 145 -j logdrop # UAAC Protocol
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 145 -j logdrop # UAAC Protocol
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 161:162 -j logdrop # SNMP, SNMP TRAP
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 161:162 -j logdrop # SNMP, SNMP TRAP
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 201:209 -j logdrop # AppleTalk
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 201:209 -j logdrop # AppleTalk
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 387 -j logdrop # AppleTalk
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 387 -j logdrop # AppleTalk
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 500 -j logdrop # Microsoft IKE ISAKMP, required for IPsec
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 500 -j logdrop # Microsoft IKE ISAKMP, required for IPsec
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 515 -j logdrop # Printer Spooler
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 515 -j logdrop # Printer Spooler
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 1701 -j logdrop # Microsoft L2TP
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 1701 -j logdrop # Microsoft L2TP
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 1718:1720 -j logdrop # H.323 Calling
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 1718:1720 -j logdrop # H.323 Calling
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 1723 -j logdrop # Microsoft PPTP
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 1723 -j logdrop # Microsoft PPTP
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 1900 -j logdrop # SSDP UPnP
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 1900 -j logdrop # SSDP UPnP
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 3306 -j logdrop # MySQL
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 3306 -j logdrop # MySQL
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 3268:3269 -j logdrop # Microsoft Global Catalog
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 3268:3269 -j logdrop # Microsoft Global Catalog
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 3343 -j logdrop # Microsoft Cluster Net
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 3343 -j logdrop # Microsoft Cluster Net
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 3389 -j logdrop # Microsoft WBT Server
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 3389 -j logdrop # Microsoft WBT Server
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 4500:5500 -j logdrop # Microsoft NAT-T
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 4500:5500 -j logdrop # Microsoft NAT-T
iptables -I FORWARD 9 -d 0.0.0.0/0 -p tcp --dport 6074:6076 -j logdrop # Microsoft MAX DPM WCF
iptables -I FORWARD 9 -d 0.0.0.0/0 -p udp --dport 6074:6076 -j logdrop # Microsoft MAX DPM WCF
# --- Script End ---

--
Kind regards,

Alex T.
 
How are you instructing the router to run your particular script? On its own, it has no idea of the existence of that script. Please read the user script article linked above by someone; it tells you the list of supported scripts.
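The mechanism RMerlin points to, as an added example that is not part of the thread and not Asuswrt-Merlin's own code: the firmware runs /jffs/scripts/firewall-start (one of the hooks listed in the user scripts article) each time the firewall is started or restarted, which is also the answer to the first post's question of how rules survive a reboot. Because the hook runs on every firewall restart, not only at boot, a script written the way Alex's iptables_kiwi is (plain `iptables -I` lines) would add a second copy of every rule each time. The version below keeps the rules in a chain of its own that is flushed and refilled, adds the FORWARD jump only when it is missing, and keeps the protocol-only rules (47, 50, 51) that the Network Services Filter GUI cannot express. It assumes the firmware's logdrop chain exists, that br0 is the LAN bridge, and uses the constructed chain name LAN_EGRESS_BLOCK; the rule list is a constructed subset of the one in the thread.

```shell
#!/bin/sh
# Added example, not Alex's script and not Asuswrt-Merlin code: an idempotent
# /jffs/scripts/firewall-start. The firmware runs this hook (if present and
# executable) every time the firewall is (re)started, so it must be safe to
# run repeatedly. Rules live in our own chain, which is flushed and refilled;
# the jump from FORWARD is added only when it is not already there.
# Assumptions: the firmware's logdrop chain exists, the LAN bridge is br0,
# and the chain name LAN_EGRESS_BLOCK is not used by anything else.

CHAIN=LAN_EGRESS_BLOCK
LAN_IF=br0
IPT=${IPT:-iptables}

# One rule per line: "<proto>" alone gives a protocol-only rule (what the
# Network Services Filter GUI cannot express); "<proto> <port|first:last>"
# gives a port rule. Constructed subset of the list posted in the thread.
RULES='
47
50
51
tcp 22
udp 22
tcp 23
udp 23
tcp 137:139
udp 137:139
tcp 161:162
udp 161:162
tcp 1723
udp 1723
tcp 1900
udp 1900
'

# Turn one RULES line into iptables match arguments.
rule_args() {
  if [ -n "${2:-}" ]; then
    printf '%s' "-p $1 --dport $2"
  else
    printf '%s' "-p $1"
  fi
}

# Print the complete command list, one per line, without touching the
# firewall. Run the script with --dry-run over SSH to review it first.
build_rules() {
  printf '%s\n' "$IPT -N $CHAIN"
  printf '%s\n' "$IPT -F $CHAIN"
  printf '%s\n' "$RULES" | while read -r proto port; do
    [ -n "$proto" ] || continue
    printf '%s\n' "$IPT -A $CHAIN $(rule_args "$proto" "$port") -j logdrop"
  done
  printf '%s\n' "$IPT -I FORWARD 1 -i $LAN_IF -j $CHAIN"
}

# Apply the rules for real. -N fails when the chain already exists (rerun),
# which is fine; -F then empties it so stale rules never accumulate.
apply_rules() {
  $IPT -N "$CHAIN" 2>/dev/null || true
  $IPT -F "$CHAIN"
  printf '%s\n' "$RULES" | while read -r proto port; do
    [ -n "$proto" ] || continue
    # word splitting of the rule_args output is intended here
    $IPT -A "$CHAIN" $(rule_args "$proto" "$port") -j logdrop
  done
  # -L prints the target name in the first column, so this check also works
  # on older iptables builds that have no -C option
  $IPT -L FORWARD -n | grep -q "^$CHAIN " ||
    $IPT -I FORWARD 1 -i "$LAN_IF" -j "$CHAIN"
}

if [ "${1:-}" = "--dry-run" ]; then
  build_rules
elif [ "${0##*/}" = "firewall-start" ]; then
  apply_rules   # when the firmware calls the hook, $1 is the WAN interface
fi
```

Save it as /jffs/scripts/firewall-start with UNIX line endings, make it executable with chmod a+rx, and review what it will do with `sh /jffs/scripts/firewall-start --dry-run`. After a reboot, `iptables -L LAN_EGRESS_BLOCK -n` should list the rules and `iptables -L FORWARD -n --line-numbers` should show exactly one jump to the chain, however many times the firewall has been restarted since. Matching on the LAN interface instead of `-d 0.0.0.0/0` limits the block to traffic that originates on the LAN, which is what the thread's comment "Blocking outgoing traffic from LAN" describes.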
 
Hi RMerlin,

Ahaa, that I didn't do; I thought it was enough to just put the script file in that folder. ;-)

Will dig into the user script article again.

Thanks. :-)

--
Kind regards,

Alex T.
 
