Figure out iptables after thelonelycoder's adblock script is used....

Bamsefar

Senior Member
Hmm...

Still trying to figure out if my AC3200 firewall works, so I did iptables -L, and a lot came out of course (see below). What I am most interested in is of course the INPUT chain. It seems to say:
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW

Is that correct? I get the feeling everything can pass...

Not to mention FORWARD, and then what is "FUPNP"? BamseRIP is a WHS2011 server... Any chance anyone could explain, first and foremost INPUT, but I would love some help on the rest :)

Code:
admin@RT-AC3200-2B50:/# iptables -L
Chain INPUT (policy ACCEPT)
target  prot opt source  destination
DROP  all  --  anywhere  anywhere  match-set BlockedCountries src
DROP  all  --  anywhere  anywhere  match-set TorNodes src
DROP  icmp --  anywhere  anywhere  icmp echo-request
DROP  all  --  anywhere  anywhere  state INVALID
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
ACCEPT  all  --  anywhere  anywhere  state NEW
ACCEPT  all  --  anywhere  anywhere  state NEW
ACCEPT  udp  --  anywhere  anywhere  udp spt:bootps dpt:bootpc
ACCEPT  icmp --  anywhere  anywhere  icmp !echo-request
DROP  all  --  anywhere  anywhere

Chain FORWARD (policy DROP)
target  prot opt source  destination
DROP  ipv6-auth--  anywhere  anywhere
DROP  ipv6-crypt--  anywhere  anywhere
DROP  udp  --  anywhere  anywhere  udp dpt:4500
DROP  udp  --  anywhere  anywhere  udp dpt:500
DROP  udp  --  anywhere  anywhere  udp dpt:1701
DROP  gre  --  anywhere  anywhere
DROP  tcp  --  anywhere  anywhere  tcp dpt:1723
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
DROP  all  --  anywhere  anywhere
DROP  all  --  anywhere  anywhere  state INVALID
ACCEPT  all  --  anywhere  anywhere
ACCEPT  tcp  --  anywhere  anywhere  tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT  tcp  --  anywhere  anywhere  tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
ACCEPT  icmp --  anywhere  anywhere  icmp echo-request limit: avg 1/sec burst 5
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:www
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:domain
ACCEPT  udp  --  anywhere  anywhere  udp dpt:domain
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:https
ACCEPT  udp  --  anywhere  anywhere  udp dpt:ntp
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:943
ACCEPT  udp  --  anywhere  anywhere  udp dpt:1194
DROP  all  --  anywhere  anywhere
ACCEPT  all  --  anywhere  anywhere  ctstate DNAT
ACCEPT  all  --  anywhere  anywhere

Chain OUTPUT (policy ACCEPT)
target  prot opt source  destination

Chain FUPNP (0 references)
target  prot opt source  destination
ACCEPT  udp  --  anywhere  BamseRIP  udp dpt:49882
ACCEPT  tcp  --  anywhere  BamseRIP  tcp dpt:49882
ACCEPT  udp  --  anywhere  BamseRIP  udp dpt:63580
ACCEPT  tcp  --  anywhere  BamseRIP  tcp dpt:63580

Chain PControls (0 references)
target  prot opt source  destination
ACCEPT  all  --  anywhere  anywhere

Chain logaccept (0 references)
target  prot opt source  destination
LOG  all  --  anywhere  anywhere  state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT  all  --  anywhere  anywhere

Chain logdrop (0 references)
target  prot opt source  destination
LOG  all  --  anywhere  anywhere  state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP  all  --  anywhere  anywhere
 

Does the following command make the iptables rules clearer to you?

Code:
iptables -L -nv --line


So the INPUT chain protects the Router, and the FORWARD chain protects devices on your LAN.
FUPNP implies you have allowed UPnP, so your WHS2011 server is allowing connections. (Usually this table may show IP cameras, to the surprise of owners of, say, FOSCAM cameras!)
 
Thanks :-)

Well, I have come a long way in my "training" about iptables. The "only" issue I have now is that the INPUT chain is "Chain INPUT (policy ACCEPT)"; I would prefer "Chain INPUT (policy DROP)". But then I am just a beginner...
 
You should also review the output of

Code:
iptables -nvL -t nat

The default is the filter table; there is also a mangle table, which is used for accounting, QoS and local NAT loopback.
 
I cannot see the point of that command; it does not clarify why the INPUT policy is ACCEPT instead of DROP as it should be:

Code:
Chain PREROUTING (policy ACCEPT 351K packets, 23M bytes)
 pkts bytes target  prot opt in  out  source  destination
 4171  256K VSERVER  all  --  *  *  0.0.0.0/0  x.x.x.x

Chain INPUT (policy ACCEPT 182K packets, 12M bytes)
 pkts bytes target  prot opt in  out  source  destination

Chain OUTPUT (policy ACCEPT 34942 packets, 2745K bytes)
 pkts bytes target  prot opt in  out  source  destination

Chain POSTROUTING (policy ACCEPT 34942 packets, 2745K bytes)
 pkts bytes target  prot opt in  out  source  destination
38551 2361K MASQUERADE  all  --  *  vlan2  !x.x.x.x  0.0.0.0/0
  0  0 MASQUERADE  all  --  *  *  0.0.0.0/0  0.0.0.0/0  mark match 0xb400

Chain DNSFILTER (0 references)
 pkts bytes target  prot opt in  out  source  destination

Chain LOCALSRV (0 references)
 pkts bytes target  prot opt in  out  source  destination

Chain PCREDIRECT (0 references)
 pkts bytes target  prot opt in  out  source  destination

Chain VSERVER (1 references)
 pkts bytes target  prot opt in  out  source  destination
 4171  256K VUPNP  all  --  *  *  0.0.0.0/0  0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target  prot opt in  out  source  destination
 

Well YES, it does to some extent - however I still don't get the answer to WHY it is ACCEPT instead of DROP as it should be. Let's take the INPUT chain only and try to figure out what is what:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target  prot opt in  out  source  destination
1  1510 75089 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set BlockedCountries src
2  0  0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set TorNodes src
3  10  432 DROP  icmp --  vlan2  *  0.0.0.0/0  0.0.0.0/0  icmptype 8
4  832 35685 DROP  all  --  vlan2  *  0.0.0.0/0  0.0.0.0/0  state INVALID
5  231K  63M ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
6  186K  43M ACCEPT  all  --  lo  *  0.0.0.0/0  0.0.0.0/0  state NEW
7  372K  26M ACCEPT  all  --  br0  *  0.0.0.0/0  0.0.0.0/0  state NEW
8  0  0 ACCEPT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp spt:67 dpt:68
9  0  0 ACCEPT  icmp --  *  *  0.0.0.0/0  0.0.0.0/0  icmp !type 8
10  2832  259K DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0

Since we have "INPUT (policy ACCEPT)", everything comes into the chain...

First line is the script that a few different people have created for stopping countries.
Second is stopping TOR.
Third stops icmptype 8 = echo request, or PING in normal words.
Fourth stops incoming traffic that is classified as INVALID - I guess things like misbehaving packets and other odd "things".
Fifth - well, as far as I know now (and I might be wrong) this line actually accepts requests that have an origin from the inside (RELATED, ESTABLISHED - with ESTABLISHED as an "old" connection still working, and RELATED as a "new request from the inside" - and both have in common that there is a client device on the inside of the "firewall" asking for the information).
Sixth and Seventh - well, I have no clue as of now. Since it says "lo" and "br0" I think this is accept for all internal communication on the inside of the firewall - but I am not sure.
Eighth - No idea; Google gives hits on DHCP, but then again?
Ninth - No idea again; icmptype 8 above (line three) is about PING - but this one?
Last line is to drop anything that is left, I guess, since that is not to come through the firewall.

So IF what I wrote above is more or less correct, the last line does the same as "INPUT (policy DROP)" - however there are a few things before that I am not sure why.

When I try to understand firewall rules for iptables, I always come to the thing that everyone recommends "INPUT (policy DROP)" - but I have no way to get the ASUS router to generate that kind of rules for the iptables INPUT chain?

I have tried a few things for the FORWARD chain, since I like to run with a whitelist:
Code:
15  17231  966K ACCEPT  tcp  --  br0  vlan2  0.0.0.0/0  0.0.0.0/0  tcp dpt:80
16  1322 93370 ACCEPT  udp  --  br0  vlan2  0.0.0.0/0  0.0.0.0/0  udp dpt:53
17  26271 1704K ACCEPT  tcp  --  br0  vlan2  0.0.0.0/0  0.0.0.0/0  tcp dpt:443
18  197 14972 ACCEPT  udp  --  br0  vlan2  0.0.0.0/0  0.0.0.0/0  udp dpt:123

The four lines above are, in order: HTTP, DNS, HTTPS and NTP. I don't need more, so why allow anything else? But then what is this?
Code:
3  0  0 DROP  udp  --  br0  vlan2  0.0.0.0/0  0.0.0.0/0  udp dpt:4500
4  0  0 DROP  udp  --  br0  vlan2  0.0.0.0/0  0.0.0.0/0  udp dpt:500
5  0  0 DROP  udp  --  br0  vlan2  0.0.0.0/0  0.0.0.0/0  udp dpt:1701
6  0  0 DROP  47  --  br0  vlan2  0.0.0.0/0  0.0.0.0/0
7  0  0 DROP  tcp  --  br0  vlan2  0.0.0.0/0  0.0.0.0/0  tcp dpt:1723
Yes, it says DROP, so I guess nothing wrong there - but why?

I have turned UPnP off - I thought I had done that before, but now it's off - large thanks!!!
 
You are overthinking this.

There is no practical difference between having the policy of DROP and having the policy of ACCEPT with the last rule dropping everything.

Yes, I agree with you that aesthetically having a policy of DROP would be nicer. But as the rules are generated dynamically depending on a myriad of different possible user settings, I suspect that it is done this way either because it makes coding all the possibilities easier, or just because it's always been done this way.

Either way it's not worth losing sleep over. :)
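To check the point made in this last reply against the rules the OP walked through above, here is an added Python script (not from the thread, and not Asuswrt's own code) that parses the "iptables -nvL --line-numbers" INPUT listing posted above and walks a packet through it in rule order, returning the rule number that decided and falling back to the chain policy only when no rule matched. It assumes the packet's source address is in neither ipset (the two match-set rules are treated as non-matching) and ignores the counters.

```python
import re
# Constructed copy of the INPUT chain the OP posted (iptables -nvL --line-numbers).
INPUT_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target  prot opt in  out  source  destination
1  1510 75089 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set BlockedCountries src
2  0  0 DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set TorNodes src
3  10  432 DROP  icmp --  vlan2  *  0.0.0.0/0  0.0.0.0/0  icmptype 8
4  832 35685 DROP  all  --  vlan2  *  0.0.0.0/0  0.0.0.0/0  state INVALID
5  231K  63M ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
6  186K  43M ACCEPT  all  --  lo  *  0.0.0.0/0  0.0.0.0/0  state NEW
7  372K  26M ACCEPT  all  --  br0  *  0.0.0.0/0  0.0.0.0/0  state NEW
8  0  0 ACCEPT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp spt:67 dpt:68
9  0  0 ACCEPT  icmp --  *  *  0.0.0.0/0  0.0.0.0/0  icmp !type 8
10  2832  259K DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0
"""

def parse_chain(listing):  # -> (policy, [(num, target, proto, in_if, match_text), ...])
    lines = listing.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    fields = [line.split() for line in lines[2:]]
    return policy, [(int(f[0]), f[3], f[4], f[6], " ".join(f[10:])) for f in fields]

def rule_matches(rule, pkt):  # protocol and input interface first, then the extra match text
    _, _, proto, in_if, extra = rule
    if proto not in ("all", pkt["proto"]) or in_if not in ("*", pkt["in"]):
        return False
    if extra.startswith("match-set"):
        return False  # assumption: the packet's source is in neither ipset
    if extra.startswith("state "):
        return pkt["state"] in extra.split()[1].split(",")
    m = re.match(r"icmp(?:type| !type) (\d+)", extra)
    if m:  # "icmptype 8" is echo-request; "icmp !type 8" is every other ICMP type
        return (pkt.get("icmptype") == int(m[1])) != extra.startswith("icmp !")
    m = re.match(r"udp spt:(\d+) dpt:(\d+)", extra)
    if m:
        return (pkt.get("sport"), pkt.get("dport")) == (int(m[1]), int(m[2]))
    return extra == ""  # no extra match text: the rule catches everything left

def verdict(listing, pkt):  # first matching rule decides; policy applies only if none did
    policy, rules = parse_chain(listing)
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[1], rule[0]
    return policy, None

def with_policy(listing, policy):  # same rules, different default policy
    return re.sub(r"\(policy \w+", f"(policy {policy}", listing, count=1)
def without_last_rule(listing):  # the chain with its final catch-all DROP removed
    return "\n".join(listing.strip().splitlines()[:-1])
```

With rule 10 present, a NEW connection arriving on vlan2 is dropped by that rule whichever policy is set; only when the catch-all is removed does the policy decide the outcome.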
 