
iptable rules are being overwritten with every reboot. help!


zidler

Occasional Visitor

Ok. Here we go.


Code:
>ls /jffs/scripts/
drwxr-xr-x    2 root     root           0 Feb  3 14:05 ./
drwxr-xr-x    7 root     root           0 Feb  4 11:48 ../
-rwxrwxrwx    1 root     root          37 Feb  4 10:19 firewall-start*
-rwxrwxrwx    1 root     root          47 Feb  3 14:33 nat-start*
-rwxrwxrwx    1 root     root         965 Feb  3 15:00 post-mount*
-rwxrwxrwx    1 root     root         836 Feb  3 13:29 pre-mount*
-rwxrwxrwx    1 root     root         294 Feb  3 17:16 services-start*
-rwxrwxrwx    1 root     root          60 Feb  3 13:22 services-stop*
-rwxrwxrwx    1 root     root        1.6K Feb  3 13:46 tmail.sh*
-rwxrwxrwx    1 root     root         457 Feb  3 13:40 unmount*

Code:
> cat /jffs/scripts/firewall-start
source /opt/etc/ssh/.bash/firewall.sh

Code:
> cat /opt/etc/ssh/.bash/firewall.sh
#!/bin/sh
if [ ! -z "$BASH_SOURCE" ]; then printf 'Loaded: %s\n' "$BASH_SOURCE"; fi
#http://vasilisc.com/21-examples-iptables
#chmod a+rx /jffs/scripts/firewall-start
# My system IP/set ip address of server
SERVER_IP="X.X.X.X"

# Flushing all rules
iptables -F
iptables -X
iptables -Z

# Setting default filter policy
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
iptables -N logaccept
iptables -N logdrop
iptables -N FUPNP
iptables -N SECURITY



# Allow unlimited traffic on loopback
iptables -A INPUT    -i lo -j ACCEPT
iptables -A OUTPUT    -o lo -j ACCEPT
iptables -A INPUT    -i br0 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -o br0 -j ACCEPT

# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#What is it?
iptables -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i tap21 -j ACCEPT
iptables -A FORWARD -i tap21 -j ACCEPT
iptables -A FUPNP -d 192.168.1.128/32 -p udp -m udp --dport 58474 -j ACCEPT
iptables -A FUPNP -d 192.168.1.128/32 -p tcp -m tcp --dport 58474 -j ACCEPT
iptables -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A logaccept -j ACCEPT
iptables -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A logdrop -j DROP
iptables -A FORWARD -i eth0 -j SECURITY
iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

#VPN
iptables -A INPUT -p tcp -i eth0 --dport 1194 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1194 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1194 -j ACCEPT

#Transmission
iptables -I INPUT -p tcp --destination-port 51413 -j ACCEPT
iptables -I INPUT -p udp --destination-port 51413 -j ACCEPT

# Allow incoming SSH
# iptables -A INPUT -p tcp -m tcp --dport 65535 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --dport 65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 65535 -m state --state ESTABLISHED -j ACCEPT

#FTP
iptables -A INPUT -p tcp -i eth0 --dport 21 -j DROP
# iptables -A OUTPUT -p tcp --sport 21 -j DROP
# Block FTP connections @ port 21
iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j DROP
# iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j DROP

# Block Passive FTP Connections
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable HTTP and HTTPS
# iptables -A INPUT  -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT  -p tcp -m multiport --sport  80,8080,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -j ACCEPT

# #Enable DNS
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT  -p udp -m udp --dport 53 -j ACCEPT

# iptables -n -L -v --line-numbers
# iptables -L INPUT -n -v --line-numbers
# Where:
# -L : list the rules.
# -v : verbose output; shows the interface name, options and TOS masks, and uses the 'K', 'M' or 'G' suffixes.
# -n : show IP addresses and ports numerically (no DNS lookups, which makes the listing faster).
# # Block FIN scans
# iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
# # Block Xmas scans (--tcp-flags takes a mask and then the flags that must be set)
# iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# # Block NULL scans
# iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# iptables -I INPUT -p tcp -m osf --genre NMAP -j DROP
# iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 5/min -j LOG --log-prefix "Stealth scan"
# iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 5/min -j DROP
# # Check for knocks on closed ports (10 per hour)
# iptables -A INPUT -m recent --rcheck --seconds 3600 --hitcount 10 --rttl -j RETURN
# # Second check for knocks on closed ports (2 per minute)
# iptables -A INPUT -m recent --rcheck --seconds 60 --hitcount 2 --rttl -j RETURN
# # Record the addresses that knocked in the list
# iptables -A INPUT -m recent --set
# ICMP message types
# 0 - echo reply (ping reply)
# 3 - destination unreachable
# 4 - source quench (ask the sender to send more slowly)
# 5 - redirect
# 8 - echo request (ping)
# 9 - router advertisement
# 10 - router solicitation
# 11 - time-to-live exceeded
# 12 - IP header bad
# 13 - timestamp request
# 14 - timestamp reply
# 15 - information request
# 16 - information reply
# 17 - address mask request
# 18 - address mask reply
# Usually ICMP types 0, 3, 4, 11 and 12 are allowed out, while only 3, 8 and 12 are accepted in.
# The icmp match takes a single --icmp-type per rule, so use one rule per type:
# iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT    (repeat for types 8 and 12)
# iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT   (repeat for types 3, 4, 11 and 12)
# # Disable PING
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
echo "Done!"



When I restart the router all I see is this:
Code:
> iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N logaccept
-N logdrop
-A INPUT -i tap21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tap21 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP

As you see, the rules are partly there, but the rest is gone. What should I do?
 
What, if anything, did you do just prior to this happening?
Did you make any amendments to iptables in any way? (I presume you have been doing something with iptables for your troubleshooting to have already identified the problem.)
Did you flash a new firmware (if so, from what to what)?
 
What, if anything, did you do just prior to this happening?
Did you make any amendments to iptables in any way? (I presume you have been doing something with iptables for your troubleshooting to have already identified the problem.)
Did you flash a new firmware (if so, from what to what)?
I have an ASUS AC5300 and ver. 380.63_2 of Merlin FW. Didn't do anything else. Firewalls are disabled in the Admin console.
 
:eek:o_O:confused:
I think we may have found your problem. What event do you think triggers the /jffs/scripts/firewall-start script?
 
:eek:o_O:confused:
I think we may have found your problem. What event do you think triggers the /jffs/scripts/firewall-start script?
I am a newbie in this, so I think I add my rules for the already running firewall.
 
I am a newbie in this, so I think I add my rules for the already running firewall.

It illustrates what can happen, though, when messing around with iptables: you had no network firewall. For that reason I steer well clear of messing about in that area. Anyway, have you got it sorted?
 
I am a newbie in this, so I think I add my rules for the already running firewall.
No problem.... everyone has to start somewhere.... I'm relatively new at this too and it's easy to get quickly out of your depth. What I know could be written on the back of a postage stamp, and what I don't could fill a library. But I think you should arm yourself with at least the basic understanding of whatever aspect of the router you are playing with. As @martinr pointed out, you had no firewall and that could put you in a world of problems. The firewall protects you from some nasties out there that would make your hair stand on end.
 
No problem.... everyone has to start somewhere.... I'm relatively new at this too and it's easy to get quickly out of your depth. What I know could be written on the back of a postage stamp, and what I don't could fill a library. But I think you should arm yourself with at least the basic understanding of whatever aspect of the router you are playing with. As @martinr pointed out, you had no firewall and that could put you in a world of problems. The firewall protects you from some nasties out there that would make your hair stand on end.
Ok, where should I add my custom rules?
I wanted to disable the firewall to learn how to add my own rules and make the router tougher to crack.
 
The router's default firewall is pretty good (in fact the default behaviour of the FORWARD chain is to drop every packet trying to pass through unless you tell it otherwise... what's tougher than that?)....... usually routers are "cracked" by attacking the services running on the router that have made a hole in the firewall to communicate with the outside world. Why reinvent the wheel?... start with the router's default firewall and add your own rules by inserting or appending them with iptables commands. You will need to re-apply your rules when you reboot your router, and a shell script called by the firewall-start event is the usual place to start. In fact the script you pasted at the start of this thread is an example of that.. do you know what it does? If you really want to learn, there are plenty of tutorials on the web, and people here in the forum will assist. You won't learn much by blindly copy/pasting some script you found which you don't understand. What if the script was malicious?
 
..... , there are plenty of tutorials on the web, ...

Any you'd recommend? ColinTaylor linked one here, which I'm making my way through:

https://www.snbforums.com/threads/default-mangle-table.37061/#post-303668

I find that the difficulty is not so much getting to grips with iptables as the great amount of foundational networking knowledge that must first be mastered, otherwise writing iptables rules becomes a monkey-see-monkey-do exercise with great potential for unintended consequences. Just when you think you're almost at the summit, you realise there's another hill to be climbed!
 
Any you'd recommend? ColinTaylor linked one here, which I'm making my way through:

https://www.snbforums.com/threads/default-mangle-table.37061/#post-303668

I find that the difficulty is not so much getting to grips with iptables as the great amount of foundational networking knowledge that must first be mastered, otherwise writing iptables rules becomes a monkey-see-monkey-do exercise with great potential for unintended consequences. Just when you think you're almost at the summit, you realise there's another hill to be climbed!
This I found very informative, but a bit overkill if you just want to get started...
http://www.iptables.info/en/index.html
 
I do exactly what is said in that post.

Code:
> cat /jffs/scripts/firewall-start
source /opt/etc/ssh/.bash/firewall.sh

But nothing is changed. =(

Code:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FUPNP
-N NSFW
-N PControls
-N SECURITY
-N logaccept
-N logdrop
-A INPUT -i tap21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 65535 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tap21 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i eth0 -j SECURITY
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FUPNP -d 192.168.1.128/32 -p tcp -m tcp --dport 21011 -j ACCEPT
-A FUPNP -d 192.168.1.128/32 -p udp -m udp --dport 21011 -j ACCEPT
-A FUPNP -d 192.168.1.201/32 -p udp -m udp --dport 57594 -j ACCEPT
-A FUPNP -d 192.168.1.201/32 -p tcp -m tcp --dport 57594 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP


but:
Code:
> source /opt/etc/ssh/.bash/firewall.sh
> iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N FUPNP
-N SECURITY
-N logaccept
-N logdrop
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i tap21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -d 46.188.44.38/32 -p tcp -m tcp --dport 65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j DROP
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j DROP
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --sports 80,8080,443 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -j DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tap21 -j ACCEPT
-A FORWARD -i eth0 -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT
-A OUTPUT -s 46.188.44.38/32 -p tcp -m tcp --sport 65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,8080,433 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j DROP
-A FUPNP -d 192.168.1.128/32 -p udp -m udp --dport 58474 -j ACCEPT
-A FUPNP -d 192.168.1.128/32 -p tcp -m tcp --dport 58474 -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
Works perfectly. What am I doing wrong?

P.S.
Enabling or disabling the firewall doesn't affect anything.
 
The router runs the firewall script many times during start-up, I wonder if the first one comes unstuck because /opt on a USB is not available until mounted. The intent of using jffs for scripts is that jffs will always be there.
 
The router runs the firewall script many times during start-up, I wonder if the first one comes unstuck because /opt on a USB is not available until mounted. The intent of using jffs for scripts is that jffs will always be there.
Exactly!
I got the same feeling, as if /opt/etc/ssh/.bash/firewall.sh is not available at the moment when
/jffs/scripts/firewall-start is launched. Any suggestions?
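The two points made in this thread, adding to the router's own firewall from a firewall-start script rather than flushing it, and not depending on /opt being mounted when that script first runs, can be combined in one script. The following is an added example written for this thread; it is not the poster's script and not part of Asuswrt-Merlin. It assumes the WAN interface name arrives as $1 (Merlin passes it to firewall-start; eth0 is the fallback, matching the thread's output), that anything which really needs the USB /opt lives in a hypothetical optional file /opt/etc/ssh/.bash/firewall-extra.sh, and an assumed 20-second wait for that file. The ports (1194 for OpenVPN, 51413 for Transmission, 21 for FTP) are the ones from the thread's script. Rules are inserted only after `iptables -C` reports them absent, so the repeated firewall-start runs at boot do not stack duplicates.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  (added example for this thread, not the poster's script)
# Lives on /jffs so it is present at boot; it adds to the stock firewall instead of flushing it.
WAN_IF="${1:-eth0}"                                   # Merlin passes the WAN interface as $1
IPTABLES="${IPTABLES:-iptables}"
EXTRA_RULES="/opt/etc/ssh/.bash/firewall-extra.sh"   # hypothetical optional add-on on the USB /opt
OPT_WAIT=20                                           # assumed: seconds to wait for /opt

# wait_for_path PATH SECONDS: return 0 as soon as PATH exists, 1 after the timeout.
wait_for_path() {
    _path="$1"; _left="$2"
    while [ "$_left" -gt 0 ]; do
        [ -e "$_path" ] && return 0
        sleep 1
        _left=$((_left - 1))
    done
    [ -e "$_path" ]
}

# ensure_rule CHAIN RULE...: insert RULE at the top of CHAIN only if it is not
# already there, so the many firewall-start runs at boot do not stack duplicates.
ensure_rule() {
    _chain="$1"; shift
    if "$IPTABLES" -C "$_chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -I "$_chain" "$@"
}

# apply_rules: the thread's own services, added on top of the stock firewall.
apply_rules() {
    # OpenVPN server on 1194 (udp and tcp) from the WAN
    ensure_rule INPUT -i "$WAN_IF" -p udp --dport 1194 -j ACCEPT
    ensure_rule INPUT -i "$WAN_IF" -p tcp --dport 1194 -j ACCEPT
    # Transmission peer port
    ensure_rule INPUT -i "$WAN_IF" -p tcp --dport 51413 -j ACCEPT
    ensure_rule INPUT -i "$WAN_IF" -p udp --dport 51413 -j ACCEPT
    # Refuse unsolicited FTP control connections from the WAN
    ensure_rule INPUT -i "$WAN_IF" -p tcp --dport 21 -j DROP
}

main() {
    apply_rules
    # Anything that really needs /opt is optional: wait briefly, then skip with a log line.
    if wait_for_path "$EXTRA_RULES" "$OPT_WAIT"; then
        logger -t firewall-start "sourcing $EXTRA_RULES"
        . "$EXTRA_RULES"
    else
        logger -t firewall-start "$EXTRA_RULES not available yet, skipped"
    fi
}

# Only apply when run as the firewall-start hook, so the functions can also be sourced.
case "${0##*/}" in firewall-start) main ;; esac
```

Install it as /jffs/scripts/firewall-start and make it executable (the thread's own script carries the `chmod a+rx /jffs/scripts/firewall-start` reminder); after a reboot, `iptables -S INPUT` should show each rule exactly once, and `logger` entries in the system log tell you whether the /opt part was reached or skipped on the early runs.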
 
