What's new

iptables - version

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

robbob2112

New Around Here
Hi,

Does anyone know if there are any plans to update the iptables version in asuswrt?

RT-AC66U:/tmp/etc# iptables -V
iptables v1.3.8

Version from typical current linux
> iptables -V
iptables v1.4.12


The reason for the question is there are a lot of additional features in the newer version of iptables to help with DOS and DDOS attacks.

Specifically I run an authoritative DNS server behind the AC66 and it is being use as part of a DNS amplification attack. (spoofed source request for "." zone... 26~28 bytes in length... replies go to the spoofed source and vary from 45~200bytes depending on how the server is configured)... not possible to block it at the DNS server because of the OS it is running and better practice to block things at the edge anyways.

Even with recursion off it still responds with REFUSED which is 45 bytes in length.

The easy way to kill this sort of attack is with iptables either with packet matches on the "." request or with some of the built in rate limiting settings in the 1.4.x versions of iptables. With the 1.3 tables either it isn't possible to block or I haven't been able to figure out a workable syntax.

Thanks

Robert
 
iptables is closely tied to the Kernel version, so it's not realistically doable without Asus also updating the kernel (which I doubt will ever happen for the existing routers).

Keep in mind it's not just the userspace tool that's involved, but all the kernel code related to Netfilter as well. Asus uses iptables 1.4.x for the newer routers that have a newer kernel. The two are closely tied together.
 
Use layer7 netfilter module

The netfilter layer7 module is available. You just need to "insmod xt_layer7" before you can use iptables to write rules which use it. Using the layer7 module you can write a pattern to match the specific dns packet type you are looking to filter.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top