Restrict port forwarding


utamav

Regular Contributor
I am coming from a Cisco E1200 running DD-WRT to Asus TM-AC1900 running FW for RT-68U.

In DD-WRT there was a way to allow access to ports only from certain IP. Is there a way to duplicate the functionality in Asus?

You will have to use a custom firmware, and manually create the iptables rules through a script.
 
I was checking some of the guides that you have provided on GitHub, and there you talk about adding firewall rules as a user script. So I am guessing that if this can't be done using the GUI, it can be done using scripts with your builds.
 
Correct. You have to create a script to handle it. I have no plan to add it to the webui.

 
Going by your post and guides, I defined the following:

Code:
iptables -t nat -I VSERVER 3 -p tcp -m tcp -s x.x.x.x --dport 22 -j DNAT --to y.y.y.y

I see that the firewall rule is working fine:

Code:
ACCEPT IN=eth0 OUT=br0 SRC=x.x.x.x DST=y.y.y.y LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=9907 DF PROTO=TCP SPT=17479 DPT=22 SEQ=1828100141 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020404EC01010402)

But I am not able to connect to my SSH server. I know the server is working fine because I can connect to it from within my home network.

Any help is appreciated.

If the router is able to forward the port, as noted by the log, then it means the restriction is on your server. Make sure the server's firewall and sshd_config don't prevent connections from non-local IPs.
 
Thanks. It was a new server that I was using (Raspberry Pi) which blocks all out of network traffic by default.

Finally, I have the following script:

Code:
#!/bin/sh
touch /tmp/000wanstarted
iptables -t nat -I VSERVER 3 -p tcp -m tcp -s x.x.x.x --dport 22 -j DNAT --to y.y.y.y

I made it executable:

Code:
-rwxrwxrwx    1 admin    root           107 Sep 30 11:48 nat-start

I tested it by manually running it. I see the folder 000wanstarted created under /tmp and the rules in iptables but when I rebooted, the rules were not present. What am I doing wrong?

Make sure you did put it under /jffs/scripts/
 
Is the empty file created in tmp, or not even that? I can't see any reason why the script would work when run manually but not after a reboot. You do have NAT and Firewall enabled, correct?

While rebooting the empty directory is also not created. I am looking at your post and I see logger can be used to diagnose this. Unfortunately I am not sure how to use it. Is there a syntax example that I can use?

I can't think of any other reason why this wouldn't work there then, while it does work if manually launched (which confirms that the script encoding is fine), sorry.

Can I run a cronjob to either run the script after reboot or add the rule in?
Also this is TM-AC1900 HW, can this be a bug since I am using RT-AC68U SW?
 
Can I run a cronjob to either run the script after reboot or add the rule in?

That could be a way. Another thing you can try: create either a services-start or a wan-start script, insert something like a sleep 30, followed by your commands.

The downside of this however is if the firewall gets restarted for some reason (for instance if you change port forwards, WAN goes down then back up, etc...) then this trick might not work too well.

Also this is TM-AC1900 HW, can this be a bug since I am using RT-AC68U SW?

That'd surprise me. However that does bring something else... Are you still running my firmware on it, or stock? Those scripts won't work with the stock firmware.
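An added example, not a script from this thread or from the firmware project, of what the nat-start script can look like once the source restriction, the firewall-restart caveat and the earlier logger question are taken together: the DNAT rule is limited to one trusted source address, inserted only if an identical rule is not already present, and each step is tagged with logger so the run shows up in the router's System Log. The addresses are placeholders, and it assumes the router's iptables supports the -C rule check and that busybox logger accepts -t.

```shell
#!/bin/sh
# /jffs/scripts/nat-start  (added example, not the thread's own script)
# Forward TCP/22 to an internal host for ONE trusted source address only,
# insert the rule at most once, and log each step via logger so a run that
# happens at boot (or never happens) can be traced in the router's System Log.
TAG="nat-start"
IPTABLES="${IPTABLES:-iptables}"            # overridable for off-router checks
TRUSTED_SRC="${TRUSTED_SRC:-198.51.100.7}"  # placeholder: the only WAN IP allowed in
SSH_HOST="${SSH_HOST:-192.168.1.50}"        # placeholder: internal SSH server
PORT="${PORT:-22}"

# logger -t sets the tag to grep for; fall back to stderr when run off-router.
log() { logger -t "$TAG" "$*" 2>/dev/null || echo "$TAG: $*" >&2; }

# Match part of the rule, shared by the -C check and the -I insert so they agree.
rule_spec() {
    echo "-p tcp -m tcp -s $TRUSTED_SRC --dport $PORT -j DNAT --to-destination $SSH_HOST"
}

# Insert the DNAT rule into VSERVER at position 3 (as in the thread) unless an
# identical rule already exists: the nat table can be regenerated several
# times per boot, so every run must be idempotent.
# Returns 0 if inserted, 1 if already there, 2 if iptables refused the insert.
add_rule_once() {
    spec=$(rule_spec)
    # shellcheck disable=SC2086  # splitting $spec into arguments is intended
    if $IPTABLES -t nat -C VSERVER $spec 2>/dev/null; then
        log "DNAT $TRUSTED_SRC -> $SSH_HOST:$PORT already present"
        return 1
    fi
    if $IPTABLES -t nat -I VSERVER 3 $spec; then
        log "inserted DNAT $TRUSTED_SRC -> $SSH_HOST:$PORT"
        return 0
    fi
    log "FAILED to insert DNAT rule (is VSERVER present? is NAT enabled?)"
    return 2
}

main() {
    log "started as $0 (pid $$)"     # proves the firmware actually ran the script
    add_rule_once || [ $? -eq 1 ]    # 'already present' is not an error
}

# Act only when executed under the hook name; sourcing it just defines the functions.
case "$(basename -- "$0")" in
    nat-start) main ;;
esac
```

Run it once by hand and look for the nat-start tag in the System Log; if a boot never produces the "started" line, the firmware did not execute the script at all, which separates a script problem from a rule problem.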

I am running your build 376.47. Maybe I can try a fresh install. I went from stock T-Mobile to RT-AC68U to your build. Do you think a factory reset might be enough or a fresh firmware upgrade?

Reflashing a firmware has zero effect on a router.