Menu
What's new
By:
Filters Better Search

Restricting access to specific ports - Whitelist ?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

TomT said:
OK - I'm still having issues.
This is what I've currently got setup
Code: 
iptables -I FORWARD -p udp --dport 5060 -j DROP
iptables -I FORWARD -p udp --dport 5068 -j DROP
iptables -I FORWARD -p udp -s 61.243.142.120 --dport 5060 -j ACCEPT
iptables -I FORWARD -p udp -s 88.215.134.231 --dport 5060 -j ACCEPT
iptables -I FORWARD -p udp -m string --string sipgate --algo bm --dport 5060 -j ACCEPT
iptables -I FORWARD -p udp -m string --string sipgate --algo bm --dport 5068 -j ACCEPT
iptables -I FORWARD -p udp -m string --string voice --algo bm --dport 5068 -j ACCEPT

iptables -I FORWARD -p tcp --dport 5060 -j DROP
iptables -I FORWARD -p tcp --dport 5068 -j DROP
iptables -I FORWARD -p tcp -s 61.243.142.120 --dport 5060 -j ACCEPT
iptables -I FORWARD -p tcp -s 88.215.134.231 --dport 5060 -j ACCEPT
iptables -I FORWARD -p tcp -m string --string sipgate --algo bm --dport 5060 -j ACCEPT
iptables -I FORWARD -p tcp -m string --string sipgate --algo bm --dport 5068 -j ACCEPT
iptables -I FORWARD -p tcp -m string --string voice --algo bm --dport 5068 -j ACCEPT

I'm finding this is blocking ALL UDP/TCP for 5060 & 5068 including the entries specified to be allowed.
Why ?

If I remove the:
Code: 
iptables -I FORWARD -p udp --dport 5060 -j DROP

Then all my SIP trunks work, but I'm open to anything again..
Any ideas how to block everything on port 5060 & 5068 except the entries I've listed ?

Thanks
Click to expand...


Never mastered iptables, but isn't your problem that the 2 rules dropping traffic to 5060 and 5068 are at the top of the list, so those rules get actioned first; nothing addressed to 5060 or 5068 ever gets checked against any other rules because the the first 2 have already made the decision as to what happens? Don't the drop rules to those 2 ports need to come AFTER every other rule pertaining to those 2 ports?
 
TomT said:
OK - I'm still having issues.
Click to expand...
This will tell you what's going on. Check the pkts & bytes counts to see that your rules are being matched. Chances are that your rules are not matching anything.

/usr/sbin/iptables -nvL --line-numbers
 
I've removed all the rules I added and then added two new ones:
Code: 
iptables -A FORWARD -p udp --dport 5060 -j DROP
iptables -A FORWARD -p tcp --dport 5060 -j DROP

Making an external SIP Call still works even though 5060 is blocked.

/usr/sbin/iptables -nvL --line-numbers returns :
Code: 
10       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060
11       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060

so it isn't matching at all.
Is this because I have port forwarding for 5060 set ?

Thanks
 
Hi
I've been having another look at this and I'm not sure my iptables is correct.
This is what it currently shows:

Code: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1723
ACCEPT     gre  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ipttolan   all  --  anywhere             anywhere
iptfromlan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain FUPNP (0 references)
target     prot opt source               destination

Chain PControls (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain iptfromlan (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.165.10.0/255.255.255.0 name: lan

Chain ipttolan (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.165.10.0/255.255.255.0 name: lan

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all  --  anywhere             anywhere

I've just tried adding this rule and no errors were detected:
Code: 
iptables -t nat -I VSERVER 3 -p udp -m udp -s 88.235.62.224 --dport 5060 -j DNAT --to 192.165.10.10
yet I can't see it in the iptables output at all.

Also I have several entries in the Virtual Server / Port Forwarding page, but they don't appear.
At the moment traffic is coming in and going out on 5060 to/from any address !

I've removed my nat-start script and rebooted the router, but it's still shows as above.
Any ideas ?

Thanks
 
Quick update. The router log shows 'start_nat_rules: apply the nat_rules(/tmp/nat_rules_ppp0_eth0)!'
Looking at that file it contains :

Code: 
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
:LOCALSRV - [0:0]
:VUPNP - [0:0]
:DNSFILTER - [0:0]
:PCREDIRECT - [0:0]
-A PREROUTING -d xxx.xxx.xxx.xxx -j VSERVER
-A PREROUTING -d 169.254.234.57 -j VSERVER
-A VSERVER -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.165.10.50:21
-A VSERVER -p tcp -m tcp --dport 2021 -j DNAT --to-destination 192.165.10.1:21
-A VSERVER -p tcp -m tcp --dport 9091 -j DNAT --to 192.165.10.30
-A VSERVER -p tcp -m tcp --dport 8050 -j DNAT --to 192.165.10.30
-A VSERVER -p tcp -m tcp --dport 8082 -j DNAT --to-destination 192.165.10.60:8082
-A VSERVER -p tcp -m tcp --dport 5068 -j DNAT --to-destination 192.165.10.13:5068
-A VSERVER -p udp -m udp --dport 5068 -j DNAT --to-destination 192.165.10.13:5068
-A VSERVER -p udp -m udp --dport 6900:7859 -j DNAT --to 192.165.10.13
-A VSERVER -p tcp -m tcp --dport 5000 -j DNAT --to 192.165.10.13
-A VSERVER -p udp -m udp --dport 6300:6699 -j DNAT --to 192.165.10.10
-A VSERVER -p tcp -m tcp --dport 5065 -j DNAT --to-destination 192.165.10.120:5065
-A VSERVER -j VUPNP
-A POSTROUTING  -o ppp0 ! -s xxx.xxx.xxx.xxx -j MASQUERADE
-A POSTROUTING  -o eth0 ! -s 169.254.234.57 -j MASQUERADE
-A POSTROUTING  -m mark --mark 0xb400 -j MASQUERADE
COMMIT

Why don't I see these IP table rules in the output ?
 
TomT said:
Why don't I see these IP table rules in the output ?
Click to expand...
Because by default the iptables command displays/modifies the "filter" table. To see the "nat" table use something like:

iptables -t nat -L -n -v
 
Thanks that shows the nat rules but not why it appears to fail to match them..

I'm happy to try any ideas.. Thanks
 
You must log in or register to reply here.

Similar threads

M
Blocking some devices to connect to the network or accessing the internet
Replies
1
Views
332
Justinh
J
RMerlin
Release Asuswrt-Merlin 386.13 / 386.13_2 is now available for AC models
2 3 4
Replies
79
Views
19K
Tech9
Tech9
I
Unable to connect to VPN with specific ISP (and more weird symptoms)
Replies
5
Views
788
iraweissman
I
S
Nighthawk CAX80 - How to whitelist a specific MAC address for incoming VPN connections
Replies
0
Views
1K
smckenna
S
randomofamber
FW Merlin 386.7_2 - Web Access from WAN - ports lower 1024
Replies
5
Views
1K
randomofamber
randomofamber
Similar threads
Thread starter Title Forum Replies Date
R Disable Intranet access for a LAN port (not the WiFi Guest network)? Asuswrt-Merlin 13
K Solved "Block internet access" does nothing Asuswrt-Merlin 7
T GT BE98 Pro Guest Network Cannot Disable Intranet Access Asuswrt-Merlin 3
E Wireguard can't access devices behind asus router Asuswrt-Merlin 5
R Addition of Block Internet Access Asuswrt-Merlin 5
ali. Access point mode: unable to use AirPlay Asuswrt-Merlin 3
K How to block LAN access for a wired device on ASUS Merlin (Firmware 3004.388.8_2)? Asuswrt-Merlin 12
S OpenVPN LAN access + one external IP Asuswrt-Merlin 3
Preskitt.man Access Router Admin from Chrome Flex OS Asuswrt-Merlin 2
E RT AX88U problem with update 3004 388-8-1 and 2: loss of internet access Asuswrt-Merlin 8

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 923 (members: 31, guests: 892)
Top