RT-AC66U Asuswrt-Merlin HTTP & HTTPS LAN but only HTTPS WAN?


cgar

Hi, I'm looking for a way to have the authentication method of HTTP access to the router from WAN set to both HTTP and HTTPS but disable HTTP from WAN, so that I can have nice, fast HTTP router configuring at home and more secure but slower HTTPS configuring from WAN.

I have an ASUS RT-AC66U running Asuswrt-Merlin 3.0.0.4.374.39_0.

I've tried setting a port forward of the HTTP port to an invalid host in the Virtual Server page, and I've tried dabbling with iptables to reject access from ppp0 on the HTTP port.

The System Log > Port Forwarding page shows:
Code:
Destination     Proto. Port range  Redirect to     Local port  Chain
ALL             TCP    5554        192.168.1.1     80          VSERVER
ALL             TCP    5555        192.168.1.1     5555        VSERVER
5554 is the HTTP port I configured and 5555 is the HTTPS port I configured. There are no entries in the WAN > Virtual Server / Port Forwarding page.

Over SSH, the files /tmp/nat_rules_ppp0_eth0 and /tmp/nat_rules contain the line:
Code:
-A VSERVER -p tcp -m tcp --dport 5554 -j DNAT --to-destination 192.168.1.1:80
I've considered making a script to delete this line every time the router boots, but wouldn't that cause wear and tear to the flash memory? Also, since this is a file in /tmp, it must read the setting from somewhere else. If I edit the file it reads it from, will that work across reboots?

Anyone know a way? :confused:
Probably the simplest way to do it would be to add this to /jffs/scripts/nat-start:

Code:
#!/bin/sh
# Delete the WAN HTTP DNAT rule the firmware adds to the VSERVER chain
iptables -t nat -D VSERVER -p tcp -m tcp --dport 5554 -j DNAT --to-destination 192.168.1.1:80

Then make the scripts executable (run once over SSH):
Code:
chmod a+rx /jffs/scripts/*

or /jffs/scripts/firewall-start. Sorry, haven't tested.
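The reply above relies on retyping the exact rule the firmware generates, which silently breaks if the WAN port or LAN IP changes. As an added example (not part of this thread, and not the firmware's own code), here is a nat-start script in the same spirit that reads the live nat table with iptables-save, removes every VSERVER DNAT for the WAN HTTP port, and confirms the HTTPS DNAT survived. The port numbers and LAN address are taken from the thread; the assumptions are that /jffs/scripts exists only on the router, that the script runs there as root, and that iptables-save is available (it is on Asuswrt-Merlin builds the author has used, but check yours).

```shell
#!/bin/sh
# /jffs/scripts/nat-start (added example, not the thread's own script).
# Keep the WAN HTTPS DNAT (5555 -> 192.168.1.1:5555) but strip the WAN HTTP
# DNAT (5554 -> 192.168.1.1:80) every time the firmware rebuilds the nat
# table, so HTTP admin access only works from the LAN.

HTTP_WAN_PORT=5554    # assumption: WAN HTTP port as configured in the thread
HTTPS_WAN_PORT=5555   # assumption: WAN HTTPS port as configured in the thread

# Pure text filter: read an iptables-save style listing of the nat table on
# stdin and print the rule body (everything after "-A VSERVER ") of each DNAT
# rule whose --dport is exactly the given port. Testable without iptables.
vserver_dnat_rules_for_port() {
    sed -n "s/^-A VSERVER \(.*--dport $1 .*-j DNAT .*\)\$/\1/p"
}

# Delete one copy of every matching rule. Each line in iptables-save output is
# one rule instance, so this stays correct if the firmware inserted duplicates
# or nat-start runs more than once; "-D" with the full spec removes exactly one.
strip_wan_http_dnat() {
    iptables-save -t nat | vserver_dnat_rules_for_port "$HTTP_WAN_PORT" |
    while IFS= read -r _rule; do
        # word splitting of $_rule into iptables arguments is intended
        iptables -t nat -D VSERVER $_rule
    done
}

# Sanity check: if the HTTPS DNAT is gone too, remote admin access is gone
# entirely. Returns 0 when at least one DNAT for HTTPS_WAN_PORT is present.
https_dnat_present() {
    [ -n "$(iptables-save -t nat | vserver_dnat_rules_for_port "$HTTPS_WAN_PORT")" ]
}

# Only touch the live firewall on the router itself (assumption: /jffs/scripts
# exists only there, and nat-start is invoked as root).
if [ -d /jffs/scripts ] && [ "$(id -u)" = 0 ] && command -v iptables-save >/dev/null 2>&1; then
    strip_wan_http_dnat
    https_dnat_present || logger -t nat-start "warning: no VSERVER DNAT for port $HTTPS_WAN_PORT"
fi
```

Install it as /jffs/scripts/nat-start and run `chmod a+rx /jffs/scripts/nat-start`, exactly as the reply above says. After a reboot, `iptables-save -t nat | grep VSERVER` should show only the 5555 DNAT; if the 5554 line is back, the firmware rebuilt the chain after nat-start ran, which is the case where firewall-start would be the better hook.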
sinshiva, that's worked perfectly. nat-start seemed to be the correct file, but at first I just had it in both. When I removed firewall-start it then allowed HTTP access on port 80, but I'm setting up an HTTP server anyway, so I just put the port forward in the Virtual Server page to where the new server will be, and that seems to have it. Thanks very much =).

HTTPS isn't really any more secure. Enabling configuration over WAN is always a giant security hole.

It was my understanding that HTTPS connections are encrypted, and this means that packet sniffers are unable to read the username and password in plaintext?
The network I would predominantly be configuring things for blocks all but a few outgoing connections. Not every computer has the same outgoing ports open in the firewall, so I need this to set up some port forwards to allow certain programs to reach things running on my server.