
RT-AC87U Problem start script to block open ports! Asus Merlin 380.59


Annelise Mikhouser

Guest
Hello Guys,
In advance, I would like to apologize for my bad English.

I use the OpenVPN Client on my Router to route my internet traffic over VPN. Over the normal WAN IP the ports are not accessible from outside. But when I enable my VPN Connection via "Client 2" some ports are open from outside. The VPN provider doesn't firewall my VPN WAN IP. When I do a portscan some ports are open (Port 22, 80, 433 and so on)! So I need to firewall the tun interface with some iptables.

But unfortunately I don’t get these rules to run :\
I hope someone can help me to find the right commands to solve this problem.

My settings / my procedure:

- I am running an Asus AC87U with Firmware Asus Merlin 380.59.

- I have OpenVPN - Client 2 configured, so that my internet traffic
is routed over VPN (Client 2 with policy rules and static ip's for each device= killswitch is activated)

- I have a SSH access via Putty to the Router (Administration – System – Enable SSH – LAN only)

- I formatted and enabled the JFFS Partition. It seems to be mounted:

rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=127740k,nr_inodes=31935,mode=755)
proc on /proc type proc (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)
/dev/mtdblock4 on /jffs type jffs2 (rw,noatime)
usbfs on /proc/bus/usb type usbfs (rw,relatime)
XXX@RT-AC87U-D970:/tmp/home/root#


- I have found the right VPN Interface with the command “ifconfig”

tun12
Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:XX.XX.X.X P-t-P:XX.XX.X.X Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:16114796 errors:0 dropped:0 overruns:0 frame:0
TX packets:8709101 errors:0 dropped:16676 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3993608687 (3.7 GiB) TX bytes:487072189 (464.5 MiB)



- I tried to set iptables via firewall-start (alternate with nat-start):

I. "cd /jffs/scripts/firewall-start"

II. "vi firewall-start"

III. I put these commands inside the file

#!/bin/sh
iptables -I INPUT -i tun12 -p tcp --dport 22 -m state --state NEW -j DROP
iptables -I INPUT -i tun12 -p tcp --dport 80 -m state --state NEW -j DROP

logger -t firewall-start services start script finished

or

#!/bin/sh
iptables -I INPUT -i tun12 -p tcp --dport 22 -j DROP
iptables -I INPUT -i tun12 -p tcp --dport 80 -j DROP

logger -t firewall-start services start script finished


IV. ":wq" -> save and quit

V. "chmod a+rx /jffs/scripts/firewall-start"

VI. "chmod 777 firewall-start"

After I restart the router nothing happens/no script is starting when I look into the syslog???

When I want to start the script manually with “/firewall-start” I get this output:
-sh: firewall-start: not found

The logger only shows a sys-log when I push the command "./firewall-start":
Nov 7 18:49:11 firewall-start: services start script finished

...but the ports are still open when I do a portscan again. The script does not seem to start. What am I doing wrong?

THX for your Support ;)
 
Did you pay for your own WAN IP address through your provider? If not, then you're just seeing the ports that are open at the VPN provider's end point and shouldn't be routable to your network.
 
Did you pay for your own WAN IP address through your provider? If not, then you're just seeing the ports that are open at the VPN provider's end point and shouldn't be routable to your network.

I get a shared IP from my VPN provider, not a dedicated IP. But that's not the point. I want to block all incoming traffic over the open ports like in these cases:
http://www.snbforums.com/threads/ss...an-even-though-this-option-is-disabled.17222/
http://www.snbforums.com/threads/ro...rnet-when-an-openvpn-client-is-running.23743/

Is it important to add .sh at the end of firewall-start? I just want to set some iptables as a script in my firewall.
How can I do this right?
 
In each of the cases above the VPN provider is providing a dedicated unique IP address to them.
 
In each of the cases above the VPN provider is providing a dedicated unique IP address to them.

Ok, but I still want to set iptables to block all internet traffic from outside over these ports. My VPN provider can use these open ports too and I just want to block incoming traffic over open ports for all.

So, please help me to push a script with iptables that works. I have been trying to run a script for a few days and it is very frustrating for me :/
 
The port scan that is being performed is against the VPN provider system and not your system. Those ports are not routable to your system. You will always see those ports open/closed when you perform the test no matter what changes you make on your system.

The reason that script will work for someone else is because they've purchased a dedicated public IP address from their VPN provider. When this option is purchased often there is no firewall enabled and therefore all the ports that are open on the router are visible.

In the system log you'll likely see something like this:
Code:
custom script: Running /jffs/scripts/firewall-start
 
Thank you for your explanation. Nevertheless, I would like to bring firewall rules to run. Even if it no longer fits the title of my thread :)
"custom script: Running /jffs/scripts/firewall-start" does not appear in the system log. Also not after a restart of the router.

When I start the script manually with "sh firewall-start" I get this output from logger:
"firewall-start: services start script finished"

here is my current script:

#!/bin/sh
touch /tmp/000wanstarted

iptables -I INPUT -i tun12 -p tcp --dport 22 -m state --state NEW -j DROP
iptables -I INPUT -i tun12 -p tcp --dport 80 -m state --state NEW -j DROP
iptables -I INPUT -i tun12 -p tcp --dport 443 -m state --state NEW -j DROP

logger -t firewall-start services start script finished

How can I check if the script is running? I don't know how I can look into the "000wanstarted" file or how I can make a check otherwise...

Thanks a lot for your help!
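
Added example, not part of the thread: one way to confirm from the rule listing that the DROP rules in the script above are loaded and not shadowed by an earlier ACCEPT. It understands single-port `--dport` TCP rules only; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
# Input: filter-table rules in the format printed by `iptables-save`.

# Print the target of the first INPUT rule that can match TCP traffic to
# port $2 arriving on interface $1, or "none" if no rule names that port.
first_target() {
    while IFS= read -r rule; do
        case "$rule" in "-A INPUT "*) ;; *) continue ;; esac
        case " $rule " in *" -p tcp "*) ;; *) continue ;; esac
        case " $rule " in *" --dport $2 "*) ;; *) continue ;; esac
        case " $rule " in
            *" -i $1 "*) ;;          # bound to our interface
            *" -i "*) continue ;;    # bound to another interface
        esac                         # no -i at all: applies to every interface
        echo "${rule##* -j }"
        return 0
    done
    echo none
}

# Print "port:target" for every wanted port whose first matching rule is not
# DROP. Empty output means each port is dropped on that interface.
unblocked_ports() {
    iface=$1; shift
    rules=$(cat)
    out=""
    for port in "$@"; do
        target=$(printf '%s\n' "$rules" | first_target "$iface" "$port")
        [ "$target" = "DROP" ] || out="$out $port:$target"
    done
    echo "${out# }"
}

# Constructed sample: the first rule accepts port 80 on every interface, so the
# later tun12 DROP for port 80 is never reached; 443 is only blocked on eth0.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i tun12 -p tcp -m tcp --dport 22 -m state --state NEW -j DROP
-A INPUT -i tun12 -p tcp -m tcp --dport 80 -m state --state NEW -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j DROP'

# On the router: iptables-save -t filter | unblocked_ports tun12 22 80 443
```

For the constructed sample the result is `80:ACCEPT 443:none`: port 22 is dropped on tun12, port 80 is accepted before its DROP rule is reached, and no rule covers port 443 on tun12.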
 
The script just issues the commands that are in the file, it doesn't run continuously. You should get the following in the system log output even when run manually.

Code:
Nov 11 12:14:49 firewall-start: services start script finished
You should also see a 0 byte file in /tmp with 000wanstarted as the filename.

The firewall-start file should reside in /jffs/scripts/ not in a subdirectory inside that folder.
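
Added example, not part of the thread: a preflight check for the conditions raised in this thread that keep a user script from running (the file sitting in a subdirectory, a `.sh` suffix, a missing execute bit). It also flags a missing `#!/bin/sh` line, carriage returns and world-writable permissions such as `chmod 777`, which go beyond what the posts mention; the function name `check_user_script` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). check_user_script is a hypothetical name.
# Prints "ok", or a space-separated list of findings, for one user script path.
check_user_script() {
    path=$1
    findings=""

    if [ -d "$path" ]; then
        # e.g. the real file was created inside /jffs/scripts/firewall-start/
        echo "is-a-directory"
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "missing"
        return 1
    fi

    # Advice given in the thread: no .sh suffix on the file name.
    case $(basename "$path") in
        *.sh) findings="$findings has-sh-suffix" ;;
    esac

    [ -x "$path" ] || findings="$findings not-executable"

    # Compare the interpreter line with any carriage return stripped ...
    first=$(head -n 1 "$path" | tr -d '\r')
    [ "$first" = "#!/bin/sh" ] || findings="$findings bad-shebang"
    # ... and report carriage returns (file saved with CRLF) separately.
    cr=$(printf '\r')
    if grep -q "$cr" "$path"; then
        findings="$findings crlf-line-endings"
    fi

    # Mode string such as -rwxrwxrwx: the 9th character is "other write".
    case $(ls -ld "$path" | cut -c1-10) in
        ????????w?) findings="$findings world-writable" ;;
    esac

    if [ -z "$findings" ]; then
        echo "ok"
        return 0
    fi
    echo "${findings# }"
    return 1
}

# On the router: check_user_script /jffs/scripts/firewall-start
```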
 
"custom script: Running /jffs/scripts/firewall-start" does not appear in the system log. Also not after a restart of the router.
Not to be a wise guy, but do you have the option to run custom scripts and configs enabled (under Administration > System)
 
Not to be a wise guy, but do you have the option to run custom scripts and configs enabled (under Administration > System)

Yes John, I have the option enabled for custom scripts and configs...
 
The script just issues the commands that are in the file, it doesn't run continuously. You should get the following in the system log output even when run manually.

Code:
Nov 11 12:14:49 firewall-start: services start script finished
You should also see a 0 byte file in /tmp with 000wanstarted as the filename.

The firewall-start file should reside in /jffs/scripts/ not in a subdirectory inside that folder.

So, when I disable the SSH option in my router under "Administration" I get the following entry in my syslog:
Nov 11 21:13:41 syslogd started: BusyBox v1.20.2
Nov 11 21:13:41 kernel: klogd started: BusyBox v1.20.2 (2016-05-10 11:46:09 EDT)
Nov 11 21:13:41 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Nov 11 21:13:41 custom script: Running /jffs/scripts/firewall-start (args: eth0)
Nov 11 21:13:41 RT-AC87U: start httpd - SSL
Nov 11 21:13:42 firewall-start: services start script finished
Nov 11 21:13:42 hour monitor: daemon is starting
Nov 11 21:13:42 miniupnpd[1196]: HTTP listening on port 40461
Nov 11 21:13:42 miniupnpd[1196]: Listening for NAT-PMP/PCP traffic on port 5351


How can I look into the file "000wanstarted" to check for errors with Putty?
Go to /tmp and look into the file with the command "vi 000wanstarted" (no entries should be inside)?
 
Is it important to add .sh at the end of firewall-start? I just want to set some iptables as a script in my firewall.
How can I do this right?

If you have added .sh after firewall-start, remove that. It shouldn't be there.
 
How can I look into the file "000wanstarted" to check for errors with Putty?
All that file is is a marker. You need to check the file's timestamp to see when it was 'touched' to verify it matches when the script was run. (Cloudflare won't let me enter the command :mad:, hopefully you know it)
 
All that file is is a marker. You need to check the file's timestamp to see when it was 'touched' to verify it matches when the script was run. (Cloudflare won't let me enter the command :mad:, hopefully you know it)

Hello John, unfortunately I don't know the command to check the file's timestamp :(
 
lxs -l /tmp/000wanstarted

take the 'x' out of the first word

Hey John, I get this output with your command:
XXX@RT-AC87U-D970:/jffs/scripts# l(x)s -l /tmp/000wanstarted
-rw-rw-rw- 1 XXX root 0 Nov 23 04:23 /tmp/000wanstarted
 
I still wonder about my vpn provider. Why do they have some ports open? Even if it's a shared ip. Why does a vpn provider do something like that? What is the intention behind it?
 
Hosting multiple services behind a single IP address is the likely explanation. 80 and 443 are used for websites, 22 is generally for administrating servers via the command line.
 
