Sorry for the delayed replies. Sometimes rebooting my router sends my cable modem into a tizzy.
Well, this time it seems to have worked. Fired up the game and couldn't connect to any servers. Turned off the "Enable Network Services Filter" and then I could connect again. Turned the filter back on and unfortunately I stayed connected to the game I was in, and I quit that match and was able to connect to a new one. Closed the game and Steam app, and could not connect to a new match.
So, I am partially solved. I want to be able to easily toggle between allowing and not allowing. The radio button to enable / disable the network services filter is pretty decent. Would be cool if I could use scp to just push up the iptables rules I want with just a simple command line. Guessing this is possible. Is it possible to set up ssh authorized hosts for your ASUS router to allow you to scp / ssh without a password so I could just execute a script to push the right file or execute the right command to turn on / off the network services filter?
Here is my config and iptables-save now.
I have blocked the ports in both directions (I hope); see below:
View attachment 10341
Intere
Here is the output from iptables-save:
# Generated by iptables-save v1.3.8 on Mon Sep 4 09:52:47 2017
*nat
:PREROUTING ACCEPT [972:111422]
:POSTROUTING ACCEPT [468:36571]
:OUTPUT ACCEPT [464:36411]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:PCREDIRECT - [0:0]
:PUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 97.93.29.121 -j VSERVER
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING -s ! 97.93.29.121 -o eth0 -j MASQUERADE
-A POSTROUTING -m mark --mark 0x8000/0x8000 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 50000 -j DNAT --to-destination 192.168.1.1:50001
-A VSERVER -j VUPNP
-A VSERVER -j LOCALSRV
-A VSERVER -j DNAT --to-destination 192.168.1.105
COMMIT
# Completed on Mon Sep 4 09:52:47 2017
# Generated by iptables-save v1.3.8 on Mon Sep 4 09:52:47 2017
*mangle
:PREROUTING ACCEPT [12769:5115012]
:INPUT ACCEPT [6702:1023872]
:FORWARD ACCEPT [8547:4534953]
:OUTPUT ACCEPT [4225:2808615]
:POSTROUTING ACCEPT [15289:8013704]
:QOSO0 - [0:0]
-A PREROUTING -d 192.168.100.20 -i ! eth0 -j MARK --set-mark 0x8000/0x8000
-A PREROUTING -d 192.168.100.20 -i ! eth0 -j MARK --set-mark 0x8000/0x8000
-A PREROUTING -d 192.168.100.20 -i ! eth0 -j MARK --set-mark 0x8000/0x8000
-A PREROUTING -d 192.168.100.20 -i ! eth0 -j MARK --set-mark 0x8000/0x8000
-A PREROUTING -d 97.93.29.121 -i ! eth0 -j MARK --set-mark 0x8000/0x8000
-A PREROUTING -i eth0 -j CONNMARK --restore-mark --mask 0x7
-A FORWARD -o eth0 -j QOSO0
-A OUTPUT -o eth0 -j QOSO0
-A POSTROUTING -o br0 -j QOSO0
-A QOSO0 -j CONNMARK --restore-mark --mask 0x7
-A QOSO0 -m connmark ! --mark 0x0/0xff00 -j RETURN
-A QOSO0 -p tcp -m tcp --dport 80 -m connbytes --connbytes 0:524287 --connbytes-mode bytes --connbytes-dir both -j CONNMARK --set-return 0x2/0x7
-A QOSO0 -p tcp -m tcp --dport 443 -m connbytes --connbytes 0:524287 --connbytes-mode bytes --connbytes-dir both -j CONNMARK --set-return 0x2/0x7
-A QOSO0 -p tcp -m tcp --dport 80 -m connbytes --connbytes 524288:4294967295 --connbytes-mode bytes --connbytes-dir both -j CONNMARK --set-return 0x3
-A QOSO0 -p tcp -m tcp --dport 443 -m connbytes --connbytes 524288:4294967295 --connbytes-mode bytes --connbytes-dir both -j CONNMARK --set-return 0x
-A QOSO0 -p tcp -m tcp --dport 27014:27050 -m mac --mac-source 60:F8:1D:C1:F9:00 -j CONNMARK --set-return 0x1/0x7
-A QOSO0 -p udp -m multiport --dports 1200,3478,4379:4380,27000:27030 -m mac --mac-source 60:F8:1D:C1:F9:00 -j CONNMARK --set-return 0x1/0x7
-A QOSO0 -p tcp -m tcp --dport 27014:27050 -m mac --mac-source 80:E6:50:0B:86:EA -j CONNMARK --set-return 0x1/0x7
-A QOSO0 -p udp -m multiport --dports 1200,3478,4379:4380,27000:27030 -m mac --mac-source 80:E6:50:0B:86:EA -j CONNMARK --set-return 0x1/0x7
-A QOSO0 -p tcp -m tcp --dport 27014:27050 -m mac --mac-source 60:F8:1D:BD:6E:70 -j CONNMARK --set-return 0x1/0x7
-A QOSO0 -p udp -m multiport --dports 1200,3478,4379:4380,27000:27030 -m mac --mac-source 60:F8:1D:BD:6E:70 -j CONNMARK --set-return 0x1/0x7
-A QOSO0 -d 224.0.0.0/240.0.0.0 -j CONNMARK --set-return 0x6/0x7
-A QOSO0 -d 192.168.1.0/255.255.255.0 -j CONNMARK --set-return 0x6/0x7
-A QOSO0 -j CONNMARK --set-return 0x4/0x7
COMMIT
# Completed on Mon Sep 4 09:52:47 2017
# Generated by iptables-save v1.3.8 on Mon Sep 4 09:52:47 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4542:2913292]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:NSFW - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i ! br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m conntrack --ctstate DNAT -m tcp --dport 50001 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i eth0 -j SECURITY
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A NSFW -i br0 -o eth0 -p udp -m udp --sport 4379:4380 -j DROP
-A NSFW -i br0 -o eth0 -p tcp -m tcp --sport 27000:27100 -j DROP
-A NSFW -i br0 -o eth0 -p udp -m udp --sport 27000:27100 -j DROP
-A NSFW -i br0 -o eth0 -p udp -m udp --dport 4379:4380 -j DROP
-A NSFW -i br0 -o eth0 -p udp -m udp --dport 27000:27100 -j DROP
-A NSFW -i br0 -o eth0 -p tcp -m tcp --dport 27000:27100 -j DROP
-A NSFW -i br0 -o eth0 -j RETURN
-A PControls -j ACCEPT
-A SECURITY -d 192.168.1.105 -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Mon Sep 4 09:52:47 2017
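Added example, not part of the original post: a simplified first-match evaluator run over a subset of the FORWARD and NSFW rules from the dump above, showing which rule decides a packet's fate. The packet dictionary fields and the function names are hypothetical, and only the match options that occur in this subset are handled.

```python
import shlex

# Subset of the *filter rules from the dump above, kept in their original order.
RULES = """\
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A NSFW -i br0 -o eth0 -p udp -m udp --dport 27000:27100 -j DROP
-A NSFW -i br0 -o eth0 -p tcp -m tcp --dport 27000:27100 -j DROP
-A NSFW -i br0 -o eth0 -j RETURN
"""

def parse(text):
    """Return {chain: [(match_options, target), ...]} in rule order."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        opts = dict(zip(tok[2::2], tok[3::2]))   # option -> value pairs
        target = opts.pop("-j")
        opts.pop("-m", None)                      # module loads match nothing themselves
        chains.setdefault(tok[1], []).append((opts, target))
    return chains

def in_range(spec, port):
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def matches(opts, pkt):
    checks = {
        "-i": lambda v: pkt["in"] == v,
        "-o": lambda v: pkt["out"] == v,
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: in_range(v, pkt["dport"]),
        "--state": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[k](v) for k, v in opts.items())

def verdict(chains, pkt, chain="FORWARD", policy="DROP"):
    """First terminating rule wins; RETURN or end of a user chain resumes the caller."""
    for opts, target in chains[chain]:
        if not matches(opts, pkt):
            continue
        if target in ("ACCEPT", "DROP", "RETURN"):
            return None if target == "RETURN" else f"{target} ({chain})"
        result = verdict(chains, pkt, target)     # jump into a user chain
        if result:
            return result
    return f"{policy} (policy)" if chain == "FORWARD" else None
```

Because the RELATED,ESTABLISHED accept sits ahead of the jump to NSFW, a flow that conntrack already tracks never reaches the port drops, so the filter only affects connections opened after it is enabled.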