What are these iptables rules -j chains for?

Denna

Senior Member
What are these iptables rules -j names for?

PTCSRVLAN
PTCSRVWAN
ipttolan
iptfromlan

Are these undocumented?

Well, they are perhaps documented in the source code

e.g. firewall.c

IP Traffic monitoring ipttolan/iptfromlan
Code:
// Setup traffic accounting
if (nvram_match("cstats_enable", "1")) {
    fprintf(fp, ":ipttolan - [0:0]\n:iptfromlan - [0:0]\n");
 
@Martineau,

I searched the Asuswrt-Merlin GitHub repository, but didn't find any references to "firewall.c", "PTCSRVLAN" or "PTCSRVWAN".
 
Anyone? @RMerlin maybe?

Many items in the code usually only hardcode the prefix, so there are definitely partial references.

So this may indicate the SSH (dropbear) protection mechanism for the LAN/WAN, i.e. PTCSRVWAN, PTCSRVLAN

e.g.

protect_srv.h

Code:
/*  IPTABLES SETTING
---------------------------------*/
#define PROTECT_SRV_RULE_CHAIN                "PTCSRV"
#define PROTECT_SRV_RULE_FILE                 "/tmp/ipt_protectSrv_rule"

indicating just statistics reporting.
 
Thanks!

Someday it would be nice if one could choose what is and is not "open" so to speak - I simply fail to see the use of the mentioned chains...
 

By default, nothing at all is open to the WAN.

This new protection service from Asus is just another layer of security, mostly for people who do expose their SSH/FTP to the WAN. Can't say I'm a fan of how they implemented it however... I'm still unsure whether I want to keep this enabled or not in the future, especially as the newer version of that code is now closed source.
 
iptfromlan and ipttolan are used by IPTraffic for client traffic accounting.
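
Added example (not part of any post in this thread, and not Asuswrt-Merlin code): one way to answer "what is this -j chain for" on your own router is to map every user-defined chain in an `iptables-save` dump to the rules that jump to it and to the number of rules it holds. The sample dump, interface names and addresses below are constructed assumptions; only the four chain names come from the thread.

```python
import shlex

# Constructed iptables-save excerpt (not captured from a real router); the chain
# names are the ones asked about in the thread, the rules are assumptions.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:iptfromlan - [0:0]
:ipttolan - [0:0]
-A INPUT -i eth0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A FORWARD -i br0 -j iptfromlan
-A FORWARD -o br0 -j ipttolan
-A iptfromlan -s 192.168.1.10/32 -j RETURN
-A ipttolan -d 192.168.1.10/32 -j RETURN
COMMIT
"""

def map_user_chains(dump):
    """Map (table, chain) -> rule count and the rules that jump to it."""
    chains, rules, table = {}, [], None
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("["):                 # counters written by iptables-save -c
            line = line.split("] ", 1)[-1]
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):               # chain declaration
            name, policy = line[1:].split()[:2]
            if policy == "-":                    # "-" marks a user-defined chain
                chains[(table, name)] = {"rules": 0, "called_from": []}
        elif line.startswith("-A "):             # appended rule
            rules.append((table, line))
    for table, line in rules:
        tok = shlex.split(line)
        if (table, tok[1]) in chains:            # rule lives inside a user-defined chain
            chains[(table, tok[1])]["rules"] += 1
        for flag in ("-j", "-g"):                # jump or goto target
            if flag in tok[:-1]:
                target = tok[tok.index(flag) + 1]
                if (table, target) in chains:
                    chains[(table, target)]["called_from"].append(line)
    return chains

if __name__ == "__main__":
    for (table, name), info in sorted(map_user_chains(SAMPLE).items()):
        print(f"{table}/{name}: {info['rules']} rule(s); called from {info['called_from'] or 'nothing'}")
```

A chain that is referenced but holds zero rules only passes packets back to its caller; a chain with no callers is never traversed at all.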
 
