Whitelist filtering with port forwards?

[dumping99]

I have a IP security video camera. I would like to open up a port forward on my router to the internal camera but only accept incoming connections on a limited set of about 10 unique (and non sequential) IP addresses. The incoming connection addresses are fixed and static. I don't want the entire Internet to have access.

This was easy to do using my previous Tomato based firewall because the port forwarding table allowed you to specify both external and internal IP addresses.

For example (addresses are made up):

Prot, Ext Address, Ext Port, Int Port, Int Address

TCP, 189.41.125.21, 8086, 80, 192.168.1.160
TCP, 189.41.134.215, 8086, 80, 192.168.1.160
TCP, 189.41.136.212, 8086, 80, 192.168.1.160
UDP, 189.41.125.21, 8086, 80, 192.168.1.160
UDP, 189.41.134.215, 8086, 80, 192.168.1.160
UDP, 189.41.136.212, 8086, 80, 192.168.1.160

I have a vague understanding of IPTables. How would I configure my firewall to do this?

 

[RMerlin]

See this Wiki article:

https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips

 

[dumping99]

thanks for the link.

Do I just create a line like that example for each and every incoming static IP address that I want to whitelist?

 

[RMerlin]

thanks for the link.

Do I just create a line like that example for each and every incoming static IP address that I want to whitelist?

That would be the simplest, yes. Unless you decide to allow the whole /16 subnet, which might be more efficient, but less secure.

 

[dumping99]

the script is not working. Is there some syntax I need to do that is different if I am using multiple lines of this:


iptables -t nat -I VSERVER 3 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100

Right now I am have ten of the above lines in my nat-start file located in the /jiffs/scripts/ directory. Each entry has the 10.10.10.10 and 192.168.1.100 replaced with my own required addresses.

where will I see error messages if there are any?

 

[ColinTaylor]

What happens if you enter one of those statements in the command line of the router?

Do you get an error like this by any chance?

iptables: Index of insertion too big

If so change "VSERVER 3" to "VSERVER 1" in your commands.

 

[dumping99]

What happens if you enter one of those statements in the command line of the router?

Do you get an error like this by any chance?

iptables: Index of insertion too big

If so change "VSERVER 3" to "VSERVER 1" in your commands.

Yes that is exactly the error message I get when manually typing in the command string. I typed in the VSERVER 1 instead and the error message went away.

I updated the nat-start script, but it is still not working. Furthermore, if I go into the command line on the router and type in the following:

iptables -t nat -L -nv

The VSERVER entries are missing. So in addition to the VSERVER 3 vs 1, there is now a second problem that the script is not getting executed.

One more bit of info, I am actually using multiple lines of commands like this in my script (note the port 8086 to port 80 NATing, IP addresses are madeup in this example)

iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 189.41.125.121 --dport 8086 -j DNAT --to 192.168.1.160:80


Thank you for the continued help.

 

[RMerlin]

Make sure you enable port forwarding under Virtual Server on the router's webui, otherwise I'm not sure if the VSERVER chain gets used at all.

 

[ColinTaylor]

Make sure you enable port forwarding under Virtual Server on the router's webui, otherwise I'm not sure if the VSERVER chain gets used at all.

On my setup I don't have port forwarding turned on (WAN > Virtual Server / Port Forwarding > Enable Port Forwarding), but I do have UPnP enabled (WAN > Internet Connection > Enable UPnP) which creates an entry in the VSERVER chain.

I updated the nat-start script, but it is still not working. Furthermore, if I go into the command line on the router and type in the following:

iptables -t nat -L -nv

The VSERVER entries are missing. So in addition to the VSERVER 3 vs 1, there is now a second problem that the script is not getting executed.

Post the whole of the nat-start script so that we can see if there are any errors.

 

[dumping99]

here is the nat-start file that is stored in
/jffs/scripts/nat-start

the IP addresses have been altered for privacy.
------

#!/bin/sh
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 9.9.108.170 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 99.62.33.252 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 99.62.34.35 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 99.62.34.60 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 99.62.34.173 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 99.62.39.22 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 99.62.43.145 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 99.62.46.148 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 99.62.61.115 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 99.62.61.102 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 177.215.117.101 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 177.215.116.89 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 177.215.116.88 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 177.215.116.39 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 177.215.116.36 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 194.41.136.212 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 194.41.134.215 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 194.41.125.21 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 194.41.123.17 --dport 8086 -j DNAT --to 192.168.1.168:80
iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 194.41.117.214 --dport 8086 -j DNAT --to 192.168.1.168:80

 

[ColinTaylor]

Well I can't see anything obviously wrong with that, but as you say it seems like the script isn't running on boot-up.

Have you done a "chmod 777 /jffs/scripts/nat-start" ?

Does the script run OK from the command prompt?

# /jffs/scripts/nat-start

Try putting "touch /tmp/000natstarted" as the second line of your script. Reboot and see if it has created that file. If not the script isn't running.

 

[dumping99]

I executed the chmod 777 as you have recommended. Previously the file rights were set to execute for all three anyway.

when I goto the command line and run:

/jffs/scripts/nat-start

I get the following error:
-sh: /jffs/scripts/nat-start: not found

Which is strange since I know the file is there.

 

[RMerlin]

This is probably an encoding issue. Don't use Windows's notepad to create a Linux script, it will save it with Windows encoding, which can't be executed by a Linux shell.

Use either a Linux editor such as nano or vi, or use Notepad++ under Windows, making sure it's set to save in UNIX format. See this page for more info on how to convert encoding in notepad++:

http://techtips-it.blogspot.ca/2011/04/can-i-convert-file-format-in-notepad.html

 

[dumping99]

This is probably an encoding issue. Don't use Windows's notepad to create a Linux script, it will save it with Windows encoding, which can't be executed by a Linux shell.

Use either a Linux editor such as nano or vi, or use Notepad++ under Windows, making sure it's set to save in UNIX format. See this page for more info on how to convert encoding in notepad++:

http://techtips-it.blogspot.ca/2011/04/can-i-convert-file-format-in-notepad.html

Ok it was an encoding issue to get the script recognized by merlin.

I dont have notepad++ but I used EditPad Lite for Windows. I tried several encoding formats. The one that worked for merlin is: UNIX (LF only) and ISO 8859-1 encoding.

Now I am need to do more testing to see if my port forwards are working.

 

[dumping99]

Thanks to all for the help. Everything is working as it should.

I am now a contributor and convert to merlin, Donation sent to asuswrt-merlin.

 

[the_townie]

Hey guys,

I've been trying to accomplish a similar task. I'm hoping you all might be able to chime in and help me figure this out.

I want to essentially do the same thing as dumping99. I have a block of external ip addresses:
8.x.x.0/24 using ports 5060 and 5004
that I want to connect to an internal ip:
192.168.100.175 using ports 5060 and 5004

I've created the file with the right coding:
UNIX and ISO 8859-1

I'm just getting hung up with how to write the script. I've used this as a guide.

iptables -t nat -I VSERVER 3 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100

However, I need the protocol to be udp. Would anyone be willing to help me write it out? I am very new to this.

I tried this:

#!/bin/sh
touch /tmp/000wanstarted
#Allow port forward from VOIP Provider to VOIP Phone
iptables -t nat -I VSERVER 3 udp -m udp -s 8.20.94.0/24 --dport 5060 -j --to 192.168.100.175:5060
iptables -t nat -I VSERVER 3 udp -m udp -s 8.20.94.0/24 --dport 5004 -j --to 192.168.100.175:5004

but I don't think it's working. If I run

/jffs/scripts/nat-start

I get this message

Bad argument `udp'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `udp'
Try `iptables -h' or 'iptables --help' for more information.

Is there a way to clean it up and how can I test to see that it's working?

Thanks!

 

[Martineau]

Hey guys,

I've been trying to accomplish a similar task. I'm hoping you all might be able to chime in and help me figure this out.

I want to essentially do the same thing as dumping99. I have a block of external ip addresses:
8.x.x.0/24 using ports 5060 and 5004
that I want to connect to an internal ip:
192.168.100.175 using ports 5060 and 5004

I've created the file with the right coding:
UNIX and ISO 8859-1

I'm just getting hung up with how to write the script. I've used this as a guide.

However, I need the protocol to be udp. Would anyone be willing to help me write it out? I am very new to this.

I tried this:

#!/bin/sh
touch /tmp/000wanstarted
#Allow port forward from VOIP Provider to VOIP Phone
iptables -t nat -I VSERVER 3 udp -m udp -s 8.20.94.0/24 --dport 5060 -j --to 192.168.100.175:5060
iptables -t nat -I VSERVER 3 udp -m udp -s 8.20.94.0/24 --dport 5004 -j --to 192.168.100.175:5004

but I don't think it's working. If I run

/jffs/scripts/nat-start

I get this message

Is there a way to clean it up and how can I test to see that it's working?

Thanks!

Look carefully at the example you copied, the '-p tcp' defines the protocol you wish to use, alas you have omitted the '-p' before the 'udp'.....not sure if the default '-j' argument will apply or is also missing,,,and why did you tag the port number onto the end of the target I/P address....the example doesn't do it??

Regards,

 

[the_townie]

Thanks Martineau for pointing that out. After I look at something so long, it's hard to see errors.

As for the port number being tagged onto the end of the target I/P address, I was following a previous post. Dumping99 was wanting to go from port 8086 to 80. I assumed I would need to do that as well.

Like I said, if there is a way to clean it up and make it better, I'm all for it. I just don't have the experience to know how. (yet) I'm learning.

I'll make the change and see if I get the error. What else can I do to test to see if it is working as it should?

 

[the_townie]

I also noticed I left out DNAT

#!/bin/sh
touch /tmp/000wanstarted
#Allow port forward from VOIP Provider to VOIP Phone
iptables -t nat -I VSERVER 1 -p udp -m udp -s 8.xx.xx.0/24 --dport 5060 -j DNAT --to 192.168.100.175:5060
iptables -t nat -I VSERVER 1 -p udp -m udp -s 8.xx.xx.0/24 --dport 5004 -j DNAT --to 192.168.100.175:5004

Once I entered that in, I got the error that

Index of insertion too big.

so, I changed it from a 3 to a 1 as recommended in a previous post.

Once I did that, I did not receive any errors.

Now, how can I verify that all is working as it should be?

 

[Martineau]

I also noticed I left out DNAT


Once I entered that in, I got the error that
so, I changed it from a 3 to a 1 as recommended in a previous post.

Once I did that, I did not receive any errors.

Now, how can I verify that all is working as it should be?

Hmmm tricky question given you refer to VOIP...perhaps get someone to call you?

But if you wish to confirm/verify the state of your iptables modifications rather than the expected results, then interrogate the tables

e.g.

iptables -t nat -L -nv --line