New RT-AC86U online, need advice on setting up SSHD


GK59

Regular Contributor
Hi, I took delivery today of this marvelous piece of equipment, a real beauty she is and promptly did a 30/30/30 reset and installed Merlin 384.4_2 FW and is up and running 5x5. I would like to know of a good guide for setting up SSHD on this particular model where I'd like to use an ECDSA key and overall hardening of the router. I have PuTTY and also XShell 5 to use. I run Cloudflare's DNS servers (1.1.1.1, 1.0.0.1) in the "WAN DNS Setting" section but would it benefit me more to use the AiProtection's DNS-based filtering? I've enabled the AiProtection and pass all of its items in "Router Security Assessment", I'll assume for the moment this is SOP for setting this router up but I may end up tweaking this as time goes on if there is advice to do so, i.e. perf related reasons etc. thanks everyone.

Edit: Are there any privacy related concerns in general with Trend Micro's stuff as I posted here?
but would it benefit me more to use the AiProtection's DNS-based filtering?

DNSFilter's goal is to ensure that clients are forced through a specific DNS. It might help protect against rogue DNS usage on your LAN indeed, but it has its negative side-effects, such as affecting LAN-side name resolution.

Edit: Are there any privacy related concerns in general with Trend Micro's stuff as I posted here?

Just to clarify something: DNSFilter is totally unrelated to Trend Micro's engine. DNSFilter is something I've implemented, it strictly relies on iptables.
 
I would like to know of a good guide for setting up SSHD on this particular model where I'd like to use an ECDSA key and overall hardening of the router.

Here's my guide - Don't...

Seriously - your router is the bastion... opening access via any services on the router invites risk to the entire private LAN

If you need to have ssh into your LAN, use a jump-box - Rpi works well there with a fully enabled OpenSSH Server.

If you want to keep things all Asus - buy a TinkerBoard - they're pretty cool...
 
Hi, I took delivery today of this marvelous piece of equipment, a real beauty she is and promptly did a 30/30/30 reset and installed Merlin 384.4_2 FW and is up and running 5x5. I would like to know of a good guide for setting up SSHD on this particular model where I'd like to use an ECDSA key and overall hardening of the router. I have PuTTY and also XShell 5 to use. I run Cloudflare's DNS servers (1.1.1.1, 1.0.0.1) in the "WAN DNS Setting" section but would it benefit me more to use the AiProtection's DNS-based filtering? I've enabled the AiProtection and pass all of its items in "Router Security Assessment", I'll assume for the moment this is SOP for setting this router up but I may end up tweaking this as time goes on if there is advice to do so, i.e. perf related reasons etc. thanks everyone.

Edit: Are there any privacy related concerns in general with Trend Micro's stuff as I posted here?

Uhmmm....Doing a hard reset with an Asus router may be risky.....you could brick your router....pressing Reset with power off for 5 secs and then maintaining it pressed for 5-10 more seconds after power is ON, will get you to the CFE recovery page.
 
Here's my guide - Don't...

Seriously - your router is the bastion... opening access via any services on the router invites risk to the entire private LAN

If you need to have ssh into your LAN, use a jump-box - Rpi works well there with a fully enabled OpenSSH Server.

If you want to keep things all Asus - buy a TinkerBoard - they're pretty cool...
Thanks for this, I never check from outside the LAN but merely wanted to understand the process was all.


Uhmmm....Doing a hard reset with an Asus router may be risky.....you could brick your router....pressing Reset with power off for 5 secs and then maintaining it pressed for 5-10 more seconds after power is ON, will get you to the CFE recovery page.
Noted, I seem to have read that somewhere but caught myself doing it today, luckily no repercussions thanks.
 
DNSFilter's goal is to ensure that clients are forced through a specific DNS. It might help protect against rogue DNS usage on your LAN indeed, but it has its negative side-effects, such as affecting LAN-side name resolution.



Just to clarify something: DNSFilter is totally unrelated to Trend Micro's engine. DNSFilter is something I've implemented, it strictly relies on iptables.

What are the iptables rules for this? I want to implement this on the ipv6 side in ip6tables, but I can't see the relevant ipv4 rules when I run iptables -L.
 
Look in the nat table.

I guess I am going to have to look at how it is implemented in DNSfilter, because trying to write my own IPv6 rules didn't work (it doesn't work the same way as iptables). I see that it will put in rules for IPv6 if you choose a pre-set, but it won't create any to force the Router config (despite having an IPv6 DNS provided).
 
I guess I am going to have to look at how it is implemented in DNSfilter, because trying to write my own IPv6 rules didn't work (it doesn't work the same way as iptables). I see that it will put in rules for IPv6 if you choose a pre-set, but it won't create any to force the Router config (despite having an IPv6 DNS provided).
What exactly are you trying to do? Force clients on the LAN or force the router itself?
 
What exactly are you trying to do? Force clients on the LAN or force the router itself?

I want all devices to be restricted to the DNS provided by the router's DHCP.

I set the Global Filter Mode to Router and that does fine with IPv4. For IPv6 though, you can still connect to any DNS server, effectively bypassing the DNS filter.

If I use dig with IPv4, and try to specify a different DNS server, it still connects to the local DNS (I know, because it resolves local zone entries).

Using dig with IPv6, I can connect to any external DNS (when I would like it to at least drop, since redirect may not be an option due to limitations in ip6tables) and it, naturally, does not resolve local entries.

I understand that the DNS Filter will restrict IPv6 if you choose a pre-set from the list, but I am having trouble recreating that for my own custom solution. It seems setting it to Router, or providing a custom IPv4 address, does not put any restrictions on the IPv6 side.
 
I don't use the same firmware as you, but I think there is a bug in the IPv6 implementation of DNSFilter.

Try setting it up as you would expect (Global Filter Mode = Router) and then issue the following command. It should drop the IPv6 query, which is what it does when set up for individual clients:

ip6tables -t mangle -A DNSFILTER -j DROP

I can't test this myself because I don't have my system set up for IPv6 (or the same firmware).

P.S. What do you get from the following:

ip6tables-save -t mangle | grep -i dns
 
# ip6tables -t mangle -A DNSFILTER -j DROP
ip6tables: No chain/target/match by that name.

# ip6tables-save -t mangle | grep -i dns
returns nothing
 
I have some experience with iptables, but apparently it is not translating over to ip6tables for me.
 
Ah, OK. I think it's the differences between our firmware. Could you post the complete output of:

ip6tables-save

Mask your external IP address if necessary.
 
Code:
# Generated by ip6tables-save v1.4.15 on Sun Jun  3 20:51:39 2018
*mangle
:PREROUTING ACCEPT [1:72]
:INPUT ACCEPT [1:72]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:64]
:POSTROUTING ACCEPT [1:64]
COMMIT
# Completed on Sun Jun  3 20:51:39 2018
# Generated by ip6tables-save v1.4.15 on Sun Jun  3 20:51:39 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:64]
:NSFW - [0:0]
:PControls - [0:0]
:UPNP - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p ipv6-crypt -j ACCEPT
-A INPUT -i eth0 -p ipv6-auth -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 547 --dport 546 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
-A INPUT -j logdrop

[snipped entries related to time restricted devices in parental controls]

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A FORWARD -j logdrop
-A OUTPUT -o eth0 -p ipv6-crypt -j ACCEPT
-A OUTPUT -o eth0 -p ipv6-auth -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sun Jun  3 20:51:39 2018
 
I think I might have a solution. I should have looked at ip6tables-save with one of the preset DNS filter selections and reversed back earlier, instead of trying to roll my own... For some reason that did not occur to me until you had me look at that output again.
 
Hmm, that's strange. I don't see anything at all to do with DNS.

Could you reconfigure DNSFilter so that it's filtering an individual client and then issue the same command.

EDIT: OK looks like you've thought of that.
 
Never mind, that did not work... Doing what you suggested, I got this (looks like it merely added a couple of lines referring to DNSFILTERF and DNSFILTERI):

Code:
# Generated by ip6tables-save v1.4.15 on Sun Jun  3 21:13:20 2018
*mangle
:PREROUTING ACCEPT [22:1964]
:INPUT ACCEPT [3:440]
:FORWARD ACCEPT [19:1524]
:OUTPUT ACCEPT [1:64]
:POSTROUTING ACCEPT [5:328]
:DNSFILTERF - [0:0]
:DNSFILTERI - [0:0]
COMMIT
# Completed on Sun Jun  3 21:13:20 2018
# Generated by ip6tables-save v1.4.15 on Sun Jun  3 21:13:20 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:64]
:NSFW - [0:0]
:PControls - [0:0]
:UPNP - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p ipv6-crypt -j ACCEPT
-A INPUT -i eth0 -p ipv6-auth -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 547 --dport 546 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
-A INPUT -j logdrop

[snipped entries related to time restricted devices in parental controls]


-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A FORWARD -j logdrop
-A OUTPUT -o eth0 -p ipv6-crypt -j ACCEPT
-A OUTPUT -o eth0 -p ipv6-auth -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sun Jun  3 21:13:20 2018

When I tried to write my own versions of the rules DNSFILTER had added, they did not work. I had to add the DNSFILTERI and DNSFILTERF chains, but I'm not entirely sure how they are being created by the firmware itself, so may not have been complete.

Here is what it looks like if I pick the Yandex Safe Global Filter Mode:

Code:
# Generated by ip6tables-save v1.4.15 on Sun Jun  3 21:19:00 2018
*mangle
:PREROUTING ACCEPT [47:9808]
:INPUT ACCEPT [6:984]
:FORWARD ACCEPT [10:2385]
:OUTPUT ACCEPT [1:72]
:POSTROUTING ACCEPT [17:3104]
:DNSFILTERF - [0:0]
:DNSFILTERI - [0:0]
-A INPUT -i br0 -p udp -m udp --dport 53 -j DNSFILTERI
-A INPUT -i br0 -p tcp -m tcp --dport 53 -j DNSFILTERI
-A FORWARD -i br0 -p udp -m udp --dport 53 -j DNSFILTERF
-A FORWARD -i br0 -p tcp -m tcp --dport 53 -j DNSFILTERF
-A DNSFILTERF -d 2a02:6b8::feed:bad/128 -j ACCEPT
-A DNSFILTERF -d 2a02:6b8:0:1::feed:bad/128 -j ACCEPT
-A DNSFILTERF -j DROP
-A DNSFILTERI -d 2a02:6b8::feed:bad/128 -j ACCEPT
-A DNSFILTERI -d 2a02:6b8:0:1::feed:bad/128 -j ACCEPT
-A DNSFILTERI -j DROP
COMMIT
# Completed on Sun Jun  3 21:19:00 2018
# Generated by ip6tables-save v1.4.15 on Sun Jun  3 21:19:00 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:72]
:NSFW - [0:0]
:PControls - [0:0]
:UPNP - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p ipv6-crypt -j ACCEPT
-A INPUT -i eth0 -p ipv6-auth -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 547 --dport 546 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
-A INPUT -j logdrop

[snipped time restricted entries]

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A FORWARD -j logdrop
-A OUTPUT -o eth0 -p ipv6-crypt -j ACCEPT
-A OUTPUT -o eth0 -p ipv6-auth -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sun Jun  3 21:19:00 2018
 
I have been adding my manual configuration attempts to firewall-start. I'm mentioning that in case that is the problem.
 
I looked at /tmp/mangle_rules_ipv6.dnsfilter and it seems to have configurations for DNS Filter, but they are not quite what I would expect:

Code:
/tmp# cat mangle_rules_ipv6.dnsfilter
*mangle
:DNSFILTERI - [0:0]
:DNSFILTERF - [0:0]
-A INPUT -i br0 -p udp -m udp --dport 53 -j DNSFILTERI
-A INPUT -i br0 -p tcp -m tcp --dport 53 -j DNSFILTERI
-A FORWARD -i br0 -p udp -m udp --dport 53 -j DNSFILTERF
-A FORWARD -i br0 -p tcp -m tcp --dport 53 -j DNSFILTERF
-A DNSFILTERI -m mac --mac-source [device w/ no filtering] -j ACCEPT
-A DNSFILTERF -m mac --mac-source [device w/ no filtering] -j ACCEPT
-A DNSFILTERI -d [allowed DNS server IPv4 address] -j ACCEPT
-A DNSFILTERF -d [allowed DNS server IPv4 address] -j ACCEPT
-A DNSFILTERI -j ACCEPT
-A DNSFILTERF -j DROP
COMMIT

None of that shows up in either iptables-save or ip6tables-save.
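An added example, not code from the firmware or from anyone in this thread: a POSIX sh script that emits an ip6tables-restore fragment with the same DNSFILTERI/DNSFILTERF layout as the /tmp/mangle_rules_ipv6.dnsfilter file above, but with the "Router" semantics the poster wanted for IPv6 (LAN DNS to the router itself accepted, LAN DNS forwarded to any other server dropped, since the thread notes redirect is not an option in ip6tables), plus an audit function that checks a saved dump for that enforcement. It assumes br0 as the LAN bridge; the MAC and addresses in the test are constructed sample values.

```shell
#!/bin/sh
# Added example, not ASUSWRT-Merlin code. Generates the mangle-table fragment
# and audits an ip6tables-save dump. Assumption: LAN bridge is br0.

LAN_IF="${LAN_IF:-br0}"

# Print the ruleset. $1: space-separated MACs exempt from filtering (may be
# empty). $2: space-separated IPv6 resolvers clients may still reach directly.
dnsfilter6_rules() {
    exempt_macs="$1"
    allowed_dns="$2"
    printf '%s\n' '*mangle' ':DNSFILTERI - [0:0]' ':DNSFILTERF - [0:0]'
    # Steer LAN-originated port-53 traffic into the two chains, as the
    # firmware fragment does (INPUT = to the router, FORWARD = to anywhere else).
    for proto in udp tcp; do
        printf '%s\n' "-A INPUT -i $LAN_IF -p $proto -m $proto --dport 53 -j DNSFILTERI"
        printf '%s\n' "-A FORWARD -i $LAN_IF -p $proto -m $proto --dport 53 -j DNSFILTERF"
    done
    # Exempt devices bypass both chains (the fragment's --mac-source rules).
    for mac in $exempt_macs; do
        printf '%s\n' "-A DNSFILTERI -m mac --mac-source $mac -j ACCEPT"
        printf '%s\n' "-A DNSFILTERF -m mac --mac-source $mac -j ACCEPT"
    done
    # Explicitly allowed upstream resolvers, /128 as in the Yandex preset dump.
    for dns in $allowed_dns; do
        printf '%s\n' "-A DNSFILTERF -d $dns/128 -j ACCEPT"
    done
    # Router mode: queries to the router itself pass, anything forwarded drops.
    printf '%s\n' '-A DNSFILTERI -j ACCEPT' '-A DNSFILTERF -j DROP' 'COMMIT'
}

# Audit the ip6tables-save dump in file $1. Return 0 only when both UDP and TCP
# DNS forwarded from the LAN enter DNSFILTERF and that chain ends in DROP. The
# thread's Router-mode dumps fail this: the chains exist but hold no rules.
dnsfilter6_enforced() {
    dump="$1"
    for proto in udp tcp; do
        grep -q "^-A FORWARD -i $LAN_IF -p $proto -m $proto --dport 53 -j DNSFILTERF\$" "$dump" || return 1
    done
    last="$(grep '^-A DNSFILTERF ' "$dump" | tail -n 1)"
    [ "$last" = "-A DNSFILTERF -j DROP" ]
}

# Constructed sample: the mangle table from the thread's second dump, where
# choosing Router mode declared the chains but added no rules to them.
sample_router_mode_dump() {
    printf '%s\n' '*mangle' ':PREROUTING ACCEPT [22:1964]' ':DNSFILTERF - [0:0]' \
        ':DNSFILTERI - [0:0]' 'COMMIT'
}

# Demo: audit the sample, then confirm the generated ruleset would pass.
# On the router, as root from firewall-start, the fragment would be loaded with:
#   dnsfilter6_rules "" "" | ip6tables-restore --noflush
tmp="$(mktemp)"
sample_router_mode_dump > "$tmp"
dnsfilter6_enforced "$tmp" && echo "sample dump: IPv6 DNS enforced" || echo "sample dump: IPv6 DNS NOT enforced"
dnsfilter6_rules "" "" > "$tmp"
dnsfilter6_enforced "$tmp" && echo "generated ruleset: IPv6 DNS enforced"
rm -f "$tmp"
```

Run the audit against a fresh `ip6tables-save > /tmp/dump.txt` after each DNSFilter change to see whether the firmware actually installed IPv6 enforcement.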
 