AC68U firewall ipstable


samueleycw

Occasional Visitor
Hello, I am a newbie. May I know how I can access the AC68U to edit the iptables?
There are some IPs which I want to block with a script via iptables.
May I know what the steps are? Thank you for your help. :)

I have enabled SSH and am using PuTTY to connect to the AC68U.
 
Sorry, I read it but am still not very sure where I can edit to add an iptables rule such as " iptables -t nat -I VSERVER 3 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100 "

The excellent documentation is here..

https://github.com/RMerl/asuswrt-merlin/wiki

Read the usage section for user scripts and customisation of configuration scripts
 

I tried my best to read it; however, I am a newbie and need more guidance. If you can, please teach me step by step. The documentation is hard to understand, so I posted this thread to ask for your help (sorry about that, my mother tongue is not English).

PS: May I know why the /jffs directory is empty and has no conf file?
hZZqfff.jpg


How can I do the same thing like this (before, I was using DD-WRT)?
administration-commands-dd-wrt.jpeg
 
Please help

drwxr-xr-x 2 Samuel root 0 Dec 1 08:00 configs
drwxr-xr-x 2 Samuel root 0 Dec 1 08:00 scripts
drwxrwxrwx 2 Samuel root 0 Feb 11 11:57 signature
-rw-rw-rw- 1 Samuel root 260544 Feb 14 09:50 syslog.log
-rw-rw-rw- 1 Samuel root 0 Feb 14 10:03 wrs_vp.txt
 

Directories /jffs/configs and /jffs/scripts are empty by default until you manually create the customisation files.

From an SSH/TELNET prompt issue:

iptables -t nat -L -nv --line

This should show you the current VSERVER entries; then manually issue your command to add the RDP entry:

iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100
iptables -t nat -L -nv --line

If you wish to permanently add the rule after every reboot of the router, then you will need to create a custom script,

e.g.

echo "#!/bin/sh" >/jffs/scripts/nat-start
echo "iptables -t nat -I VSERVER 1 -p tcp -m tcp -s 10.10.10.10 --dport 3389 -j DNAT --to 192.168.1.100" >>/jffs/scripts/nat-start

chmod a+rx /jffs/scripts/*

ls /jffs/scripts

reboot

However, if you are unable to comprehend the following as described on the Wiki page:

Creating scripts

Don't forget to set any script you create as being executable:

chmod a+rx /jffs/scripts/*

And like any Linux script, they need to start with a shebang:

#!/bin/sh

Also, you must save files with a UNIX encoding. Note that Windows's Notepad cannot save with a UNIX encoding - get Notepad++ instead. You can also directly edit it on the router through vi (included in the firmware) or nano (available through Optware/Entware) to ensure that your scripts are saved in a valid format.

(or use of WinSCP on a Windows platform to perform basic editing of router text configuration files), then I'm afraid AsusWrt-Merlin customisation is probably not for you.
 



Thanks for your help. If Merlin could make a user-friendly web GUI like the DD-WRT firewall page, it would suit newbies. It may be hard to work with web-based ones.

likes:
Slika_4.jpg
 

ASUS will probably have to change the Virtual Server/Port Forwarding GUI, as they have tried to provide a very simple firewall rule interface for 'newbies'. (I suspect ASUS deliberately tried to over-simplify this GUI by omitting the source IP filtering option of the port forward rules.)

Personally, I believe directly opening the RDP port from the WAN is not good practice.

I would configure an OpenVPN server on the router and only supply the certificate to the 'authorised' remote user/machine, which eliminates the security exposure of the RDP service - do you really want hackers to attempt to crack the RDP account/password?

P.S. If you must port forward RDP then at least choose a different external port number exposed to the WAN.

So if you are able to use WinSCP, then you now have the 'newbie' cut'n'paste capability to add/remove entries from your iptables customisation for /jffs/scripts/nat-start or even /jffs/scripts/firewall-start

Like most things, it's easy when you know how! :)

Good luck
 


Not realistic. For starters, my firmware handles around 30+ different scripts and custom configs, which would be next to impossible to handle in any sane way through the webui. Also, my firmware really uses actual text files stored in the JFFS partition, while DD-WRT and Tomato are actually storing their 3-4 custom configs in nvram.
 

---------------------------------
Could you take a look at whether the following is correct?
I have firewall-start:
eErTAjd.jpg


I use sh /jffs/scripts/firewall-start manually to start the firewall.
If I reboot the router, is there no need to run sh /jffs/scripts/firewall-start manually? Should I create init-start in /jffs/scripts/? I don't know what its content should be; do I just copy the whole firewall-start script to init-start? Thanks
 

To aid debugging, it is best to include lines such as:

logger -s -t "($(basename $0))" $$ Starting.... " $0${*:+ $*}"
logger -s -t "($(basename $0))" $$ Completed.


in your scripts.

When the router boots, as each service is started by the router, if you have created a custom script for that service in /jffs/scripts, then that script will be automatically executed.

e.g. If you issue from the SSH/TELNET prompt

service restart_firewall

then in the syslog (if you have included the logger statements) you will see your custom firewall-start script being executed to apply your iptables rule.

As previously posted, all of the custom scripts are documented on the Wiki page describing how they can be used.
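As an added example (not code from the thread or the firmware), here is a hook script in the spirit of the nat-start recipe and the logger lines above. Because the firmware runs firewall-start/nat-start again on every boot and every `service restart_firewall`, each rule is checked with `iptables -C` before it is inserted, so repeated runs do not stack duplicate rules. The RDP host, allowed source, external port and deny list are constructed values; IPTABLES is overridable only so the logic can be exercised off-router.

```shell
#!/bin/sh
# Constructed example for /jffs/scripts/firewall-start (and nat-start); not from the thread.
# Merlin runs these hooks at boot AND on every `service restart_firewall`, so a plain
# `iptables -I` would stack duplicate rules; each rule is therefore checked with -C first.

IPTABLES="${IPTABLES:-iptables}"    # overridable so the logic can be exercised off-router

# Hypothetical values: LAN RDP host, the one WAN source allowed to reach it, and a
# non-default external port (as the thread advises). BLOCKED_SRCS is a constructed deny list.
RDP_HOST="192.168.1.100"
RDP_ALLOWED_SRC="10.10.10.10"
RDP_WAN_PORT="53389"
BLOCKED_SRCS="203.0.113.5 198.51.100.0/24"

log() { logger -s -t "($(basename "$0"))" "$$ $*"; }

# ensure_rule TABLE CHAIN RULE...: insert at position 1 only if the identical rule is
# absent (-C exits 0 when it matches). Returns 1 when nothing had to be done.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 1
    fi
    "$IPTABLES" -t "$table" -I "$chain" 1 "$@"
}

# Filter-table rules (firewall-start): drop forwarded traffic from each listed source.
# Prints the number of rules actually added.
apply_filter_rules() {
    added=0
    for src in $BLOCKED_SRCS; do
        ensure_rule filter FORWARD -s "$src" -j DROP && added=$((added + 1))
    done
    echo "$added"
}

# NAT-table rule (nat-start): source-restricted port forward into the VSERVER chain.
apply_nat_rules() {
    added=0
    ensure_rule nat VSERVER -p tcp -m tcp -s "$RDP_ALLOWED_SRC" --dport "$RDP_WAN_PORT" \
        -j DNAT --to "$RDP_HOST:3389" && added=$((added + 1))
    echo "$added"
}

main() {
    log "Starting.... $0${*:+ $*}"
    case "$(basename "$0")" in
        firewall-start) log "Completed: $(apply_filter_rules) filter rule(s) added." ;;
        nat-start)      log "Completed: $(apply_nat_rules) nat rule(s) added." ;;
    esac
}
# The firmware invokes the file by hook name; under any other name (e.g. sourced) it is a no-op.
case "$(basename "$0")" in firewall-start|nat-start) main "$@" ;; esac
```

Install one copy as /jffs/scripts/firewall-start and one as /jffs/scripts/nat-start (chmod a+rx both), then watch the syslog after `service restart_firewall`: the second run should report 0 rule(s) added.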
 


Thanks.
You mean that now, when I reboot the router, /jffs/scripts/firewall-start will also be executed, and there is no need to create another script?
 

YES

However, if you wish, you may move your list of custom TCP settings (assuming they are not already available on the Tools->Other settings tab?) to, say, /jffs/scripts/init-start, as strictly speaking they are not related to the firewall.
 
