
ASUS RT-N66U Router Query

windowsnt

New Around Here
I am using the Asus RT-N66U on a fixed IP (WAN side) to port forward inbound traffic on Ports 80 and 3306 to an XP box on our LAN running Apache and MySQL - that provides interactive membership information to our external web site.

Everything runs fine but recently our Credit Card Merchandising Provider has upgraded their machine from old fashioned dial-up to a LAN based device - and their "mandatory" scans of our network have thrown up a whole bunch of security issues with Apache and MySQL.

We can get the developers to upgrade our systems to close all these security holes (which will cost a lot of money and might be a never ending affair) or we can try and do something clever with the Asus to by-pass the issue altogether - hence my post.

What I would like to do is have Port 80 and Port 3306 inbound traffic forwarded to our XP Box (IP=192.168.1.2) as before - BUT only accept this traffic if it is coming from the (public) IP address of our external web site. The Credit Card merchandiser will accept a solution like this if I can implement it.

I have read through the documentation and I cannot see a way that the Asus can do this - but others might know better than me - and I would welcome any ideas & suggestions.

Thanks in advance.



Steven
 
You could switch to my firmware or Tomato, and manually configure the port forward through iptables. In that case, you can define which IPs are allowed to be forwarded, while other connection attempts will be rejected. This would take maybe 30-60 minutes for a tech who's familiar with iptables.

Another solution is to secure it on the server's end, rejecting connection attempts from IPs other than your remote server.

The safest solution would be to establish a VPN between the remote server and the local server, and have all SQL connection attempts go through that tunnel. This would be MUCH safer than having SQL transactions going in the clear over the Internet.

Having a business-class firewall/VPN appliance such as a Netscreen would be the ideal solution IMHO. If you are processing credit card information, don't skimp on security. Large corporations made that mistake; you've seen how many of them got compromised in the past few years.

Even an access list can be bypassed by someone skilled and determined enough to do it, hence the need for a VPN-based solution.
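As an added example (not code from the original post or from the Asuswrt-Merlin project), this is what the iptables side of RMerlin's first suggestion comes down to: DNAT only for packets from the trusted address, an explicit FORWARD accept for that address, and an explicit DROP for anything else aimed at the same LAN port. The WAN interface name eth0 and the trusted address 203.0.113.10 are assumed placeholders; 192.168.1.2 is the LAN host from the question.

```shell
#!/bin/sh
# Added example for this thread (not from the original post or from
# Asuswrt-Merlin): source-restricted port forwarding with iptables.
# Assumed values, adjust to your site:
WAN_IF="${WAN_IF:-eth0}"                     # WAN interface name (assumed)
LAN_HOST="${LAN_HOST:-192.168.1.2}"          # the XP box from the question
TRUSTED_SRC="${TRUSTED_SRC:-203.0.113.10}"   # public IP of the web site (placeholder)
IPTABLES="${IPTABLES:-iptables}"             # IPTABLES="echo iptables" for a dry run

# Forward one TCP port to LAN_HOST, but only for packets from TRUSTED_SRC.
# $IPTABLES is deliberately unquoted so "echo iptables" splits into two words.
forward_port_from() {
    port="$1"
    # 1. Rewrite the destination only when the source is trusted. Untrusted
    #    packets are not DNATed and never reach the LAN host at all.
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -s "$TRUSTED_SRC" -j DNAT --to-destination "$LAN_HOST:$port"
    # 2. Let the rewritten flow through FORWARD, again from the trusted source only.
    $IPTABLES -I FORWARD -i "$WAN_IF" -p tcp -s "$TRUSTED_SRC" \
        -d "$LAN_HOST" --dport "$port" -m state --state NEW -j ACCEPT
    # 3. Drop anything else aimed at that LAN port. Inserted at position 2,
    #    right behind the ACCEPT, so it sits ahead of the firmware's own
    #    permissive FORWARD rules and ahead of any GUI-created forward.
    $IPTABLES -I FORWARD 2 -i "$WAN_IF" -p tcp \
        -d "$LAN_HOST" --dport "$port" -j DROP
}

# Apply the restriction to every port given as an argument.
restrict_forwards() {
    for p in "$@"; do
        forward_port_from "$p"
    done
}

# Review the generated rules first:   IPTABLES="echo iptables" sh ./restrict-forwards.sh 80 3306
# Apply them (as root on the router): sh ./restrict-forwards.sh 80 3306
if [ $# -gt 0 ]; then
    restrict_forwards "$@"
fi
```

On Asuswrt-Merlin the usual place for rules like these is the /jffs/scripts/firewall-start user script, so they are re-applied whenever the firmware rebuilds its chains; if the port forwards created in the GUI are left in place, the explicit DROP in step 3 is what actually keeps other sources out, because the firmware's own FORWARD rules accept DNATed traffic regardless of origin. Two checks worth doing afterwards: make sure the router's own web administration is not enabled on the WAN side (otherwise unmatched port 80 traffic lands on the router itself), and remember that this only limits who can reach MySQL, while the traffic still crosses the Internet unencrypted, which is the point of the VPN suggestion above.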
 
Re: 'ASUS RT-N66U Router Query'

Thank you very much for your reply RMerlin.

On balance I would like to try using your firmware and iptables to remedy this issue. The costs involved for upgrading Apache / MySQL etc. cannot really be justified considering how small my client is.

I am a reasonably experienced IT man but have not used iptables before and would be grateful if you could point me to any resources you know of - and I will be googling away as well.

I can see your site at :- https://github.com/RMerl/asuswrt-merlin and will work from that, but for some reason I cannot see the mediafire site at the moment.

The one thing I need to know is how to back out of a firmware upgrade if it fails for any reason. At the moment the router is on 3.0.0.4.374_979.

Thank you again.


Steven
 
