Custom firewall rules executed multiple times

Hi Colin,

At reboot, your script works perfectly and applies the custom firewall rules at the top.
I have restarted the firewall manually and after that, the rules are applied on lines 6, 7 and 8 (they are no longer at the top). This way the rules make no difference.

Do you know what is happening, please?

Thank you
 
Sure, please see below:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- ppp0 * 10.10.10.0/24 0.0.0.0/0
2 0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
3 2 118 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
4 0 0 ACCEPT ah -- ppp0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT esp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT tcp -- * * xxx.xxx.xxx.xxx 0.0.0.0/0 tcp dpt:xxx
7 0 0 ACCEPT tcp -- * * xxx.xxx.xxx.xxx 0.0.0.0/0 tcp dpt:xxx
8 9 368 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:xxx
9 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
10 0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
11 0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp spt:4500 dpt:4500
12 5 170 DROP icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
13 118K 23M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
14 2901 129K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
15 73291 14M PTCSRVWAN all -- !br0 * 0.0.0.0/0 0.0.0.0/0
16 31057 2083K PTCSRVLAN all -- br0 * 0.0.0.0/0 0.0.0.0/0
17 31057 2083K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
18 68072 14M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
19 5219 331K OVPN all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
20 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
21 0 0 INPUT_ICMP icmp -- * * 0.0.0.0/0 0.0.0.0/0
22 5219 331K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
 
I think that looks correct. You appear to have another VPN client server running. IPSec?
 
Yes, that's right, I have an IPSec server running alongside OpenVPN.
When I reboot the router, the OpenVPN rules are applied at the top, but when I restart the firewall they get demoted to lines 6-8.
Is there a way to always keep them on 1-3?

Thank you.
 
FWIW, there are times when the firewall script is called multiple times and the previous firewall rules are NOT deleted. I've specifically seen this w/ tomato routers (of which Merlin is a variant), and seems to happen most often when using multiple bridges. It's as if each instance of a bridge results in a call to the firewall script. For this reason, I usually create my firewall script as follows:

Code:
ipt() {
    # precede insert/append w/ deletion to avoid dupes
    # (the ${@/pattern/replacement} rewrite of -I/-A to -D is a bash
    # feature, so this script has to run under bash, not plain sh;
    # "$@" is quoted so rule arguments containing spaces survive intact)
    iptables "${@/-[IA]/-D}" 2> /dev/null
    iptables "$@"
}

ipt -I INPUT -i br2 -j REJECT
ipt -I INPUT -i br2 -p tcp -j REJECT
...

IOW, every insertion is preceded w/ a deletion for the same rule just in case duplication takes place.
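The same delete-then-insert idea in POSIX sh, added here as an example rather than taken from the post above: it assumes the router's /bin/sh is busybox ash (which lacks the bash-only substitution), and the IPTABLES override and IPT_APPLY switch are hypothetical names. It also strips an optional rule number before the delete, repeats the delete until no copy is left, and passes a -t table through, so the OpenVPN/IPSec rules land back at the top of the chain however many times the firewall script is re-run.

```shell
#!/bin/sh
# Idempotent iptables wrapper for a firewall-start script, in POSIX sh so it
# also runs under busybox ash (assumed to be /bin/sh on the router), which has
# no bash-style "${@/-[IA]/-D}" substitution.
#   ipt -I INPUT -i br2 -j REJECT
#   ipt -I INPUT 1 -p udp --dport 500 -j ACCEPT
#   ipt -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Before every -I/-A the same rule is deleted, repeatedly in case earlier runs
# left several copies, so re-running the script neither duplicates the rule
# nor leaves a stale copy lower in the chain: the fresh -I lands at the
# requested position (the top by default) every time.

IPTABLES="${IPTABLES:-iptables}"   # hypothetical override, used for dry runs

ipt() {
    _t=""
    if [ "$1" = "-t" ]; then _t="$2"; shift 2; fi
    _act="$1"; _chain="$2"; shift 2
    _pos=""
    case "$_act" in
        -I|-A)
            # A rule number may follow the chain name; strip it for the delete
            # so -D matches the rule specification rather than a position.
            case "$1" in
                ''|*[!0-9]*) ;;
                *) _pos="$1"; shift ;;
            esac
            while "$IPTABLES" ${_t:+-t} ${_t:+"$_t"} -D "$_chain" "$@" 2>/dev/null; do :; done
            ;;
    esac
    # ${_x:+"$_x"} expands to no word at all when _x is empty.
    "$IPTABLES" ${_t:+-t} ${_t:+"$_t"} "$_act" "$_chain" ${_pos:+"$_pos"} "$@"
}

# The two rules from the post above, applied only when IPT_APPLY=1 is set
# (hypothetical switch) so that sourcing this file for ipt() has no effect.
if [ "${IPT_APPLY:-0}" = 1 ]; then
    ipt -I INPUT -i br2 -j REJECT
    ipt -I INPUT -i br2 -p tcp -j REJECT
fi
```

Point IPTABLES at a logging stand-in to see the exact -D/-I sequence the wrapper issues before running it on the router.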
 