Default Filter Table

Denna

Senior Member
With a default installation of Asuswrt-Merlin 380.65 beta, the following appears in the filter table.

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2028:451152]
:FUPNP - [0:0]
:NSFW - [0:0]
:PControls - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]

What are the FUPNP, NSFW, PControls and SECURITY chains for ?
 
Denna said:
What are the FUPNP, NSFW, PControls and SECURITY chains for ?

Most can be deduced from the GUI Tab names

e.g.

NSFW Firewall->Network Services Filter

PControls AiProtection Parental Controls

EDIT: Included the nat chains, as @ColinTaylor has pointed that query (https://www.snbforums.com/threads/default-nat-table.37062/) here for answers ;)

Denna said:
What are the following chains for ?
:DNSFILTER - [0:0]
:PCREDIRECT - [0:0]
:VSERVER - [0:0]


DNSFILTER AiProtection->DNS filter

PCREDIRECT AiProtection->Parental Controls Time Scheduling (Basically redirects devices to a web page stating Internet access is blocked?)
PCREDIRECT Network Map->Client status (Click on icon and panel opens to show Sliders to turn 'Block Internet access' ON/OFF)

VSERVER WAN->Virtual Server / Port Forwarding

etc.

and usually modify the rule entries, but some are only 'activated/managed' by Slider buttons or Radio buttons on the GUI

e.g. Radio Button

SECURITY Firewall->General X Enable DoS protection
 
FUPNP is created by miniupnpd but as far as I know it is not used (VUPNP in the NAT table is though).
 
Thank you Martineau and ColinTaylor for the clarifications.
 
The link below appears to refer to adding user customizations.


1) Using WINSCP, do you create the filenames with no extensions ?

2) Are the scripts added here run after those in the read only firmware ?

3) Is there any way to edit the scripts that come with the firmware ?

4) Where are the scripts in the firmware located ?
 
1) Correct, filenames must be written exactly as specified in the documentation.
2) See the Wiki to understand when each specific script is executed; it depends.
3) There are no scripts in the firmware itself, unless you consider the firmware update script and the USB-modem-related scripts, which are all in flash, and therefore read-only. Everything is in binary form.
 
To modify or remove the default iptables rules, that would have to happen after they run correct ?

You can't modify the source of those rules before they run ?
 
Denna said:
To modify or remove the default iptables rules, that would have to happen after they run correct ?

You can't modify the source of those rules before they run ?

Correct. That's what the nat-start and firewall-start scripts are for: to manipulate the entries as they have just been added to iptables.
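As an added illustration of the point above (this is example code, not Asuswrt-Merlin's own script and not something posted in the thread): a hypothetical /jffs/scripts/firewall-start that edits rules the firmware has already loaded. It assumes the WAN interface is usb0 (as in this thread), a made-up monitoring host 203.0.113.10 that is allowed to ping the router, and an iptables build that supports -C (check); the IPT variable exists only so the functions can be exercised against a stub.

```sh
#!/bin/sh
# Hypothetical /jffs/scripts/firewall-start for Asuswrt-Merlin (added example,
# not firmware code). Merlin runs this after the firmware has built its own
# iptables rules, so everything done here edits rules that already exist.

# iptables binary; a test harness can point this at a stub function.
IPT="${IPT:-iptables}"

# Assumed values (not from the thread): WAN interface and a trusted
# monitoring host (TEST-NET-3 documentation address) that may ping the router.
WAN_IF="${WAN_IF:-usb0}"
MONITOR_IP="${MONITOR_IP:-203.0.113.10}"

# Insert a rule only if an identical one is not already present. firewall-start
# runs again on every WAN reconnect, so an unconditional -I would pile up copies.
# Usage: add_rule_once <table> <chain> <rule spec...>
add_rule_once() {
    table="$1"; shift
    if "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        return 0            # already there, nothing to do
    fi
    "$IPT" -t "$table" -I "$@"
}

# Delete every copy of a rule: -D removes one match per call, so loop until
# -C reports that none is left.
# Usage: del_rule_all <table> <chain> <rule spec...>
del_rule_all() {
    table="$1"; shift
    while "$IPT" -t "$table" -C "$@" 2>/dev/null; do
        "$IPT" -t "$table" -D "$@" || return 1
    done
}

main() {
    # The firmware already appended "-A INPUT -i usb0 -p icmp -m icmp --icmp-type 8 -j logdrop".
    # -I places this ACCEPT ahead of it, so only the monitoring host's pings get through.
    add_rule_once filter INPUT -i "$WAN_IF" -s "$MONITOR_IP" -p icmp --icmp-type 8 -j ACCEPT

    # Removing a default rule outright looks like this (all copies, duplicate-safe).
    # Left commented out: it would make the router answer every ping from the WAN.
    # del_rule_all filter INPUT -i "$WAN_IF" -p icmp -m icmp --icmp-type 8 -j logdrop
}

# Apply only when executed as firewall-start, not when sourced for testing.
case "${0##*/}" in
    firewall-start) main "$@" ;;
esac
```

The -C check is what makes the script safe to re-run: Merlin invokes firewall-start every time the firewall is rebuilt, and -I without a check would insert a fresh copy each time. Ordering matters too; because the firmware's logdrop rule is already in INPUT, a custom exception must be inserted (-I) in front of it rather than appended (-A) behind it.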
 
Below are default rules in the filter table.

Do any of these rules have to do with Android USB tethering ?

-A INPUT -i usb0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A FORWARD -i usb0 -j SECURITY
-A FORWARD -i usb0 -m state --state INVALID -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
 
Denna said:
Below are default rules in the filter table.

Do any of these rules have to do with Android USB tethering ?

-A INPUT -i usb0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A FORWARD -i usb0 -j SECURITY
-A FORWARD -i usb0 -m state --state INVALID -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN

Those have nothing to do specifically with tethering, they are WAN filtering rules put in place because you have the router configured to drop ping packets from WAN, and because you have DoS protection enabled.

You need to read up on iptables if you are going to mess with it - the content of these rules as to what they do is pretty self-explanatory.
 
Does the use of the USB0 interface in iptables rules have to do with sharing a USB device on the network (i.e., NAS) ?
 
Denna said:
Does the use of the USB0 interface in iptables rules have to do with sharing a USB device on the network (i.e., NAS) ?

No, it means you have configured a 3G/4G USB modem as WAN instead of using the Ethernet WAN port.
 