Firewall on Asus RT-N66U

Sebchr

New Around Here
Hello,

My web server was the victim of a SYN flood attack. I expected the firewall of the Asus RT-N66U to filter this attack, but it did not.
So I examined iptables in the router:

Chain FORWARD (policy ACCEPT 2 packets, 125 bytes)
 pkts bytes target prot opt in   out  source    destination
   74 14827 ACCEPT all  --  *    *    0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 DROP   all  --  !br0 eth0 0.0.0.0/0 0.0.0.0/0
    0     0 DROP   all  --  *    *    0.0.0.0/0 0.0.0.0/0 state INVALID
    0     0 ACCEPT all  --  br0  br0  0.0.0.0/0 0.0.0.0/0
    0     0 DROP   icmp --  eth0 *    0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT tcp  --  eth0 *    0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5
    0     0 ACCEPT tcp  --  eth0 *    0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
    0     0 ACCEPT icmp --  eth0 *    0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
    0     0 ACCEPT all  --  *    *    0.0.0.0/0 0.0.0.0/0 ctstate DNAT

eth0 is WAN and br0 is the local network.

Because the policy is "ACCEPT", very few packets are dropped, and the SYN flood is not rejected.

What do you think about the Asus RT-N66U firewall? Why is the policy not set to "DROP"? Is it the same configuration on your router?

Thanks
 
Very few packets will make it there (if any) due to the previous rules.

This is something I did change in my own firmware, where the default policy for the FORWARD chain is "DROP". It required a few additional tweaks to the existing rules if I recall (it's been a long time since I've done this change).
 
I set up your custom firmware asuswrt-Merlin. It is a great firmware! Thank you very much!
I added an iptables rule against SYN flood (I discovered the SYN flood attack was caught by ctstate ESTABLISHED):
# Inserted at position 1 of FORWARD so it runs before the RELATED,ESTABLISHED accept (-I inserts; the -F in the original line would flush the chain)
iptables -I FORWARD 1 -i eth0 -p tcp --syn -m conntrack ! --ctstate NEW -j DROP

Now my router stops the SYN flood attack.

Thank you very much for your job!
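An added audit script, not from the thread or from the firmware, that reads a FORWARD chain listing like the one posted above and reports the two points the replies raise: the ACCEPT policy, and whether a rule dropping WAN SYNs that conntrack does not treat as NEW sits in front of the RELATED,ESTABLISHED accept. The sample listing is reconstructed from the first post; eth0 as the WAN interface and the "! ctstate NEW" listing spelling are assumptions.

```python
import re
# Constructed sample: the FORWARD chain from the first post (iptables -L FORWARD -v -n, rows trimmed).
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT 2 packets, 125 bytes)
 pkts bytes target prot opt in   out  source    destination
   74 14827 ACCEPT all  --  *    *    0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 DROP   all  --  !br0 eth0 0.0.0.0/0 0.0.0.0/0
    0     0 DROP   all  --  *    *    0.0.0.0/0 0.0.0.0/0 state INVALID
    0     0 ACCEPT all  --  br0  br0  0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT tcp  --  eth0 *    0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5
"""
# The last post's rule as it lists once inserted (constructed; "! ctstate NEW" spelling assumed).
SYN_DROP_RULE = "    0     0 DROP   tcp  --  eth0 *    0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 ! ctstate NEW"
WAN = "eth0"  # from the thread: eth0 is WAN, br0 is the LAN bridge

def parse_chain(listing):
    """Return (policy, rules); each rule keeps the -L -v -n columns we audit."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    policy = re.search(r"\(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                  # skip "Chain ..." and the column header
        f = line.split(None, 9)             # pkts bytes target prot opt in out src dst [extra]
        rules.append({"target": f[2], "prot": f[3], "in": f[5],
                      "extra": f[9] if len(f) > 9 else ""})
    return policy, rules

def audit_forward(listing):
    """Flag the two gaps the thread discusses: an ACCEPT policy, and WAN SYNs that hit
    the RELATED,ESTABLISHED accept before any rule can drop them."""
    policy, rules = parse_chain(listing)
    findings = []
    if policy != "DROP":
        findings.append("policy is %s: unmatched traffic is forwarded" % policy)
    est = next((i for i, r in enumerate(rules)
                if r["target"] == "ACCEPT" and "RELATED,ESTABLISHED" in r["extra"]), None)
    syn_drop = next((i for i, r in enumerate(rules)
                     if r["target"] == "DROP" and r["prot"] == "tcp" and r["in"] == WAN
                     and "flags:0x17/0x02" in r["extra"] and "! ctstate NEW" in r["extra"]), None)
    if syn_drop is None:
        findings.append("no rule drops WAN SYNs that conntrack does not classify as NEW")
    elif est is not None and syn_drop > est:
        findings.append("SYN drop rule sits after the RELATED,ESTABLISHED accept, so it never fires")
    return policy, findings

def with_rule(listing, rule, position):
    """Simulate 'iptables -I FORWARD <position>' on a listing (1-based rule position)."""
    lines = listing.splitlines()
    lines.insert(1 + position, rule)        # index 0 is "Chain ...", index 1 is the header
    return "\n".join(lines) + "\n"
```

Run it against a saved `iptables -L FORWARD -v -n` capture to confirm both that the drop rule landed at position 1 and what the chain still forwards by default.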