firewall-script problems after upgrading from RT-AC68U_380.58_0 to RT-AC68U_380.63_0


spikehome

Regular Contributor
Hello,

My firewall script is not working any more after upgrading from firmware RT-AC68U_380.58_0.
A while back I had the same problem, so I went back to the 380.58_0 firmware, but now that is not possible.
I use a firewall-start script in my jffs with the lines:

Code:
#!/bin/sh
touch /tmp/@@@services-start
# Router-local services: allow one outside IP to reach the web GUI (5445) and SSH (22)
/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 5445 -j ACCEPT
/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 22 -j ACCEPT
# Port forwards to LAN hosts: VSERVER is the firmware's port-forwarding chain in the nat table
/usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 80 -j DNAT --to 172.16.X.X:80
/usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 8080 -j DNAT --to 172.16.X.X:80
/usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 8081 -j DNAT --to 172.16.X.X:80
/usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 5000 -j DNAT --to 172.16.X.X:5000
/usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 5001 -j DNAT --to 172.16.X.X:5001
/usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 6789 -j DNAT --to 172.16.X.X:6789

What is wrong?

In my logs I see the script is running.

The first two lines are to give direct access to my router from a specified outside IP on port 5445 and SSH (22):
Code:
/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 5445 -j ACCEPT
/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 22 -j ACCEPT
Those are the two rules I cannot get to work!

The other rules are working.
 
Do you have any error if you run these commands directly over SSH?
 
No errors, but no open ports


I also changed the other rules.
Here is my firewall-start:
Code:
#!/bin/sh
touch /tmp/@@@services-start

#webaccess 5445 router
/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 5445 -j ACCEPT
#/usr/sbin/iptables -A INPUT -s X.X.X.X -i eth0 -p tcp -m state --state NEW -m tcp -d 172.16.X.X --dport 5445 -j ACCEPT
#end webaccess 5445 router

#ssh access router
/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 22 -j ACCEPT
#/usr/sbin/iptables -A INPUT -s X.X.X.X -i eth0 -p tcp -m state --state NEW -m tcp -d 172.16.X.X --dport 22 -j ACCEPT
#end ssh access router

#pvlogger front port forwarding
#old /usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 8080 -j DNAT --to 172.16.X.X:80
/usr/sbin/iptables -t nat -A PREROUTING -s X.X.X.X -p tcp --dport 8080 -j DNAT --to-destination 172.16.X.X:80
#end pvlogger front

#pvlogger rear port forwarding
#old /usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 8081 -j DNAT --to 172.16.X.X:80
/usr/sbin/iptables -t nat -A PREROUTING -s X.X.X.X -p tcp --dport 8081 -j DNAT --to-destination 172.16.X.X:80
#end pvlogger rear

#domoticz portforwarding
#old /usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 8082 -j DNAT --to 172.16.X.X:8080
#old /usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 222 -j DNAT --to 172.16.X.X:22
/usr/sbin/iptables -t nat -A PREROUTING -s X.X.X.X -p tcp --dport 8082 -j DNAT --to-destination 172.16.X.X:8080
/usr/sbin/iptables -t nat -A PREROUTING -s X.X.X.X -p tcp --dport 222 -j DNAT --to-destination 172.16.X.X:22
#end domoticz portforwarding

#synology nas portforwarding
#old /usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 80 -j DNAT --to 172.16.X.X:80
#/usr/sbin/iptables -t nat -A PREROUTING -s X.X.X.X -p tcp --dport 80 -j DNAT --to-destination 172.16.X.X:80
#old /usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 5000 -j DNAT --to 172.16.X.X:5000
#/usr/sbin/iptables -t nat -A PREROUTING -s X.X.X.X -p tcp --dport 5000 -j DNAT --to-destination 172.16.X.X:5000
#old /usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 5001 -j DNAT --to 172.16.X.X:5001
#/usr/sbin/iptables -t nat -A PREROUTING -s X.X.X.X -p tcp --dport 5001 -j DNAT --to-destination 172.16.X.X:5001
#old /usr/sbin/iptables -t nat -I VSERVER -p tcp -m tcp -s X.X.X.X --dport 6789 -j DNAT --to 172.16.X.X:6789
/usr/sbin/iptables -t nat -A PREROUTING -s X.X.X.X -p tcp --dport 6789 -j DNAT --to-destination 172.16.X.X:6789
#end synology nas forwarding
 
Make sure you use the correct WAN IP, and that you aren't double NATed.
 
These rules are not working.
I tried both of them, placing a # before one to test the other.
Also tested over SSH:
flushed all the rules (iptables -F), then typed (pasted) the rules and looked at the rules (iptables -h).
I get no error message and it seems to look good, but it is not working :(

#webaccess 5445 router
#/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 5445 -j ACCEPT
#/usr/sbin/iptables -A INPUT -s X.X.X.X -i eth0 -p tcp -m state --state NEW -m tcp -d 172.16.X.X --dport 5445 -j ACCEPT
#end webaccess 5445 router

#ssh access router
#/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 22 -j ACCEPT
#/usr/sbin/iptables -A INPUT -s X.X.X.X -i eth0 -p tcp -m state --state NEW -m tcp -d 172.16.X.X --dport 22 -j ACCEPT
#end ssh access router

Neither of the access rules works; I tried it with one port first, of course.
The lines now have a # in front because they won't work.
 
Is the service running on your router or another machine on your LAN? Because the two rules are totally different, one is pointing at a machine on your LAN rather than on the router itself. If that's the case, the rule must go in the FORWARD chain, not in the INPUT chain.
 
Running on my router.
The SSH port and web config are configured on the other port.
The first one was the old one that worked with the old firmware.
The second rule I also tried now with the new firmware, and it is also not working.
 
Really nobody who uses access from a specified IP?
I don't want to open the ports to the whole world.
 
Your rules are giving universal access to those ports. Change as follows (order matters, don't change it)

#webaccess 5445 router
#/usr/sbin/iptables -I FORWARD -s X.X.X.X -p tcp --destination-port 5445 -j DROP
#/usr/sbin/iptables -I FORWARD -s X.X.X.X -i eth0 -p tcp -m tcp -d 172.16.X.X --dport 5445 -j ACCEPT
#end webaccess 5445 router

#ssh access router
#/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 22 -j DROP
#/usr/sbin/iptables -I INPUT -s X.X.X.X -i eth0 -p tcp -m tcp -d 172.16.X.X --dport 22 -j ACCEPT
#end ssh access router

EDIT: Also took out the state check, since you are inserting at the top of the chain, you need to accept all states.

EDIT2: Changed the rules for port 5445.....it looks like you are going to a device on your network, and not your router.
 
Thanks.
This weekend I'm not home,
but tomorrow I will test it.
I'll let you know if it works.
 

I tested your changes, but they are not working.

OK, here is what I want:
First, the access port of my Asus is 5445, so I want to reach that from the internet from a specified address.
Before the update I used the rule:
Code:
#webaccess 5445 router
# ALLOW is not an iptables target; ACCEPT is the intended one
/usr/sbin/iptables -I FORWARD -s X.X.X.X -p tcp --destination-port 5445 -j ACCEPT
#end webaccess 5445 router
And after the update I also tried:
Code:
#webaccess 5445 router
/usr/sbin/iptables -I FORWARD -s X.X.X.X -i eth0 -p tcp -m tcp -d 172.16.X.X --dport 5445 -j ACCEPT
#end webaccess 5445 router
Neither works; same for the SSH port (22).

And I tested it with both rules in the order you said:
Code:
#webaccess 5445 router
/usr/sbin/iptables -I FORWARD -s X.X.X.X -p tcp --destination-port 5445 -j DROP
/usr/sbin/iptables -I FORWARD -s X.X.X.X -i eth0 -p tcp -m tcp -d 172.16.X.X --dport 5445 -j ACCEPT
#end webaccess 5445 router

The X.X.X.X must be the IP I want to access from.
The 172.16.X.X is the internal IP of the router.
 
Those rules should work....
after you set up the rules, try to access those services from your desired allowed address, then append the output of

iptables -nvL
 

I don't understand.
Here are the rules, with an example IP:

#webaccess 5445 router
/usr/sbin/iptables -I FORWARD -s 23.100.2.100 -p tcp --destination-port 5445 -j DROP
/usr/sbin/iptables -I FORWARD -s 23.100.2.100 -i eth0 -p tcp -m tcp -d 172.16.1.1 --dport 5445 -j ACCEPT
#end webaccess 5445 router

The first rule drops access to port 5445.
The second rule should give access and is inserted after the first one, so that rule would be applied.
But why should I enter the first one?
I tried the rule:
iptables -D INPUT -i eth0 -p tcp -m tcp --dport 5445 -j ACCEPT
so the port must be open for everyone.
Still not working.
iptables -nvL output:
Code:
admin@RT-AC68U:/tmp/home/root# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1216 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5445
    0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
    5   232 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
 136K   29M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  349 17854 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
33403 3351K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 171K   35M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
 6934 2372K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp !type 8
 3033  150K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

edit:
I test the commands from an SSH session, and I have a session from the specified IP, so I can test it.
If it is not working I delete the rule with the -D option.
 
The first rule drop acces to the port 5445
The second rule want to give access and is inserted after the first one so the rule would be applied
But why is should enter the first one?
iptables rules are executed in order from first to last. When you insert (-I) a rule, it gets inserted at the top of the chain. Therefore the rules are actually executed in the reverse order that you enter them. Here's the final script to use; edit the addresses as appropriate (I did see an error I missed, in that you don't include the source address in the drop rule).

Code:
#!/bin/sh

#webaccess 5445 router
/usr/sbin/iptables -I FORWARD -i eth0 -p tcp --destination-port 5445 -j DROP
/usr/sbin/iptables -I FORWARD -s 23.100.2.100 -i eth0 -d 172.16.0.1 -p tcp -m tcp --dport 5445 -j ACCEPT
#end webaccess 5445 router

#ssh access router
/usr/sbin/iptables -I INPUT -i eth0 -p tcp --destination-port 22 -j DROP
/usr/sbin/iptables -I INPUT -s 23.100.2.100 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#end ssh access router

This will give an iptables output that looks like this. The first rule ACCEPTs the packets you want, the second rule drops everything else for that port. (iptables -nvL)
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       23.100.2.100         0.0.0.0/0            tcp dpt:22
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  374 16166 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 536K  697M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 3946  257K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
 ...


Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       23.100.2.100         172.16.0.1           tcp dpt:5445
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID
 240K   46M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 ...
 

Err I could be wrong, but doesn't the firmware 380.63 GUI option for SSH access (LAN or LAN+WAN) alter the way SSH (dropbear) is started:

Code:
LAN only
dropbear -p 22 -i br0

vs
Code:
LAN+WAN
dropbear -p 192.168.1.1:22 -a -j -k

So, provided dropbear is listening on ALL interfaces, to restrict SSH to only a single IP address, do the two rules now work? Or would inserting a single INPUT chain rule such as:

Code:
DROP       tcp  --  eth0   *       !23.100.2.100            0.0.0.0/0            tcp dpt:22

grant the required access?

EDIT: Thanks @john9527 for spotting my typo! :oops:
 
I did what you told me.
And I see the lines in my iptables -nvL output,
but these lines were there before too, when I added the rules.
Also tried with INPUT instead of FORWARD.
And tried it with the SSH port.
But I could not make a connection from the specified address.
 
Err I could be wrong, but doesn't the firmware 380.63 GUI option for SSH access (LAN or LAN+WAN) alter the way SSH (dropbear) is started:
Good point, I forgot about that change (but I think you have them reversed....the start with br0 is just listening on the internal LAN).

For @spikehome, you need to make sure you have WAN access for SSH enabled on the Administration page. Then you should find the firewall rule that's added by the firmware and delete it, but inserting the rules as shown should supersede that rule.
 
OK, WAN SSH access was disabled, like before with the old firmware.
But I have to enable WAN access for the GUI (5445) too.
Will test it tomorrow morning.
Gone now, and late back home.
 

IT WORKS!!!

Thanks to Martineau, who saw the first problem.
And thanks to john9527.


Right, the solution was indeed to allow SSH access from LAN and WAN in the GUI.

And give access to the GUI (enable web access from WAN) in the GUI.


With these two enabled, the whole world could connect to the ports,
so I added the following lines in the firewall-start:
Code:
#webaccess 5445 router
/usr/sbin/iptables -I INPUT -i eth0 -p tcp --destination-port 5445 -j DROP
/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 5445 -j ACCEPT
#end webaccess 5445 router

#ssh access router
/usr/sbin/iptables -I INPUT -i eth0 -p tcp --destination-port 22 -j DROP
/usr/sbin/iptables -I INPUT -s X.X.X.X -p tcp --destination-port 22 -j ACCEPT
#end ssh access router
The X.X.X.X is the outside IP address.
iptables with FORWARD won't work, so it had to be INPUT.

Tested, it works.
Tried to connect from other IP addresses, and no connection.
Exactly what I wanted.

Strange that the web GUI config overrules iptables,
and that no one else has found this issue.

Problem solved.
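
As an added example for this thread (my own, not spikehome's final script nor john9527's), here is how I would write the firewall-start hook that john9527's ordering explanation and the final working post converge on: the GUI and SSH run on the router itself, so the rules go in INPUT; because -I prepends, the DROP is inserted first and the ACCEPT second so that the chain is evaluated ACCEPT (allowed source) then DROP (everyone else); and every existing copy of a rule is purged first so the script can be re-run without stacking duplicates. Assumed and editable: allowed source 23.100.2.100 (the example address used in the thread), WAN interface from $1 (Merlin passes the WAN interface name to firewall-start) or eth0 otherwise, ports 5445 and 22. DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start
# Added example for this thread, not spikehome's or john9527's script.
# Assumed values (hypothetical, edit for your setup): allowed source
# 23.100.2.100, WAN interface eth0, router-local ports 5445 (web GUI) and 22 (SSH).
# Set DRY_RUN=1 to print the iptables commands instead of running them.

ALLOWED_SRC="${ALLOWED_SRC:-23.100.2.100}"
WAN_IF="${WAN_IF:-eth0}"
PORTS="${PORTS:-5445 22}"
IPT="${IPT:-/usr/sbin/iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        "$IPT" "$@"
    fi
}

# Delete every existing copy of a rule so re-running firewall-start does not
# stack duplicates. -C exits 0 for as long as a matching rule exists.
purge_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        return 0
    fi
    while "$IPT" -C "$@" 2>/dev/null; do
        "$IPT" -D "$@"
    done
}

# Restrict one router-local TCP port to ALLOWED_SRC. The services live on the
# router, so the rules belong in INPUT (FORWARD only sees traffic routed to LAN
# hosts). -I prepends: insert the DROP first and the ACCEPT second, and the
# chain is then evaluated ACCEPT (allowed source) before DROP (everyone else).
restrict_port() {
    port="$1"
    # Hygiene: enabling WAN access in the GUI makes the firmware add its own
    # open-to-all ACCEPT (the "tcp dpt:5445" rule in the thread's iptables -nvL
    # output). Our rules sit above it anyway, but drop it if present.
    purge_rule INPUT -i "$WAN_IF" -p tcp -m tcp --dport "$port" -j ACCEPT
    purge_rule INPUT -i "$WAN_IF" -p tcp --dport "$port" -j DROP
    purge_rule INPUT -i "$WAN_IF" -s "$ALLOWED_SRC" -p tcp --dport "$port" -j ACCEPT
    ipt -I INPUT -i "$WAN_IF" -p tcp --dport "$port" -j DROP
    ipt -I INPUT -i "$WAN_IF" -s "$ALLOWED_SRC" -p tcp --dport "$port" -j ACCEPT
}

main() {
    # Prefer the WAN interface name the firmware passes in over the default.
    if [ -n "$1" ]; then
        WAN_IF="$1"
    fi
    for p in $PORTS; do
        restrict_port "$p"
    done
}

# Apply only when running as the firewall-start hook; sourcing the file for
# inspection or testing defines the functions without touching the firewall.
case "${0##*/}" in
    firewall-start) main "$@" ;;
esac
```

After a firewall restart, check with `iptables -nvL INPUT` that for each port the ACCEPT for the allowed source sits directly above the DROP for the same port and that the firmware's open-to-all ACCEPT is gone. As the thread found, none of this matters until WAN access for the service is enabled on the Administration page; with it disabled the daemons are not reachable from the WAN side at all. Martineau's single-rule variant, `-I INPUT -i eth0 ! -s 23.100.2.100 -p tcp --dport 22 -j DROP`, also works, but it relies on the firmware's own ACCEPT further down the chain to admit the allowed source; the two-rule form keeps the accept explicit and its packet counter separate.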
 
