Question about iptables on RT-AC66U (Merlin 380.57)

smcgrath12

Occasional Visitor
Hi, I am trying to understand iptables and I did a dump of the current rules (with no holes through the firewall except for SSH & Router access through the WAN).

One of the lines that I see from my iptables -L command is:

"-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 80 -j ACCEPT".

I understand that this rule targets the FILTER table's INPUT chain. I assume that this rule allows default HTTP access over port 80 to my router's web interface (IP is 192.168.1.1). I did have a couple of questions for this rule.

1. Why is it necessary to put the "-d" and "--dport" switches in this rule? From my reading, doesn't the INPUT chain get invoked ONLY when the target is the local host (in this case, 192.168.1.1)? Wouldn't this rule/chain be invoked automatically because the rule targets the INPUT chain?

2. Shouldn't this rule be locked down with additional "-i br0" in the rule? Meaning, only accept port 80 connections if they are coming from the "protected network"?

Thank you for your time. I have been scouring the web for tutorials/papers on iptables and I have just enough knowledge to be dangerous....
 
1. "Wouldn't this rule/chain be invoked automatically because the rule targets the INPUT chain?"

No. Have a look at the last rule in the INPUT chain, it DROPs everything. So unless there is an earlier rule that explicitly allows traffic it will be dropped.

2. "Shouldn't this rule be locked down with additional "-i br0" in the rule? Meaning, only accept port 80 connections if they are coming from the "protected network"?"

Normally it is, but you have stated that you have allowed access from the WAN: "except for SSH & Router access through the WAN". So it is doing what you asked it to.
 
1. "Wouldn't this rule/chain be invoked automatically because the rule targets the INPUT chain?"

No. Have a look at the last rule in the INPUT chain, it DROPs everything. So unless there is an earlier rule that explicitly allows traffic it will be dropped.

Ok, I saw the last rule in the INPUT chain, it is a DROP and the netfilter will drop all packets that finally hit this rule. But, I am still confused about the "-d" switch, why is it necessary to put it in the INPUT rule above? Does the "-d 192.168.1.1" mean that only traffic that accesses the router WITH THIS IP? So, even though the external WAN ip also points to the router, will it reject that traffic as it has the external ip in its destination? Because the router is multi-homed, it becomes necessary to put the "-d" switch? But, for a plain LAN computer on my protected network with only one IP (with no routing functionality), the "-d" is not necessary? Am I understanding this correctly?

2. "Shouldn't this rule be locked down with additional "-i br0" in the rule? Meaning, only accept port 80 connections if they are coming from the "protected network"?"

Normally it is, but you have stated that you have allowed access from the WAN: "except for SSH & Router access through the WAN". So it is doing what you asked it to.

I forgot to mention that my external WAN access to my router (only over HTTP as it stands now) is over port 999 and not port 80. But I think I understand it now. I see the VSERVER rule in the NAT table that does the DNAT from [external IP]/Port 999 to 192.168.1.1/Port 80. So, this DNAT translation piggybacks on the above INPUT rule to funnel both internal and external traffic using only one rule.
 
@smcgrath12

It's a bit difficult to know absolutely from just one line :rolleyes: but as far as I can tell...

Yes I think you are correct. In this instance the "-d 192.168.1.1" is probably superfluous. Bear in mind that these rules are dynamically generated depending on a multitude of different possible configurations (VPNs, PPPoE, Dual WAN, etc). When faced with such a programming challenge it is usually good practice to be as specific as possible with these things, especially where security is concerned.


"So, even though the external WAN ip also points to the router, will it reject that traffic as it has the external ip in its destination?"

Not exactly. It's rejected just because there is no matching rule to allow it. LAN traffic is allowed because there is a rule that allows everything from interface br0.
 
Thank you for the explanation. My understanding is much clearer now. I do have one more question on 3 more rules in the iptables. Not sure if I need to open another thread, so posting as a followup.

In MANGLE/PREROUTING:

-A PREROUTING -d WAN_IP -i ! eth0 -j MARK --set-mark 0xb400 (R1)

In NAT/POSTROUTING (in correct chain sequence):

-A POSTROUTING -s ! WAN_IP -o eth0 -j MASQUERADE (R2)
-A POSTROUTING -m mark --mark 0xb400 -j MASQUERADE (R3)

So, R1 marks all traffic coming from LAN side destined for WAN.
R2 will do a DNAT on all traffic coming from LAN destined for WAN.
R3 will do a DNAT on all traffic that was marked as per R1.

What is the purpose of R1 & R3? It seems that R2 is sufficient for masquerading purpose. Is there a special case that requires R1 & R3 in the rules and not handled by R2?

Thanks.
 
Sorry, I've never really got my head around the mark/masquerade stuff. I think it's something to do with the NAT loopback.
 
It's the NAT loopback. All traffic destined to your WAN IP but not coming from the WAN gets marked.

Once the traffic is done going through the rest of iptables, it gets masqueraded.
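The following script is an added illustration, not code from the thread or from the Asuswrt-Merlin firewall script. It models the netfilter hook order for the handful of rules quoted above (mangle/nat PREROUTING, the routing decision, filter INPUT/FORWARD, nat POSTROUTING), with first match wins in every chain and an implicit DROP at the end of the filter chains, so that both questions in the thread can be walked through: why a WAN packet to port 999 ends up accepted by the same "-d 192.168.1.1 --dport 80" INPUT rule as LAN traffic (the DNAT runs first), why a WAN packet to port 80 is dropped simply because nothing matches it, and what R1/R3 add over R2. The addresses, the rule order, the extra 8080 port forward to a LAN host and the "-m conntrack --ctstate DNAT" accept in FORWARD are assumptions made for the example; the real ruleset has rules the thread does not quote.

```python
"""Constructed walk-through of the rules quoted in this thread (added example,
not the kernel and not the firmware's firewall script).  Addresses, rule order
and the 8080 port forward are assumptions; only the hooks the thread discusses
are modelled, first match wins, and an empty filter verdict means DROP."""
from dataclasses import dataclass, field

WAN_IP = "203.0.113.7"         # assumed public address (RFC 5737 range)
ROUTER_LAN_IP = "192.168.1.1"  # from the thread
LAN_SERVER = "192.168.1.100"   # assumed LAN host behind a port forward
LOOPBACK_MARK = 0xb400         # from R1/R3 in the thread

@dataclass
class Packet:
    iif: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    mark: int = 0
    dnat: bool = False          # set once nat PREROUTING rewrote the destination
    oif: str = ""
    trace: list = field(default_factory=list)   # (chain, matched rule or None)

# A rule is its iptables switches as dict keys (i/o/s/d/p/dport/mark) plus
# dnat for "--ctstate DNAT".  A leading "!" is the iptables negation.
R1 = dict(d=WAN_IP, i="!eth0", target=("MARK", LOOPBACK_MARK))
R2 = dict(s="!" + WAN_IP, o="eth0", target=("MASQUERADE",))
R3 = dict(mark=LOOPBACK_MARK, target=("MASQUERADE",))
LAN_ACCEPT = dict(i="br0", target=("ACCEPT",))
INPUT_80 = dict(d=ROUTER_LAN_IP, p="tcp", dport=80, target=("ACCEPT",))

MANGLE_PREROUTING = [R1]
NAT_PREROUTING = [  # VSERVER: 999 -> router UI (thread), 8080 -> LAN host (assumed)
    dict(d=WAN_IP, p="tcp", dport=999, target=("DNAT", ROUTER_LAN_IP, 80)),
    dict(d=WAN_IP, p="tcp", dport=8080, target=("DNAT", LAN_SERVER, 8080)),
]
FILTER_INPUT = [LAN_ACCEPT, INPUT_80]          # anything past these hits the final DROP
FILTER_FORWARD = [LAN_ACCEPT, dict(dnat=True, target=("ACCEPT",))]
NAT_POSTROUTING = [R2, R3]
FIELD = {"i": "iif", "o": "oif", "s": "src", "d": "dst", "p": "proto"}

def matches(rule, pkt):
    """True when every match in the rule holds for the packet."""
    for key, want in rule.items():
        if key == "target":
            continue
        have = getattr(pkt, FIELD.get(key, key))
        negate = isinstance(want, str) and want.startswith("!")
        if negate:
            want = want[1:]
        if (have == want) == negate:
            return False
    return True

def run_chain(name, rules, pkt):
    """First matching rule wins; None means the chain was walked to its end."""
    for rule in rules:
        if matches(rule, pkt):
            pkt.trace.append((name, rule))
            return rule["target"]
    pkt.trace.append((name, None))
    return None

def route(dst):
    """Routing decision: the router's own addresses are delivered locally."""
    if dst in (ROUTER_LAN_IP, WAN_IP):
        return "local"
    return "br0" if dst.startswith("192.168.1.") else "eth0"

def walk(pkt, postrouting=NAT_POSTROUTING):
    """Return the verdict; pkt is updated in place with the mark and rewrites."""
    t = run_chain("mangle PREROUTING", MANGLE_PREROUTING, pkt)
    if t and t[0] == "MARK":
        pkt.mark = t[1]
    t = run_chain("nat PREROUTING", NAT_PREROUTING, pkt)
    if t and t[0] == "DNAT":
        pkt.dst, pkt.dport, pkt.dnat = t[1], t[2], True
    pkt.oif = route(pkt.dst)
    if pkt.oif == "local":  # for the router itself: INPUT only, POSTROUTING never runs
        return "ACCEPT" if run_chain("filter INPUT", FILTER_INPUT, pkt) else "DROP"
    if not run_chain("filter FORWARD", FILTER_FORWARD, pkt):
        return "DROP"
    if run_chain("nat POSTROUTING", postrouting, pkt):  # MASQUERADE = egress address
        pkt.src = WAN_IP if pkt.oif == "eth0" else ROUTER_LAN_IP
    return "ACCEPT"

def scenario(iif, src, dst, dport, postrouting=NAT_POSTROUTING):
    pkt = Packet(iif=iif, src=src, dst=dst, dport=dport)
    return walk(pkt, postrouting), pkt

if __name__ == "__main__":
    cases = {
        "LAN -> router UI": ("br0", "192.168.1.50", ROUTER_LAN_IP, 80),
        "WAN -> WAN_IP:999 (DNAT to UI)": ("eth0", "198.51.100.9", WAN_IP, 999),
        "WAN -> WAN_IP:80 (nothing matches)": ("eth0", "198.51.100.9", WAN_IP, 80),
        "LAN -> WAN_IP:8080 (NAT loopback)": ("br0", "192.168.1.50", WAN_IP, 8080),
        "LAN -> Internet": ("br0", "192.168.1.50", "198.51.100.20", 443),
    }
    for label, args in cases.items():
        verdict, pkt = scenario(*args)
        print(f"{label}: {verdict} src={pkt.src} dst={pkt.dst}:{pkt.dport} mark={pkt.mark:#x}")
        for chain, rule in pkt.trace:
            print(f"    {chain}: {rule['target'] if rule else 'end of chain'}")
```

The loopback case is where R1 and R3 earn their keep: a LAN client talking to WAN_IP:8080 is DNATed to the LAN server and leaves on br0, so R2's "-o eth0" never matches. Run the same scenario with only R2 in POSTROUTING and the source stays 192.168.1.50; the server would then answer the client directly on the LAN, and the client, expecting a reply from WAN_IP, would not recognise it. R3 rewrites the source to the router's LAN address so the reply comes back through the router's NAT state. Note also that loopback to the router's own UI (LAN client to WAN_IP:999) is delivered locally after DNAT, so it goes through INPUT and never reaches POSTROUTING at all.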
 