Request for Help: Introduction to Firewall (iptables) config to increase 32 rule limit

kadlugan

New Around Here
Hi All,

RE: Could someone please explain the specific steps, and what code I need to add/change in asuswrt-merlin, in order to use iptables or another approach to increase my stock firewall 32 rule limit.

I am a newbie regarding the use of asuswrt-merlin. I have the stock asuswrt firmware (RT-AC68U) currently, but I am considering using Merlin to provide better firewall configuration. This is because I have hit the 32 inbound whitelist limit in the asuswrt > Network Services Filter configs. I have my firewall set to whitelist things like (e.g. http, tcp, ssl, sftp, facetime, git, etc.). I assume I am doing the right thing by adding them in as a whitelist.

My current whitelist rules in the Network Services Filter look like the following:
Source IP - Port Range - Destination IP - Port Range - Protocol
blank - blank - blank - 80 - TCP
blank - blank - blank - 443 - TCP
blank - blank - blank - 2268:2297 - UDP (e.g. made up)
etc.

However, I haven't yet been able to find a really clear and simple explanation of how to extend the existing firewall limit in these forums or elsewhere using asuswrt-merlin. I keep getting to explanations that are too complex or specific around certain issues for what I need.

From my understanding I can configure more rules if I install asuswrt-merlin and get my hands dirty with iptables config.

I have read this page: https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips. What else I have tried is looking at the source code on GitHub, and the help pages there and elsewhere; I have looked at using fwbuilder to make rules, and I have tried to understand iptables but am not sure where they need to be configured, etc.

What would be great if someone can explain:
  1. The steps to increase the 32 rule limit (using iptables or another approach) and a full example of what files I need to add/change in asuswrt-merlin
  2. If possible, some suggestions of good tutorial resources to improve my firewall security using asuswrt-merlin.
I don't mind if you point me to existing conversations or web content to explain how to do this. I don't mind if you suggest a method to install a plugin to help, or provide an example file i need to modify.

Thanks in advance.
 
Why are you feeling the need to whitelist things specifically?
The normal firewall setup isn't going to let anything in by default anyway unless your LAN devices have initiated a connection thanks to NAT.

 
As the other poster says, what is it you are actually trying to achieve by whitelisting all of these services?

- to allow them to traverse from WAN to LAN? Use a VPN, or port forwarding?
- to allow them LAN to WAN? Not needed, handled by NAT
- you want to prevent *all* outbound traffic apart from that which you've whitelisted? Probably not, as you mention inbound.
 
I would agree with what @JDB and @Andyf66 have said in that if you really need to whitelist every possible service then perhaps you need to rethink your approach.

That said, if you do need to do it that way then the simple answer is to install Merlin's firmware, for two reasons: 1) stock firmware won't allow you to create custom iptables rules, and 2) Merlin's firmware allows you to have 128 firewall rules instead of 32.
 
Thanks for the replies @Andyf66, @JDB and @ColinTaylor.

I now realise what I was doing wrong. Thanks.

The NSF is for LAN to WAN traffic. Makes sense. I used to have a Billion router where you could specify ports to enable for WAN to LAN and I just thought this was the same.

So how does the default installed firewall work? You mentioned that the firewall won't let anything in unless devices have initiated, thanks to NAT.

My thinking was I just didn't want all my ports open to just any program. For instance, close down telnet in favour of SSH, or port forward SSH or other services to a different port so it's not listening on a standard port. Are you saying NAT does this?

Also, is there a way to make my router even more secure against intrusion (e.g. malware, etc.) or is the default firewall pretty good?

If you can post any links for further reading to help me understand this that would be great.
 
All incoming traffic will be dropped by default unless the port has been specifically opened by the application (or forwarded in the router's webUI). This is true for both the router and the LAN clients. For LAN clients NAT provides an additional layer of security because any unsolicited incoming traffic cannot be forwarded because the router has no way of knowing which client to send it to.
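As an added illustration that is not part of the thread and not asuswrt-merlin's own code: the kind of custom iptables rules Merlin's firmware permits (mentioned earlier in the thread), written as a user script in the firewall-start convention (assumed name and path), expressing the default-drop and NAT behaviour described in the reply above. The interface names, the LAN subnet and the chain name CUSTOM_IN are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from asuswrt-merlin itself. Written in the
# style of a Merlin user script (assumed path: /jffs/scripts/firewall-start). It puts the
# reply above into iptables terms: unsolicited inbound traffic is already dropped, so a
# custom script only needs to tighten management access and make the drops visible.
WAN_IF="${WAN_IF:-eth0}"              # assumed WAN interface name
LAN_IF="${LAN_IF:-br0}"               # assumed LAN bridge name
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN subnet

# Every rule passes through "$1": use "echo" to preview, "eval" to apply on the router.
router_rules() {
    run="$1"
    # Own chain, flushed on re-run so a firewall restart does not duplicate rules.
    $run "iptables -F CUSTOM_IN 2>/dev/null || iptables -N CUSTOM_IN"
    # Replies to flows the router (or, via NAT, a LAN client) started are accepted.
    $run "iptables -A CUSTOM_IN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Management only from the LAN: SSH from the LAN subnet, never SSH/telnet from the WAN.
    $run "iptables -A CUSTOM_IN -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    $run "iptables -A CUSTOM_IN -i $WAN_IF -p tcp --dport 22 -j DROP"
    $run "iptables -A CUSTOM_IN -i $WAN_IF -p tcp --dport 23 -j DROP"
    # Log new connection attempts from the WAN (rate-limited) so they show up in the syslog.
    $run "iptables -A CUSTOM_IN -i $WAN_IF -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix 'WAN_NEW: '"
    # Hand everything else back to the stock rules, whose default is DROP.
    $run "iptables -A CUSTOM_IN -j RETURN"
    # Hook the chain at the top of INPUT (remove an earlier hook first to stay idempotent).
    $run "iptables -D INPUT -j CUSTOM_IN 2>/dev/null; iptables -I INPUT 1 -j CUSTOM_IN"
}

# Number of iptables invocations the script makes (handy when comparing with web UI entries).
rule_count() { router_rules echo | wc -l | tr -d ' '; }

case "${1:-preview}" in
    apply)   router_rules eval ;;
    preview) router_rules echo ;;
esac
```

Run it with no argument to preview the commands, or with `apply` on the router; the LOG lines can then be checked with the router's syslog.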