[SOLVED] Doubt about custom iptables script


nikkoaki

Occasional Visitor
Greetings,

My problem: i have a chromecast and recently some people found a way to abuse them since they open several ports to the outside. Google's answer to that was "the chromecast is working correctly, the problem is that your router is misconfigured, you need to disable upnp and the problem will be fixed"
Since i don't want to create several dozen port-forwarding rules for all the computers and devices in my network, disabling upnp is out of the question (i'm not saying upnp is safe, i'm saying that asking people who know nothing about computers to disable that feature to fix a problem that's on google's side will cause way more headaches, since they don't inform them that if they disable it, they will need to manually open the ports themselves). And since i (pretty much) trust my devices and the ports they open, it's easier to just create some rules on the router's firewall to block the ports the chromecast uses (8008, 8009 and 8443).

I made the script and i confirmed that it is running. My question is: is it possible to make the rule so that it only affects a specific internal ip (chromecast's ip), so if in the future if need to use those ports with another device, they will work without the need of me deleting the rule?

What i have now is:
Code:
#!/bin/sh

# Marker lines: the syslog entry and the touched file show that the script ran
logger "Regra iptables Block Chromecast"
touch /tmp/000firewall-start
# Drop forwarded traffic to the Chromecast ports, TCP and UDP, for every LAN
# host (the -I puts each rule at the top of FORWARD, ahead of any ACCEPT)
iptables -I FORWARD -p tcp --dport 8008 -j DROP
iptables -I FORWARD -p udp --dport 8008 -j DROP
iptables -I FORWARD -p tcp --dport 8009 -j DROP
iptables -I FORWARD -p udp --dport 8009 -j DROP
iptables -I FORWARD -p tcp --dport 8443 -j DROP
iptables -I FORWARD -p udp --dport 8443 -j DROP

Can i use "iptables -I FORWARD -p tcp --dport 8008 -d 192.168.2.105 -j DROP"? Does the destination IP in this line work the way i ask? I know a certain port can only be forwarded to one ip address at the same time. But with the -d flag, can i for example run a program on my computer that uses port 8008 and it will actually work because it has a different ip from the chromecast?

Thanks in advance
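An added example of the host-scoped variant the question asks about, written for this page and not taken from nikkoaki's post or from the firmware. It assumes 192.168.2.105 is the Chromecast's DHCP-reserved address, that the firmware passes the WAN interface name as the script's first argument when it runs firewall-start, and that the router's iptables supports `-C` (check). The point it demonstrates: in FORWARD a port-forwarded packet has already been DNATed, so `-d <internal ip>` matches the LAN host the port was forwarded to and other hosts using 8008/8009/8443 are not affected. It also restricts the drop to packets arriving on the WAN interface and avoids stacking duplicate rules each time the firewall is rebuilt.

```shell
#!/bin/sh
# Added example: /jffs/scripts/firewall-start that drops WAN traffic forwarded
# to one LAN host's cast ports, leaving 8008/8009/8443 usable for other hosts.
# Assumptions: 192.168.2.105 is the Chromecast's DHCP-reserved address and the
# firmware passes the WAN interface name as $1 when it runs firewall-start.

CHROMECAST_IP=${CHROMECAST_IP:-192.168.2.105}
PORTS="8008 8009 8443"

# rule_spec <wan_if> <proto> <port> <ip>
# Prints the chain and match for one rule. FORWARD sees a port-forwarded
# packet after DNAT, so -d matches the internal host it was forwarded to,
# not the router's WAN address; -i <wan_if> leaves LAN-originated traffic alone.
rule_spec() {
    printf 'FORWARD -i %s -p %s -d %s --dport %s -j DROP' "$1" "$2" "$4" "$3"
}

# ensure_rule <wan_if> <proto> <port> <ip>
# firewall-start is re-run whenever the firewall is rebuilt; a bare -I would
# stack a duplicate rule on each run, so insert only when -C says it is absent.
ensure_rule() {
    spec=$(rule_spec "$@")
    # shellcheck disable=SC2086  # word splitting of $spec is intended
    iptables -C $spec 2>/dev/null || iptables -I $spec
}

main() {
    wan_if=$1
    logger "firewall-start: dropping cast ports to $CHROMECAST_IP from $wan_if"
    for port in $PORTS; do
        for proto in tcp udp; do
            ensure_rule "$wan_if" "$proto" "$port" "$CHROMECAST_IP"
        done
    done
}

# Only touch the firewall when the firmware calls us with the WAN interface name.
if [ -n "$1" ]; then
    main "$1"
fi
```

Reserve the Chromecast's address in the DHCP server first; a rule keyed on an IP that can change is no protection. After the firewall has been rebuilt, `iptables -L FORWARD -n --line-numbers | head` should show the six DROP rules once each at the top of the chain, however many times the script has run.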
 
I have never seen any UPnP port forwards coming from my Shield TV (with built-in Chromecast support). If you are positive they are done through UPnP, you could set the Chromecast to a static DHCP lease, then configure miniupnpd to reject UPnP requests coming from that IP.

Make a copy of the /etc/upnp/config file to /jffs/configs/ . Enable Custom script support under System -> Administration.

Locate the first line in that file that contains an allow statement, and just before that insert:

Code:
deny 0-65535 192.168.99.99 0-65535

(replace 192.168.99.99 with the Chromecast's IP).

Then restart the service:

Code:
service restart_upnp
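The steps above as one script, added here as an example; it is not part of RMerlin's post or of the firmware. It assumes the stock file is /etc/upnp/config, that the firmware reads the override as /jffs/configs/upnp (the filename, not `config`, as the thread later establishes), that `service restart_upnp` restarts miniupnpd as shown above, and that busybox awk is available. The `deny <ext ports> <int address> <int ports>` and `allow` syntax is the one from the post. The script inserts the deny just before the first allow line because miniupnpd uses the first permission rule that matches a request, so a deny placed after the LAN-wide allow would never be reached; it also refuses to add the same deny twice.

```shell
#!/bin/sh
# Added example: generate /jffs/configs/upnp from the stock miniupnpd config,
# with a deny rule for one LAN host inserted before the first allow rule.
# Assumes the stock file is /etc/upnp/config, that the firmware reads the
# override from /jffs/configs/upnp, and that busybox awk is available.

SRC=${UPNP_SRC:-/etc/upnp/config}
DST=${UPNP_DST:-/jffs/configs/upnp}

# add_deny <config-file> <ip>
# Prints the config with "deny 0-65535 <ip> 0-65535" placed just before the
# first allow line. miniupnpd uses the first permission rule that matches a
# request, so a deny after the LAN-wide allow would never be reached.
# Idempotent: if that deny already precedes the first allow it is not added again.
add_deny() {
    awk -v ip="$2" '
        $1 == "deny" && $3 == ip && $2 == "0-65535" && $4 == "0-65535" { seen = 1 }
        $1 == "allow" && !done {
            if (!seen) print "deny 0-65535 " ip " 0-65535"
            done = 1
        }
        { print }
    ' "$1"
}

# install_deny <ip>: write the override atomically, then restart miniupnpd
install_deny() {
    add_deny "$SRC" "$1" > "$DST.tmp" && mv "$DST.tmp" "$DST" && service restart_upnp
}

# Constructed sample config (not a router's real file) so the transform can
# be checked off the router with:  sh upnp-deny.sh --demo
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        'deny 1588 0.0.0.0/0 0-65535' \
        'allow 1-65535 192.168.2.1/255.255.255.0 1024-65535' \
        'min_lifetime=120' \
        'deny 0-65535 0.0.0.0/0 0-65535' > "$tmp"
    add_deny "$tmp" 192.168.2.105
    rm -f "$tmp"
}

case "$1" in
    --demo) demo ;;
    "") ;;                    # no argument: only define the functions
    *) install_deny "$1" ;;   # e.g. sh upnp-deny.sh 192.168.2.105
esac
```

Give the Chromecast a static DHCP lease before relying on this, since the deny is keyed on its address. After the restart, a request from that host is refused while the `allow` for the rest of the LAN still applies, and any mapping that does get created shows up under System Log -> Port Forwarding.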
 
If you are positive they are done through UPnP

I haven't tried it myself, but thousands of chromecasts were hacked a couple of months ago and the hacker specifically said that they are opening those ports to the public with upnp, google's official statement advised people to turn off upnp.
Anyway, i didn't know you could actually deny requests on miniupnp from a specific ip. Thanks a lot.
 
Ok i seem to have another problem now.
Every time i restart miniupnp, the config file seems to revert to the default one.
I have custom scripts on. I made a copy of /etc/upnp/config to /jffs/configs/
Used nano to edit the file -> saved it -> opened it again just to be sure it saved (it did) -> restarted miniupnp -> opened the config file again and the line i added is missing

This is how it looks now:

Code:
deny 1588 0.0.0.0/0 0-65535
deny 1195 0.0.0.0/0 0-65535
deny 1195 0.0.0.0/0 0-65535
allow 1-65535 192.168.2.1/255.255.255.0 1024-65535
min_lifetime=120
max_lifetime=86400

deny 0-65535 0.0.0.0/0 0-65535

Not only is my line missing, but is the "deny 0-65535 0.0.0.0/0 0-65535" supposed to be there? I don't remember if it was in the first place, but doesn't that line deny every port to all IPs?

EDIT:
but doesn't that line deny every port to all IPs?
Forget about this, i guess they are in order of importance and the allow line takes precedence.
 
I take it you're referring to this (and the linked reddit thread).

Despite what people were speculating at the time (not helped by Google's statements) it appears the Chromecast doesn't use UPnP to forward any ports. From that we can only assume that the ports in question have been forwarded by some other device. Other people were vaguely blaming a "poor implementation of UPnP" on some routers.

I suspect that merely by enabling UPnP Secure Mode on the router and having up-to-date anti-virus on your PCs you can mitigate this.
 
ColinTaylor, thank you for the explanation. I did indeed use the ShieldsUP port scanner with the chromecast on and they came out "stealth". However, since this is my parents' house and i'm not always here, i will feel safer by actually blocking it in miniupnp like RMerlin mentioned. It won't do any harm and i'll sleep better at night.
Anyway, it seems that every time i restart miniupnp, the config file returns to default and the line i added gets deleted. I tried stopping the service first and then make the changes but it didn't help.
 
The copied file needs to be renamed upnp instead of config.

Well, duh, i'm stupid. When i read "make a copy", i thought it was in case something went wrong, so i'd have the original config file to put back. I have been trying to edit /etc/upnp/config all this time :rolleyes:
It's working now, thanks a bunch.
 
Any port forwarded through UPnP will appear on the System Log -> Port Forwarding page. If the application supports it (through NAT-PMP), you can even get the name of the application creating it.
 
Any port forwarded through UPnP will appear on the System Log -> Port Forwarding page. If the application supports it (through NAT-PMP), you can even get the name of the application creating it.

Good tip, i actually never gave much attention to the other tabs, only the general log. Thanks.
 