francisport
New Around Here
Hi there!
I want to reinforce the router security (asus rog ax6000) running with asuswrt-merlin and entware installed.
I have some questions for most of them... specially state NEW and bootps/bootpc:
homeadmin@homerouter:/tmp/home/root# iptables -L INPUT | grep ACCEPT
Chain INPUT (policy ACCEPT)
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere homerouter. ctstate DNAT tcp dpt:8443
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT gre -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
My questions:
Does someone know why they are there?
Does state NEW be needed to allow accepting ssh/https ones?
Why bootps/bootpc entries are there?
In case of tunning, do I have to create a script to run at boot?
I have more doubts for the complex iptables I found, but I want to start with the INPUT table first.
MAY THE FORTH BE WITH YOU
I want to reinforce the router security (asus rog ax6000) running with asuswrt-merlin and entware installed.
I have some questions for most of them... specially state NEW and bootps/bootpc:
homeadmin@homerouter:/tmp/home/root# iptables -L INPUT | grep ACCEPT
Chain INPUT (policy ACCEPT)
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere homerouter. ctstate DNAT tcp dpt:8443
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT gre -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
My questions:
Does someone know why they are there?
Does state NEW be needed to allow accepting ssh/https ones?
Why bootps/bootpc entries are there?
In case of tunning, do I have to create a script to run at boot?
I have more doubts for the complex iptables I found, but I want to start with the INPUT table first.
MAY THE FORTH BE WITH YOU
Last edited: