Using fqdn instead of IP in Asus-Merlin firewall rules

What approach you take would depend on what exactly you're wanting to do.

As you've seen, iptables (which is what the router uses) only processes IP addresses. You can use FQDN when you're generating the rules (assuming name resolution is working at that time), but the names are just translated to fixed IP addresses. If the IP address associated with the FQDN changes it won't be reflected in the firewall rules.

It's a similar problem to that of DDNS servers. That's why the router periodically verifies/registers its IP address with the DDNS provider.
 
Hi,

Thank you for your reply. I'd need to do nslookup on the fqdn, detect change, remove old firewall rule (with old IP), generate firewall rule with new IP. And all this should be done under cron every 10 min.
 
It should be fairly straightforward to do that, although the code might not be that elegant. :D The problem is making it robust enough to not mess up in unforeseen circumstances.

Instead of writing a clever script, how about this approach:

Create a user chain in iptables that hooks into the existing rules at an appropriate point (as determined by your particular requirements). Then, every time the cron job runs you just delete the entire user chain (and probably the hook as well) and recreate them from scratch. You do this whether the FQDN has changed or not.

That way you only have one script (no separate code for startup or initialisation). You don't have to worry about trying to detect whether the IP has changed since it last ran. You don't have to worry about matching the existing rule (which can be problematic). And you don't have to worry about inserting your rule at a particular line number.

Simples.
 
It sounds good, but would this break all active connections at the time of recreation?
 
It's something I considered but without knowing the specifics of the rule you are talking about and what it's for it's hard to say.

If you could insert the iptables "hook" that I referred to at some point after the existing "--state RELATED,ESTABLISHED" rule then it would probably be OK.
 
How about adapting the script below written for ufw to Asus Merlin? It is from the link I gave above.

#!/bin/bash

target_hosts="dynhost.does-not-exist.com another-host.does-not-exist.com"

# Rotate the list of IPs that were allowed on the previous run
if [ -f "/root/dynblock-curr" ]; then
    mv /root/dynblock-curr /root/dynblock-prev
fi

touch /root/dynblock-curr

if [ -f "/root/dynblock-prev" ]; then
    # Remove previously set firewall allows
    for prev_ip in $(cat /root/dynblock-prev); do
        ufw delete allow from "$prev_ip" to any app OpenSSH > /dev/null
    done
fi

for target_host in $target_hosts; do
    # Look up IP per host; test the exit status of host itself, not of cut
    # (in a pipeline $? only reports the last command in the pipe)
    if host_out=$(host "$target_host"); then
        target_ip=$(echo "$host_out" | awk '/has address/ { print $4; exit }')
        echo "$target_ip" >> /root/dynblock-curr
        ufw allow from "$target_ip" to any app OpenSSH > /dev/null
    fi
done
 
Yes I saw that. It's what I meant when I said the code might not be elegant (but that's subjective).

Something similar would probably work if tailored to your needs. But again, without knowing the specifics of what you're doing it's difficult to progress it any further.
 
Let's say there are five incoming ssh connections from the internet going through the Asus Merlin into my LAN. The sources themselves are behind Asus routers with DDNS client enabled, so that the fqdn will be updated with current IP.

I want to update my firewall rules for these five sources, but without unnecessarily disrupting other active connections. Actually, preferably, I'd recreate the rule only for the source whose IP has changed, so that other ssh sessions would not be affected. My knowledge of iptables is quite limited, please give details about hooking a user chain satisfying the requirements.

Besides the script, other steps are needed, such as storing the script and running it under cron. I'm interested in putting together all the steps.
 
By "hook" I mean inserting an iptables rule into the existing rules at a particular point which, if it matches the traffic you're interested in, jumps to your user chain.

Here is an example that creates a user chain and inserts a hook to it as rule 3 of the FORWARD chain.

iptables -N MYCHAIN
iptables -A MYCHAIN -j LOG --log-prefix "MYCHAIN "

iptables -I FORWARD 3 -i eth0 -p tcp -m tcp --dport 22 -j MYCHAIN


Here's a starting point on the wiki about user scripts and cron (hint: use cru).

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
https://github.com/RMerl/asuswrt-merlin/wiki/Scheduled-tasks-(cron-jobs)
 
Here's a rough script I knocked up that might help you get started.

The idea is that you setup port forwarding for SSH from all sources in the router's web interface, and then use iptables to filter out the ones you don't want to let through.
Code:
#!/bin/sh

logger -t $(basename $0) "Filtering SSH access"

# Remove the existing filter (if it exists)
iptables -D FORWARD -i eth0 -p tcp -m tcp --dport 22 -j filterSSH 2>/dev/null
iptables -F filterSSH 2>/dev/null
iptables -X filterSSH 2>/dev/null

# Hook into the FORWARD chain
iptables -N filterSSH
iptables -I FORWARD -i eth0 -p tcp -m tcp --dport 22 -j filterSSH

# (Re-)create the filter
iptables -A filterSSH -s myfqdn1 -j RETURN
iptables -A filterSSH -s myfqdn2 -j RETURN
iptables -A filterSSH -s myfqdn3 -j RETURN
iptables -A filterSSH -s myfqdn4 -j RETURN
iptables -A filterSSH -s myfqdn5 -j RETURN
iptables -A filterSSH -j DROP
You'll have to change myfqdn1-5 to be your FQDNs.
 