1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

firewall not firewalling

Discussion in 'Tomato Firmware' started by foobar_foo, Oct 14, 2009.

  1. foobar_foo

    foobar_foo Addicted to LI Member

    Hi all,

    New to tomato and having some issues. I kinda though that the router would block all WAN->LAN traffic other than established/related stuff (unless the server was in the DMZ) but it seems not to be the case.

    If I drop the windows firewall on one of my boxes and nmap it from teh internets it's bent right over with it's trousers down.

    I have a /28 and not using nat, any help on how to resolve this would be much appreciated.
     
  2. rhester72

    rhester72 Network Guru Member

    You are certain that DMZ is *not* enabled? I've never seen this. You are right, by default (unless you enable UPNP/NAT-PMP), *no* ports are forwarded or accepted from the WAN.

    Rodney
     
  3. mstombs

    mstombs Network Guru Member

    In "router" and not "gateway" mode the iptables configured "nat packet filter firewall" is not active - that has been been reported elsewhere, lots of other core functionality is also disabled.

    I'm sure you can add custom rules to the firewall script.
     
  4. foobar_foo

    foobar_foo Addicted to LI Member

    Yep, thats what's happening. Just can't seem to get these firewall rules right though.

    I've added a rule that allows established/related, then a rule that drops anything coming in on ppp0 destined for my /28 but still my nmap shows open ports on boxes behind the router.

    Basically, I've added this via the web interface:

    /usr/sbin/iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    /usr/sbin/iptables -I INPUT -i ppp0 -d <My/28> -j DROP

    Clearly these rules are incorrect. Any suggestions?
     
  5. Toastman

    Toastman Super Moderator Staff Member Member

    I think that the last line will be inserted above the first if pasted into firewall box - as when it is read -I inserts each line at the top ... is that the problem?
     
  6. foobar_foo

    foobar_foo Addicted to LI Member

    Hmm, possibly. I'm not in a position to reverse them at the moment but I will do later.

    Having said that... wouldn't this mean that the very first rule in the input chain would be to deny everything coming in on ppp0 so I'd have no traffic able to get in at all?
     
  7. ntest7

    ntest7 Network Guru Member

    Reverse the order of these two lines.
     
  8. foobar_foo

    foobar_foo Addicted to LI Member

    Ok, I've done this but still I seem to be open to the world :(
     
  9. foobar_foo

    foobar_foo Addicted to LI Member

    This just doesnt make sense :confused:

    iptables -L shows:

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    DROP 0 -- anywhere <My/28>

    Which im pretty sure is exactly what I need but I'ts just not being applied.

    There are a few other rules in the INPUT chain that follow those but they should never be reached.

    Am I just missing something fundamental here?
     
  10. mstombs

    mstombs Network Guru Member

    INPUT is only for connections to the router, you need to use FORWARD if you are protecting your machines on the LANside with Internet IP addresses. I don't know how much connection tracking works when you are not using NAT. If you want to firewall everything one solution is 1-to-1 NAT, which would associate one external IP addresses with 1 internal IP address - but I guess would need a lot of custom commands in nat PREROUTING and POSTROUTING.
     
  11. foobar_foo

    foobar_foo Addicted to LI Member

    Bingo! That's exactly what was wrong. Thanks very much :)
     

Share This Page