
Firewall scripts in Thibor

Discussion in 'HyperWRT Firmware' started by Moosh, Apr 19, 2007.

  Moosh (Network Guru Member):


    I am just trying my first iptables scripts and loaded one based on James Stephens' simple ruleset at


    I left out

    iptables -F
    iptables -X
    iptables -Z

    and the module loading:

    # Load appropriate modules.
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    and had to leave out, because it would not work:

    # Make sure that IP forwarding is turned off. We only want this for a
    # multi-homed host.
    /bin/echo "0" > /proc/sys/net/ipv4/ip_forward

    I must have default DROP as I recently found Spytech and realtime spy on my PC, complete with keylogs and screenshots, so I am paranoid, to say the least.
    Can I simply add the ipt rules to the script and then be able to flush the original ipt rules? Main fear is locking myself out once I commit if I edit the ipt or firewall.sh file.

    Here's the root/usr/tmp/ipt:

    :OUTPUT ACCEPT [0:0]
    -I PREROUTING -i br0 -j MARK --set-mark 256
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i vlan1 -d -j DROP
    -A PREROUTING -p icmp -d x.x.x.x -j DNAT --to-destination
    -A PREROUTING -d x.x.x.x -j TRIGGER --trigger-type dnat
    -A POSTROUTING -o br0 -s -d -j MASQUERADE
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    :logreject - [0:0]
    :trigger_out - [0:0]
    :lan2wan - [0:0]
    :grp_1 - [0:0]
    :advgrp_1 - [0:0]
    :grp_2 - [0:0]
    :advgrp_2 - [0:0]
    :grp_3 - [0:0]
    :advgrp_3 - [0:0]
    :grp_4 - [0:0]
    :advgrp_4 - [0:0]
    :grp_5 - [0:0]
    :advgrp_5 - [0:0]
    :grp_6 - [0:0]
    :advgrp_6 - [0:0]
    :grp_7 - [0:0]
    :advgrp_7 - [0:0]
    :grp_8 - [0:0]
    :advgrp_8 - [0:0]
    :grp_9 - [0:0]
    :advgrp_9 - [0:0]
    :grp_10 - [0:0]
    :advgrp_10 - [0:0]
    :grp_11 - [0:0]
    :advgrp_11 - [0:0]
    :grp_12 - [0:0]
    :advgrp_12 - [0:0]
    :grp_13 - [0:0]
    :advgrp_13 - [0:0]
    :grp_14 - [0:0]
    :advgrp_14 - [0:0]
    :grp_15 - [0:0]
    :advgrp_15 - [0:0]
    :grp_16 - [0:0]
    :advgrp_16 - [0:0]
    :grp_17 - [0:0]
    :advgrp_17 - [0:0]
    :grp_18 - [0:0]
    :advgrp_18 - [0:0]
    :grp_19 - [0:0]
    :advgrp_19 - [0:0]
    :grp_20 - [0:0]
    :advgrp_20 - [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p icmp -j logdrop
    -A INPUT -p igmp -j logdrop
    -A INPUT -j logdrop
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1461: -j TCPMSS --set-mss 1460
    -A FORWARD -i vlan1 -o br0 -j TRIGGER --trigger-type in
    -A FORWARD -i br0 -j trigger_out
    -A FORWARD -i br0 -j lan2wan
    -A FORWARD -i br0 -m state --state NEW -j logaccept
    -A FORWARD -j logdrop
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logreject -p tcp -m tcp -j REJECT --reject-with tcp-reset

    How do they conflict with the script? I also noticed the same files (root/usr/tmp) under root/tmp/... Does it matter which one I edit with SCP (the firewall.sh, that is)? Because there seems to be a maximum number of lines in the web firewall script page.

    Oh, the edits to the ruleset:

    changed the interface from eth0 to vlan1
    and added some stuff for NNTP and SSH and limiting SMTP (only I can still connect with another NNTP server). Basically I added:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o br0 -p udp -d --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s --dport 22 -m state --state NEW -j logaccept
    iptables -A INPUT -p udp -s --sport 67 -j logaccept
    iptables -A OUTPUT -p udp -d --dport 67 --sport 68 -j logaccept
    iptables -A OUTPUT -o vlan1 -p udp -s 212.*.*.* --dport 123 -j logaccept
    iptables -A OUTPUT -o vlan1 -p tcp --dport 25 --dst 195.*.*.0/16 -m state --state NEW,ESTABLISHED -j logaccept
    iptables -A INPUT -i vlan1 -p tcp --sport 110 -m state --state ESTABLISHED -j logaccept
    iptables -A OUTPUT -o vlan1 -p tcp --dport 110 --dst 195.129.*0/16 -m state --state NEW,ESTABLISHED -j logaccept
    iptables -A INPUT -i vlan1 -p tcp --sport 119 -m state --state ESTABLISHED -j logaccept
    iptables -A OUTPUT -o vlan1 -p tcp --dport 119 --dst 140.*.*.*/16 -m state --state NEW,ESTABLISHED -j logaccept
    iptables -A INPUT -i vlan1 -p tcp --sport 119 -j logdrop
    iptables -A OUTPUT -o vlan1 -p tcp --dport 119 -j logdrop

    ... is my modem, router is ...; the modem passes the WAN IP to the WRT. Logging is mainly for debugging.
    Lot of Qs, so if someone can point me in the direction of where I can learn from scratch, I'd be grateful. Just started to read Andreasson, but that's a lot to get through.
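Added example, not from Moosh's post and not part of the Thibor firmware: a small POSIX sh helper for exactly the lockout fear above. It lints a ruleset in iptables-save format for the two things a default-DROP INPUT chain must have (an ESTABLISHED,RELATED accept, so the SSH session you are typing in survives, and a rule admitting new connections to port 22, so you can get back in), saves the running rules, loads the new file, and starts a watchdog that restores the saved rules unless confirm_rules is run within ROLLBACK_SECONDS. It assumes iptables-save and iptables-restore exist on the router (both can be pointed elsewhere through the IPTABLES_SAVE and IPTABLES_RESTORE variables); the marker-file names under STATE_DIR and the function names are this example's own.

```shell
#!/bin/sh
# Added example: apply an iptables ruleset with a rollback watchdog so a
# mistake in a default-DROP script cannot lock you out over SSH.
# Assumptions (not from the original post): iptables-save/iptables-restore
# are available, or IPTABLES_SAVE/IPTABLES_RESTORE name replacements;
# STATE_DIR is writable; the ruleset file is in iptables-save format.

IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
ROLLBACK_SECONDS=${ROLLBACK_SECONDS:-90}
STATE_DIR=${STATE_DIR:-/tmp}

# Lint a ruleset before loading it. If INPUT has a DROP policy, the file must
# accept ESTABLISHED,RELATED traffic (or the SSH session you are typing in
# dies) and accept new connections to port 22 somewhere (or you cannot get
# back in). Returns 0 if safe, 1 with a reason otherwise.
lint_ruleset() {
    f=$1
    if grep -q '^:INPUT DROP' "$f"; then
        grep -Eq '^-A INPUT .*--(state|ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) .*-j ACCEPT' "$f" ||
            { echo "lint: INPUT policy DROP but no ESTABLISHED,RELATED accept"; return 1; }
        grep -Eq '^-A INPUT .*--dport 22 .*-j (ACCEPT|logaccept)' "$f" ||
            { echo "lint: INPUT policy DROP but no rule admitting SSH (port 22)"; return 1; }
    fi
    echo "lint: ok"
    return 0
}

# Save the running rules, load the new file, and start a watchdog that puts
# the saved rules back unless confirm_rules is run in time.
apply_with_rollback() {
    rules=$1
    backup=$STATE_DIR/ipt.backup
    confirm=$STATE_DIR/ipt.confirmed
    rm -f "$confirm" "$STATE_DIR/ipt.rollback"
    lint_ruleset "$rules" || return 2
    "$IPTABLES_SAVE" > "$backup" || { echo "could not save running rules"; return 1; }
    if ! "$IPTABLES_RESTORE" < "$rules"; then
        echo "load failed; the old rules are still active"
        return 1
    fi
    # Watchdog in the background: check once a second for the confirmation
    # marker; when the deadline passes without it, restore the old rules and
    # leave a note so the next login shows what happened.
    (
        i=0
        while [ "$i" -lt "$ROLLBACK_SECONDS" ]; do
            sleep 1
            [ -e "$confirm" ] && exit 0
            i=$((i + 1))
        done
        "$IPTABLES_RESTORE" < "$backup"
        echo "rolled back to saved rules at $(date)" > "$STATE_DIR/ipt.rollback"
    ) &
    echo "new rules loaded; run confirm_rules within ${ROLLBACK_SECONDS}s or they are reverted"
    return 0
}

# Keep the new rules: the watchdog sees this marker on its next check and exits.
confirm_rules() {
    : > "$STATE_DIR/ipt.confirmed"
}

# Typical use on the router (paths are assumed):
#   . ./ipt-rollback.sh
#   apply_with_rollback /tmp/new.rules    # then open a second SSH session to check
#   confirm_rules
```

Source it in an SSH session, run apply_with_rollback on the new file, and open a second SSH session; if that works, run confirm_rules, and if it does not, the old rules are back within ROLLBACK_SECONDS and STATE_DIR/ipt.rollback records it. The lint is deliberately narrow: it only recognises an INPUT rule with a literal `--dport 22` ending in ACCEPT or logaccept, so a ruleset that admits SSH some other way is refused and has to be loaded by hand.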

