
IP Tables rules

Discussion in 'Tomato Firmware' started by paped, Jun 20, 2013.

  1. paped

    paped LI Guru Member

    Hi,
    I have done quite a bit of searching and trying different iptables rules, but I am struggling to get something working.

    My set-up is that I have a bridged modem on VLAN1 with the subnet and masquerade rules in the WRT54GL, so I can access the modem from my network fine via a browser to its web interface (modem 192.168.2.1, WRT54GL [VLAN1] 192.168.2.2). However, what I would like to do is allow the modem's syslog to be sent to a PC connected to an ethernet port of the WRT (hence eth0/vlan0) which has an IP address of 192.168.1.5, and also NTP traffic to keep the clock up to date to go to the internet (ppp0).

    However, neither works natively when set up in the modem, so I assume that I need some form of iptables rules to allow these 2 traffic types to get from the modem to where they need to go, but I cannot seem to work out what is needed, or at least the correct context for the firewall scripts.

    In summary from what I have read I need to:
    1. NTP traffic (port 123) to be allowed from VLAN1 to PPP0 (Internet)
    2. Syslog traffic (port 514) to be allowed from VLAN1 to either VLAN0, ETH0 or the specific PC address of 192.168.1.5 - I think any one of those options would work?
    3. Leave everything else blocked from VLAN1 as it appears to be now - I assume the rules for the above would do this anyway - as it would effectively be DENY all, allow just the rules above by exception?
    Any thoughts or has anybody done something similar and could give me a pointer to what the rules should look like for this?

    Using Shibby 109EN version of Tomato.

    Much appreciated and thanks in advance for any help given...

    Paped
     
  2. Bird333

    Bird333 Network Guru Member

    I'm not sure what device you want contacting the NTP servers. Can you clarify that? Telnet/SSH into the router and try this command
    Code:
    /usr/sbin/iptables -t nat -I PREROUTING -p tcp -i vlan1 -d 192.168.2.0/24 --dport 514 -j DNAT --to-destination 192.168.1.5:514
    I am assuming that this traffic is TCP. It may be necessary to add a 'forward' rule also, but let's start with this.
     
  3. paped

    paped LI Guru Member

    Thank you for the reply will try it when I get home tonight....

    For clarity, both the syslog and the NTP requirements are from the bridged modem, via the WRT54GL and then to 192.168.1.5 for syslog and the internet for NTP (probably 0.uk.pool.ntp.org or a similar address).

    Basically I am trying to get remote syslog working, as I am having intermittent DSL problems so need to understand what is happening to the modem DSL connection itself rather than the PPPoE which the router sees. But to keep the log files I need to store the syslog inside my network (on the PC running a syslog server), as I often have to reboot the router/modem to restart the DSL link and get access to the modem, so the log files on the modem are lost with the reboot.
    Secondly, the time on the modem slips quite a bit, hence the NTP requirement, so the time is kept in sync and shown correctly in the syslog files from the modem, which allows me to tie the logs together.
     
  4. Bird333

    Bird333 Network Guru Member

    Well for the time issue I would just specify the server you want to use in the router gui and then point your PC to the router for its time. Are you sure the modem is sending log data to 192.168.2.2?
     
  5. Monk E. Boy

    Monk E. Boy Network Guru Member

    I assume you've created static routes on the modem so it knows to send traffic to the WRT54GL instead of its default gateway when attempting to send packets to non-local subnets?
     
  6. paped

    paped LI Guru Member

    Just to clarify the above points and the current installation....

    The current set-up is:
    WRT54-GL with Shibby tomato version 109EN
    The modem is actually a Thomson TG585 router, using a script supplied by my ISP to turn it into a bridge modem (turns wifi off, sets up ethernet switch port 4 as the bridge port which connects to the WRT54-GL)
    I then have the IP addressing setup as per the original post.

    Regarding the default gateway/routing, I have added 2 static routes which have a gateway of 192.168.2.2 (the VLAN address for the WRT54-GL router); one static route is for the range 192.168.1.0/24, the second is for any other address and is for 0.0.0.0/0, i.e. a default route. From the testing outlined below this appears to be working, as I am getting traffic hitting the WRT54-GL and being dropped in the log file.

    One thing I have noticed since the original post is that there was no DNS set up on the TG585, so I have added the server address as both the actual WRT54-GL DNS address which is used for my PC/tablet/mobile phone etc., but for testing I have also included the 192.168.2.2 gateway VLAN1 IP address, in case I need to forward to that and then DNAT it.

    Regarding the suggested firewall line of
    /usr/sbin/iptables -t nat -I PREROUTING -p tcp -i vlan1 -d 192.168.2.0/24 --dport 514 -j DNAT --to-destination 192.168.1.5:514

    I added this but could not get the syslog to work, mainly because of the DNS issue above (but I did try the IP address directly, which also did not work - it gets to the WRT54-GL and is dropped). As such, for the DNS elements I added the above line and changed it to port 53 and UDP, as this allows me to test it more easily using a manual DNS lookup command on the TG585. Each time I did a lookup I could see that the WRT54-GL was receiving but dropping the traffic for each of the DNS server IP addresses set up within the TG585. I also tried the line with the -d IP address range updated to 192.168.1.0 and the same happened. On the internet I found a "FORWARD" line for a DNS entry, thinking that I may need a FORWARD as well, and again for each IP address the WRT54-GL sees the traffic from VLAN1 but drops it; it correctly sees the source/destination address which matches the rule but drops it. The only thing in the log file that looks a little odd is the MAC= address, as I assume that this should be a standard MAC address from a length perspective but it seems to be twice as long, as if 2 MAC addresses are being added together somehow. Hence from what I can see the rule(s) should allow the traffic, and in theory the above line for syslog and the amended UDP/port 53 version for DNS should both work, but the traffic is dropped?
     
  7. Bird333

    Bird333 Network Guru Member

    Telnet/SSH into the router and post the results of these two commands: iptables -L -nv -t nat & iptables -L -nv. Please use the Code tags around the output to make it easier to read.
     
  8. paped

    paped LI Guru Member

    Hi, apologies for the delay busy weekend.

    Also needed to get OpenVPN and my VoIP working again, so I have rebuilt the router as it was before I reset it due to the DSL issue; the downside is that this has changed the IP addressing as follows (I have adjusted the above rules in this post and applied them to the router accordingly)

    Code:
    Vlan1 is now 192.168.70.0/30
    LAN (Vlan0) is now 192.168.77.0/26
     
    Individual device IP's are now:
    Modem - 192.168.70.1
    Router (vlan1) - 192.168.70.2
    Router (LAN DNS/DHCP) - 192.168.77.62
    PC (syslog "server") - 192.168.77.50
    The modem then has 2 DNS servers installed, as I am not sure which it would use: 192.168.70.2, the interface address of vlan1 on the router, and 192.168.77.62, the actual DNS server IP address. I am using the DNS rule as the test point here as I can easily generate DNS traffic from the modem to see log file output.

    The WRT54GL has the following init/firewall scripts:

    Code:
    Init script:
    sleep 5
    ip addr add 192.168.70.2/30 dev vlan1 brd +
     
    Firewall script:
    /usr/sbin/iptables -I POSTROUTING -t nat -o vlan1 -d 192.168.70.0/30 -j MASQUERADE
    /usr/sbin/iptables -t nat -I PREROUTING -p tcp -i vlan1 -d 192.168.70.0/30 --dport 514 -j DNAT --to-destination 192.168.77.50:514
    /usr/sbin/iptables -t nat -I PREROUTING -p udp -i vlan1 -d 192.168.70.0/30 --dport 53 -j DNAT --to-destination 192.168.77.62:53
    /usr/sbin/iptables -t nat -I PREROUTING -p udp -i vlan1 --dport 123 -j DNAT -o ppp0
    The log files on the router for the DNS traffic show multiple drops for both DNS addresses (192.168.70.2 & 192.168.77.62) - this appears to be a total packet loss as DNS is not working on the modem, with the following errors:

    Code:
    Jun 25 16:53:14 WRT54GL-RT user.warn kernel: DROP IN=vlan1 OUT= MAC=00:16:b6:ed:f3:d0:00:26:44:80:f3:79:08:00:45:00:00:3f SRC=192.168.70.1 DST=192.168.77.62 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=63501 PROTO=UDP SPT=1051 DPT=53 LEN=43
     
    Jun 25 16:53:14 WRT54GL-RT user.warn kernel: DROP IN=vlan1 OUT= MAC=00:16:b6:ed:f3:d0:00:26:44:80:f3:79:08:00:45:00:00:3f SRC=192.168.70.1 DST=192.168.70.2 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=63502 PROTO=UDP SPT=1051 DPT=53 LEN=43
    The IP tables output requested above (by Bird333) is:
    Note: For security I have replaced the WAN IP address where noted with xxx.xx.xxx.xx

    Code:
    Command - iptables -L -nv -t nat
     
    Chain PREROUTING (policy ACCEPT 68561 packets, 12M bytes)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:1194
    2989  570K WANPREROUTING  all  --  *      *      0.0.0.0/0            xxx.xx.xxx.xx (WAN IP - full address was shown)
        0    0 DROP      all  --  ppp0  *      0.0.0.0/0            192.168.77.0/26 
        0    0 DNAT      udp  --  *      *      192.168.77.0/26    !192.168.77.0/26    udp dpt:53 to:192.168.77.62
    2988  569K upnp      all  --  *      *      0.0.0.0/0            xxx.xx.xxx.xx (WAN IP - full address was shown)
     
    Chain POSTROUTING (policy ACCEPT 5674 packets, 721K bytes)
    pkts bytes target    prot opt in    out    source              destination     
      198  9504 MASQUERADE  all  --  *      vlan1  0.0.0.0/0            192.168.70.0/30 
    13490 1517K MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0       
        0    0 MASQUERADE  all  --  *      vlan1  0.0.0.0/0            192.168.70.1   
    3978  452K SNAT      all  --  *      br0    192.168.77.0/26      192.168.77.0/26    to:192.168.77.62
     
    Chain OUTPUT (policy ACCEPT 12401 packets, 1358K bytes)
    pkts bytes target    prot opt in    out    source              destination     
     
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.77.62
        0    0 DNAT      udp  --  *      *      217.10.79.23        0.0.0.0/0          udp dpts:8000:8012 to:192.168.77.58
        0    0 DNAT      udp  --  *      *      217.10.79.23        0.0.0.0/0          udp dpts:16384:16482 to:192.168.77.59
        1  987 DNAT      udp  --  *      *      217.10.79.23        0.0.0.0/0          udp dpt:5160 to:192.168.77.58:5160
        0    0 DNAT      udp  --  *      *      217.10.79.23        0.0.0.0/0          udp dpt:5260 to:192.168.77.58:5260
        0    0 DNAT      udp  --  *      *      217.10.79.23        0.0.0.0/0          udp dpt:5060 to:192.168.77.59:5060
        0    0 DNAT      udp  --  *      *      217.10.68.152        0.0.0.0/0          udp dpt:10000 to:192.168.77.59:10000
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:192.168.77.1:443
        0    0 DNAT      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:1195 to:192.168.77.61:1195
        0    0 DNAT      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:1194 to:192.168.77.62:1194
     
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination    
    Code:
    Command - iptables -L -nv :
     
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 ACCEPT    all  --  tun21  *      0.0.0.0/0            0.0.0.0/0       
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:1194
        5  896 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    7433  745K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        4  184 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
        2  120 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:23 state NEW
      17  1071 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0       
    66086  15M ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0       
    1022 36792 ACCEPT    2    --  *      *      0.0.0.0/0            224.0.0.0/4     
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            224.0.0.0/4        udp dpt:!1900
    9423  968K logdrop    all  --  *      *      0.0.0.0/0            0.0.0.0/0       
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 ACCEPT    all  --  tun21  *      0.0.0.0/0            0.0.0.0/0       
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0       
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    14982  865K TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    321K  70M restrict  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0       
    320K  70M monitor    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0       
    620K  239M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        1  987 wanin      all  --  ppp0  *      0.0.0.0/0            0.0.0.0/0       
    12275 1579K wanout    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0       
    12473 1588K ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0       
        0    0 upnp      all  --  ppp0  *      0.0.0.0/0            0.0.0.0/0       
     
    Chain OUTPUT (policy ACCEPT 34496 packets, 6682K bytes)
    pkts bytes target    prot opt in    out    source              destination     
     
    Chain logdrop (20 references)
    pkts bytes target    prot opt in    out    source              destination     
    9268  939K LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW limit: avg 1/sec burst 5 LOG flags 7 level 4 prefix `DROP '
    9495  974K DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0       
     
    Chain logreject (0 references)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          limit: avg 1/sec burst 5 LOG flags 7 level 4 prefix `REJECT '
        0    0 REJECT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
     
    Chain monitor (1 references)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 RETURN    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          WEBMON --max_domains 50 --max_searches 1
     
    Chain rdev01 (0 references)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 logdrop    all  --  *      *      0.0.0.0/0            0.0.0.0/0          MAC 00:23:CC:74:78:B0
        0    0 logdrop    all  --  *      *      0.0.0.0/0            0.0.0.0/0          MAC 00:24:1E:23:F8:8D
     
    Chain restrict (1 references)
    pkts bytes target    prot opt in    out    source              destination     
    321K  70M rres00    all  --  *      *      0.0.0.0/0            0.0.0.0/0       
     
    Chain rres00 (1 references)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 logdrop    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          ipp2p v0.8.1_rc1 --ipp2p
        0    0 logdrop    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          ipp2p v0.8.1_rc1 --ipp2p
        0    0 logdrop    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport ports 113,135,137,138,139,712
      72  5616 logdrop    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport ports 113,135,137,138,139,712
        0    0 logdrop    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto msnmessenger
        0    0 logdrop    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto msnmessenger
        0    0 logdrop    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto netbios
        0    0 logdrop    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto netbios
        0    0 logdrop    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto msn-filetransfer
        0    0 logdrop    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto msn-filetransfer
        0    0 logdrop    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto ident
        0    0 logdrop    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto ident
        0    0 logdrop    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport ports 5800:5810,5900:5910
        0    0 logdrop    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport ports 5800:5810,5900:5910
        0    0 logdrop    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto vnc
        0    0 logdrop    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto vnc
     
    Chain shlimit (2 references)
    pkts bytes target    prot opt in    out    source              destination     
        6  304            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
        0    0 logdrop    all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 300 hit_count: 4 name: shlimit side: source
     
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination     
     
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination     
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            224.0.0.0/4     
        0    0 ACCEPT    udp  --  *      *      217.10.79.23        192.168.77.58      udp dpts:8000:8012
        0    0 ACCEPT    udp  --  *      *      217.10.79.23        192.168.77.59      udp dpts:16384:16482
        1  987 ACCEPT    udp  --  *      *      217.10.79.23        192.168.77.58      udp dpt:5160
        0    0 ACCEPT    udp  --  *      *      217.10.79.23        192.168.77.58      udp dpt:5260
        0    0 ACCEPT    udp  --  *      *      217.10.79.23        192.168.77.59      udp dpt:5060
        0    0 ACCEPT    udp  --  *      *      217.10.68.152        192.168.77.59      udp dpt:10000
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.77.1        tcp dpt:443
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.77.61      udp dpt:1195
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.77.62      udp dpt:1194
     
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination  
     
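    An added example (not from any post in this thread, nor Tomato's own code) that parses the kernel DROP lines quoted above: it splits the "twice as long" MAC= field, checks that its tail is the start of the IPv4 header, and says whether an ACCEPT for each dropped flow belongs in INPUT (destination is an address the router itself owns) or FORWARD. The router-owned addresses and the sample lines are taken from the post; the generated rule strings are suggestions to review, restricted to the observed source, destination and port.

```python
"""Decode Tomato/netfilter 'DROP' log lines and classify each dropped flow."""
import re

# Constructed sample: the two DROP lines quoted in the thread.
SAMPLE_LOG = """\
Jun 25 16:53:14 WRT54GL-RT user.warn kernel: DROP IN=vlan1 OUT= MAC=00:16:b6:ed:f3:d0:00:26:44:80:f3:79:08:00:45:00:00:3f SRC=192.168.70.1 DST=192.168.77.62 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=63501 PROTO=UDP SPT=1051 DPT=53 LEN=43
Jun 25 16:53:14 WRT54GL-RT user.warn kernel: DROP IN=vlan1 OUT= MAC=00:16:b6:ed:f3:d0:00:26:44:80:f3:79:08:00:45:00:00:3f SRC=192.168.70.1 DST=192.168.70.2 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=63502 PROTO=UDP SPT=1051 DPT=53 LEN=43
"""
# Addresses owned by the WRT54GL itself (vlan1 side and LAN side), from the post.
ROUTER_ADDRS = {"192.168.70.2", "192.168.77.62"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_fields(line):
    """Return the KEY=VALUE pairs after 'kernel:' as a dict.
    The first LEN= (IP total length) wins; the second is the UDP length."""
    fields = {}
    for key, val in FIELD_RE.findall(line.split("kernel: ", 1)[1]):
        fields.setdefault(key, val)
    return fields


def decode_mac(mac_field):
    """Split the MAC= dump. The kernel logs hard_header_len bytes from the
    frame start; on a VLAN interface that is 18, and because the 802.1Q tag
    has already been stripped, the four bytes after the 0x0800 ethertype are
    the first four bytes of the IP header (version/IHL, TOS, total length)."""
    octets = mac_field.split(":")
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "".join(octets[12:14]),
        "trailing": octets[14:],  # bytes past the Ethernet header, if any
    }


def classify(fields, router_addrs=ROUTER_ADDRS):
    """Chain a matching ACCEPT would need, plus a source/destination-restricted rule."""
    chain = "INPUT" if fields["DST"] in router_addrs else "FORWARD"
    proto = fields["PROTO"].lower()
    rule = (f"iptables -A {chain} -i {fields['IN']} -p {proto} -s {fields['SRC']} "
            f"-d {fields['DST']} --dport {fields['DPT']} -j ACCEPT")
    return chain, rule


def analyse(log_text, router_addrs=ROUTER_ADDRS):
    """Parse every DROP line; return (src, dst, proto, dport, chain, rule, mac_ok) tuples."""
    results = []
    for line in log_text.splitlines():
        if "DROP" not in line:
            continue
        f = parse_fields(line)
        mac = decode_mac(f["MAC"])
        tail = mac["trailing"]
        # Sanity check: the tail is an IPv4 header whose total length equals LEN=.
        mac_ok = (mac["ethertype"] == "0800" and len(tail) >= 4
                  and tail[0].startswith("4")
                  and int("".join(tail[2:4]), 16) == int(f["LEN"]))
        chain, rule = classify(f, router_addrs)
        results.append((f["SRC"], f["DST"], f["PROTO"], f["DPT"], chain, rule, mac_ok))
    return results


if __name__ == "__main__":
    for src, dst, proto, dport, chain, rule, ok in analyse(SAMPLE_LOG):
        print(f"{src} -> {dst} {proto}/{dport}: needs {chain}; MAC field sane={ok}")
        print("   ", rule)
```

Both quoted drops are addressed to the router itself, so they need INPUT, which is why DNS to the router's own resolver kept failing while DNS to an internet server (a FORWARD case) later worked.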
  9. Bird333

    Bird333 Network Guru Member

    Add this to your firewall rules
    Code:
    /usr/sbin/iptables -t nat -I FORWARD -p tcp -d 192.168.70.50 --dport 514 -j ACCEPT
     
  10. mstombs

    mstombs Network Guru Member

    syslog is broadcast UDP, default port 514; it's connectionless, so if the log server is not listening messages just get lost - the sender doesn't bother with retries etc. (especially the classic log message crash ": cannot send log message to YYY"...)
     
  11. Bird333

    Bird333 Network Guru Member

    OP, based on what mstombs just posted. Change the rule to this
    Code:
    /usr/sbin/iptables -t nat -I FORWARD -p udp -d 192.168.70.50 --dport 514 -j ACCEPT
    Also change your prerouting rule to '-p udp'.
     
  12. paped

    paped LI Guru Member

    Tried the above rules combo, but for some reason I was still getting the drops and the odd very long MAC address in the error output.

    However, I have played some more and managed to get the DNS and NTP working; also I think the rules for syslog are sorted, but it's not working yet as the modem's syslog server seems to have a problem.

    For reference what I have done is:

    NTP - I am using a server within my network, but I would have thought that an external server would also work (not tested). The rules I have used are:

    Code:
    # Modem NTP Allow
    /usr/sbin/iptables -A INPUT -p udp -s 192.168.70.0/30 --dport 123 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p udp -s 192.168.70.0/30 --dport 123 -j ACCEPT
    DNS - I have used the following rules and DNS works, but I have found that I need to use an internet-based ISP DNS server rather than the router's internal DNS server.

    Code:
    # Modem DNS Allow
    /usr/sbin/iptables -A INPUT -p udp -s 192.168.70.0/30 --dport 53 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p udp -s 192.168.70.0/30 --dport 53 -j ACCEPT
    Syslog - The rules are as follows. As above, this is not working yet, but it seems to be a problem with the modem's syslog server not sending the data rather than a rules problem.

    Code:
    # Modem Syslog Allow
    /usr/sbin/iptables -A INPUT -p udp -s 192.168.70.0/30 --dport 514 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p udp -s 192.168.70.0/30 --dport 514 -j ACCEPT
    Obviously these rules do not limit by destination but do limit by source and port; the destination used appears to be the actual addresses input into the modem itself, i.e. the DNS address in the modem DNS client set-up, the NTP address in the NTP client set-up etc.

    Thought I would post my solution and hopefully this info may help others.

    Thank you for your help, you certainly got me on the right track....
     
  13. Monk E. Boy

    Monk E. Boy Network Guru Member

    INPUT is only used if the service is running directly on the router itself. Otherwise the INPUT table is bypassed.

    There is also the WANPREROUTING chain hanging on the NAT table that affects WAN traffic. I think port forwarding adds entries to it.

    Basically what you need to do is create some port forwards, find all the iptables entries related to those port forwards, then create similar but modified rules so you're not blanket allowing all internet devices to access your syslog server, etc.
     
  14. paped

    paped LI Guru Member

    I may have got confused here then, as I am only allowing traffic from 192.168.70.0/30, which is VLAN1 on my WAN interface and hence is an internal network? As the internet is PPPoE on my router, hence uses interface ppp0, my modem only terminates the DSL link and the router via ppp0 controls the internet connection, logs in to the ISP etc. So with VLAN1 having a private 192 address space I thought that they were on the same physical interface but logically separate, kind of 2 separate VLANs as such?

    With it all working thought I had it sorted.... :(

    Thanks for the additional info will comment them out and reboot tonight and have another look tomorrow night....
     
  15. paped

    paped LI Guru Member

    Done some more testing to try and get this straight in my own mind...

    I did:

    1) Re-enabled the rules but changed them from "udp" to "all" so they would accept any traffic.
    2) Rebooted router to ensure that the new rules were in place.
    3) Used the Shields Up web scanner to port scan/test my service ports, 1 to 1024. This is a TCP/ping test of each port, which I have used before and which the "all" in the rules should then allow/answer.

    However, the results seem to confirm my thinking above (in my mind/understanding at least), as none of the ports for DNS, syslog or NTP answered. Not sure about DNS/syslog, but for NTP, if these ports were open to the internet, as there is a valid time server there that as standard uses UDP but should accept TCP as well, I should in theory have had a response?

    So I am a bit confused around how insecure or secure the above is or is not? Any advice appreciated?
     
  16. Bird333

    Bird333 Network Guru Member

    I think you are safe with your rules as you said. You don't need the INPUT rules. They are only for accessing services that are running on the router itself.
     