Scripts don't seem to work

Discussion in 'Tomato Firmware' started by neurolysis, Jan 21, 2011.

  1. neurolysis

    neurolysis Networkin' Nut Member

    Hi,

    I have recently started using Tomato with my WRT54GL, and have found the transition painless and enjoyable so far. I am, however, rather paranoid about my security, so I like to set up iptables rules to limit most administrative capabilities to myself, both by cipher, and by annoyance (ip/mac limitation).

    I currently have the following script, which (I think? been a while since I worked with iptables) should throttle dictionary/brute attacks on the SSH daemon. However, it doesn't seem to do anything:

    Code:
    ## Block SSH brute force
    # 15 seconds between attempts
    iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
    iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT
    
    # Filter MAC and IP
    iptables -A INPUT -m mac -s 192.168.1.59 --mac-source 00:00:00:00:00:00 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j DROP
    (obviously that's not the real MAC passed to --mac-source)

    I have tried putting these in the firewall scripts page, which didn't seem to work, and then the init scripts page, which also doesn't seem to work. When I do iptables -L over ssh I get the following:

    Code:
    # iptables -L | fgrep ssh
    # iptables -A INPUT -m mac -s 192.168.1.59 --mac-source 00:00:00:00:00:00 -p tcp --dport ssh -j ACCEPT
    # iptables -L | fgrep ssh
    ACCEPT     tcp  --  192.168.1.59         anywhere            MAC 00:00:00:00:00:00 tcp dpt:ssh
    #
    
    As you can see, it's like the script does nothing, because it is listed if I do it manually.

    Any ideas?

    Thanks! :)

    EDIT: Oh, and by the way, I'm using Tomato 1.28.
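An added model (not code from the thread) of the two-rule `recent` throttle in the first post, run over constructed connection attempts. It assumes xt_recent's documented behaviour: `--update --seconds 15` matches only a source seen within the last 15 seconds and refreshes that source's timestamp when it matches, and `--set` records the source and always matches; the IPs and times below are made up.

```python
# Added example: a model of the xt_recent throttle, not code from the post.
from dataclasses import dataclass, field


@dataclass
class RecentList:
    """Models the per-source 'last seen' table kept by the iptables recent match."""
    last_seen: dict = field(default_factory=dict)

    def update(self, src, now, seconds):
        """--update --seconds N: match only if src was seen within N seconds,
        and refresh its timestamp on a match (a hammering source stays blocked)."""
        seen = self.last_seen.get(src)
        if seen is not None and now - seen <= seconds:
            self.last_seen[src] = now
            return True
        return False

    def set(self, src, now):
        """--set: record src with the current time; always matches."""
        self.last_seen[src] = now
        return True


def ssh_throttle(attempts, seconds=15):
    """attempts: (time_in_seconds, source_ip) pairs, one per NEW SYN to port 22.
    Rule 1: -m recent --update --seconds 15 -j DROP
    Rule 2: -m recent --set -j ACCEPT
    Returns the verdict the two-rule chain gives each attempt."""
    table = RecentList()
    verdicts = []
    for now, src in attempts:
        if table.update(src, now, seconds):
            verdicts.append("DROP")
        else:
            table.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts


# Constructed input: one source retries every 5 s, another waits 20 s between logins.
HAMMER = [(0, "10.0.0.9"), (5, "10.0.0.9"), (10, "10.0.0.9"), (15, "10.0.0.9"), (20, "10.0.0.9")]
PATIENT = [(0, "192.168.1.59"), (20, "192.168.1.59")]

if __name__ == "__main__":
    print(ssh_throttle(HAMMER))   # ['ACCEPT', 'DROP', 'DROP', 'DROP', 'DROP']
    print(ssh_throttle(PATIENT))  # ['ACCEPT', 'ACCEPT']
```

Because `--update` refreshes the timestamp, a source that keeps retrying inside the window never gets back in until it pauses for the full 15 seconds; that is also what locks out a legitimate admin who retries too quickly.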
     
  2. shibby20

    shibby20 Network Guru Member

In Tomato 1.28 you have "fail2ban" for SSH and telnet.

Check Administration -> Admin Access -> Admin Restrictions:

    Allowed Remote IP Address
    Limit Connection Attempts (3 failed attempts = ban for 60 seconds)
     
  3. mstombs

    mstombs Network Guru Member

    You are "Adding" to the filter list - so you need to look at all entries, something above will have precedence - try "-I" to insert at top.

You must use the Firewall script; init runs too early, and rules get wiped and reinstated on the WAN connect event.
     
  4. neurolysis

    neurolysis Networkin' Nut Member

    Thanks, but I don't really want to allow remote IP addresses, and my ipfilters list is longer than just that.

    Thanks, I'll try that. Shouldn't it still show up in the rules, though?
     
  5. TT76

    TT76 Networkin' Nut Member

    I don't know why, but I have tried it in my router with teddy bear usbmod 1.28-k26-mipsR1-nousb-vpn, and it worked.
     
  6. neurolysis

    neurolysis Networkin' Nut Member

    For the record, this is my entire firewall script:

    Code:
    # Accept previously established connections
    iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net)
    
    ## Drop bad packets
    # Drop Christmas tree packets
    iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
    
    # Drop null packets
    iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
    
    # Drop TCP-CONNECT scan attempts (SYN bit packets)
    iptables -A INPUT -p tcp --syn -j DROP
    
    # Drop TCP-SYN scan attempts (only SYN bit packets)
    iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH SYN -j DROP
    
    # Drop TCP-FIN scan attempts (only FIN bit packets)
    iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
    
    # Drop TCP-ACK scan attempts (only ACK bit packets)
    iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
    
    # Drop ping of death
    iptables -A INPUT -p ICMP --icmp-type echo-request -m length --length 60:65535 -j ACCEPT
    
    # Drop teardrop
    iptables -A INPUT -p UDP -j DROP
    
    # Drop SYN flood
    iptables -A INPUT -p TCP --syn -m iplimit --iplimit-above 9 -j DROP
    
    # Drop smurf attack
    iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
    iptables -A INPUT -p ICMP --icmp-type echo-request -m pkttype --pkt-type broadcast -j DROP
    iptables -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
    
    # Drop UDP flood (pepsi)
    iptables -A INPUT -p UDP --dport 7 -j DROP
    iptables -A INPUT -p UDP --dport 19 -j DROP
    
    # Drop SMBnuke
    iptables -A INPUT -p UDP --dport 135:139 -j DROP
    iptables -A INPUT -p TCP --dport 135:139 -j DROP
    
    # Drop connection flood
    iptables -A INPUT -p TCP --syn -m iplimit --iplimit-above 3 -j DROP
    
    # Drop Fraggle
    iptables -A INPUT -p UDP -m pkttype --pkt-type broadcast -j DROP
    iptables -A INPUT -p UDP -m limit --limit 3/s -j ACCEPT
    
    # Drop Jolt
    iptables -A INPUT -p ICMP -j DROP
    
    # Drop ICMP ping
    iptables -A INPUT -p ICMP --icmp-type echo-request -j DROP
    
    ## Drop spoofed packets that look internal
    iptables -t nat -I PREROUTING 1 -s 192.168.0.0/16 -j DROP 
    
    ## Block SSH brute force
    # 15 seconds between attempts
    iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
    iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT
    
    # Filter MAC and IP
    iptables -A INPUT -m mac -s 192.168.1.59 --mac-source 00:00:00:00:00:00 -p tcp --dport ssh -j ACCEPT
    iptables -A INPUT -p tcp --dport ssh -j DROP
    None of these rules seem to show up when doing iptables -L; it's like the script never runs.
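An added example (not code from the thread) that walks a first-match INPUT chain built from three rules of the script above, to illustrate mstombs' point about precedence: with `-A` the blanket `--syn -j DROP` sits ahead of the SSH rules, so the admin's first SYN to sshd is dropped before the SSH ACCEPT is ever consulted, while inserting the SSH rules at the top changes the verdict. The rule predicates, packet fields and the stranger's IP are constructed for the model.

```python
# Added example: first-match evaluation of a subset of the posted script, not the script itself.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    syn_only: bool  # True for the SYN that opens a NEW connection
    src: str


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str
    text: str       # the iptables line this entry stands for


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, str]:
    """Netfilter semantics: the first matching rule with a terminating target wins."""
    for rule in chain:
        if rule.match(pkt):
            return rule.target, rule.text
    return policy, "chain policy"


# Three rules from the posted script, modelled as predicates (MAC match omitted).
DROP_ALL_SYN = Rule(lambda p: p.proto == "tcp" and p.syn_only, "DROP",
                    "iptables -A INPUT -p tcp --syn -j DROP")
SSH_ADMIN_OK = Rule(lambda p: p.proto == "tcp" and p.dport == 22 and p.src == "192.168.1.59",
                    "ACCEPT", "iptables -A INPUT -m mac -s 192.168.1.59 -p tcp --dport ssh -j ACCEPT")
SSH_OTHERS = Rule(lambda p: p.proto == "tcp" and p.dport == 22, "DROP",
                  "iptables -A INPUT -p tcp --dport ssh -j DROP")


def chain_as_posted() -> List[Rule]:
    """-A appends, so the blanket --syn DROP is evaluated before the SSH rules."""
    return [DROP_ALL_SYN, SSH_ADMIN_OK, SSH_OTHERS]


def chain_with_insert() -> List[Rule]:
    """-I puts the SSH rules at the top of the chain, ahead of the blanket DROP."""
    return [SSH_ADMIN_OK, SSH_OTHERS, DROP_ALL_SYN]


ADMIN_SYN = Packet("tcp", 22, True, "192.168.1.59")  # constructed: admin's first SYN to sshd
STRANGER_SYN = Packet("tcp", 22, True, "203.0.113.7")  # constructed: anyone else's SYN

if __name__ == "__main__":
    for chain in (chain_as_posted(), chain_with_insert()):
        print(evaluate(chain, ADMIN_SYN), evaluate(chain, STRANGER_SYN))
```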
     
  7. TT76

    TT76 Networkin' Nut Member

    I have tried this script; some of the lines didn't work:
    iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net) (I guess you know "outer ip/net" should be replaced with a real IP segment or address.)
    Lines 5, 6 and 7 fail because the conntrack module is not included in Tomato; the same goes for the iplimit and pkttype modules, so the lines that use those don't work either.
    In addition, regarding the recent module, you have to load it in the script with the command "insmod xt_recent".
     
  9. neurolysis

    neurolysis Networkin' Nut Member

    Ok, thanks, that now works! :)
     