SKFREE
Troubleshooting - IPtables on DD-WRT
bagocina - 27.01.2015 - 09:13
Post subject: IPtables on DD-WRT
Hello everyone,
I have a small problem getting port blocking to work on a TP-Link WR741ND v4. It runs DD-WRT, but no matter how hard I try, it won't block ports at all. I need only ports 80 and 443 to be reachable. I've spent two days googling and also tried the rules from the DD-WRT Wiki
Code:
iptables -I FORWARD 1 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -j DROP
and also this one I found by googling
Code:
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP
but nothing, for the life of me. Everything is still reachable.
Thanks in advance for any help.
deadbiker - 27.01.2015 - 09:37
Post subject: IPtables on DD-WRT
Probably the most important thing is to say which build you are using. It's quite possible it has some problem. I remember, for example, a situation where port forwarding didn't work.
bagocina - 27.01.2015 - 09:38
Post subject:
DD-WRT v24-sp2 (03/25/13) std
(SVN revision 21061)
deadbiker - 27.01.2015 - 09:53
Post subject:
So you have the build that the "ddwrt database" offers, but 21061 is already from 2013. If you have time, try the very latest one available for download at http://dd-wrt.com/site/support/other-downloads?path=others%2Feko%2FBrainSlayer-V24-preSP2%2F (webflash image). I have only loaded the "latest 25697" onto a dir-600 and a wrt54gl. Whether it has any bugs, I have no idea.. but so far I haven't run into anything, since they serve as home routers with port forwarding. Give it a try.. Make a backup of the configuration before you reflash it with the new version. And during the upgrade you can leave "After flashing, reset to" on "Don't reset" and it will keep your original configuration (IP address, rules and so on...).
But if you have time, you can try googling whether that older build had a bug in the firewall.
bagocina - 27.01.2015 - 10:19
Post subject:
I did the upgrade, but with no result. Still the same behaviour with all the variants.
The only thing that caught my attention is this from the DD-WRT Wiki
Code:
iptables -I FORWARD 1 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -j DROP
(http://www.dd-wrt.com/wiki/index.php/Iptables_command#Block_all_traffic_except_HTTP_HTTPS_and_FTP)
so instead of allowing only 80 and 443, it cuts off absolutely everything.
deadbiker - 27.01.2015 - 10:27
Post subject:
I just have one question: where are you actually entering it?
bagocina - 27.01.2015 - 10:28
Post subject:
Into the Command Shell, and I save it as Firewall.
JOFO - 27.01.2015 - 11:06
Post subject:
That's because you have the rules in the wrong order... The correct way should be like this
Code:
iptables -I FORWARD 3 -j DROP
iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 1 -p tcp -m multiport --dports 80,443 -j ACCEPT
What you have there drops everything first, so the next two rules are never reached
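An added example, not code from the thread or from DD-WRT, that models what `iptables -I CHAIN N` actually does to a chain that already has rules in it. It assumes a simplified stand-in for the default FORWARD rules DD-WRT has before the user's firewall script runs (modelled on the listing posted later in the thread), and the sample packets are constructed for the demonstration.

```python
"""Model of how `iptables -I CHAIN N` places rules and how first-match works.

Added example for this thread, not code from DD-WRT or from the posters.
It models only what the discussion needs: insert-at-position, protocol and
destination-port matches, and the conntrack state match. base_chain() is a
simplified stand-in for what DD-WRT already has in FORWARD before the user's
firewall script runs (assumption, modelled on the posted `iptables -L`).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                               # "ACCEPT" or "DROP"
    proto: Optional[str] = None               # "tcp", "udp", "gre" or None = any
    dports: FrozenSet[int] = frozenset()      # empty = any destination port
    states: FrozenSet[str] = frozenset()      # empty = any conntrack state

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dports and pkt.get("dport") not in self.dports:
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        return True


def insert(chain: List[Rule], position: int, rule: Rule) -> List[Rule]:
    """`iptables -I CHAIN position ...`: 1-based; rules at/after it shift down.
    Real iptables rejects a position beyond len+1 ("Index of insertion too big")."""
    if not 1 <= position <= len(chain) + 1:
        raise ValueError(f"index of insertion too big: {position} for {len(chain)} rules")
    chain.insert(position - 1, rule)
    return chain


def verdict(chain: List[Rule], pkt: dict, policy: str = "ACCEPT") -> str:
    """First matching rule decides; an unmatched packet gets the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The three rules from the DD-WRT wiki snippet.
WEB = Rule("ACCEPT", "tcp", frozenset({80, 443}))
KEEP = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
DROP_ALL = Rule("DROP")


def base_chain() -> List[Rule]:
    """Simplified DD-WRT default FORWARD rules, in the order the -L listing shows them."""
    return [
        Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
        Rule("ACCEPT", "gre"),
        Rule("ACCEPT", "tcp", frozenset({1723})),
        Rule("ACCEPT", states=frozenset({"NEW"})),   # stands in for lan2wan / ACCEPT NEW
    ]


def wiki_order() -> List[Rule]:
    """-I 1 web, -I 2 state, -I 3 drop, typed in that order."""
    chain = base_chain()
    insert(chain, 1, WEB)
    insert(chain, 2, KEEP)
    insert(chain, 3, DROP_ALL)
    return chain


def reversed_order() -> List[Rule]:
    """The same three commands typed in the opposite order (-I 3, -I 2, -I 1)."""
    chain = base_chain()
    insert(chain, 3, DROP_ALL)
    insert(chain, 2, KEEP)
    insert(chain, 1, WEB)
    return chain


def targets(chain: List[Rule]) -> List[str]:
    return [r.target for r in chain]


# Constructed sample packets: what a LAN client sends out through the router.
PACKETS = {
    "http":  {"proto": "tcp", "dport": 80,    "state": "NEW"},
    "https": {"proto": "tcp", "dport": 443,   "state": "NEW"},
    "dns":   {"proto": "udp", "dport": 53,    "state": "NEW"},
    "ssh":   {"proto": "tcp", "dport": 22,    "state": "NEW"},
    "reply": {"proto": "tcp", "dport": 51000, "state": "ESTABLISHED"},
}


def verdicts(chain: List[Rule]) -> dict:
    return {name: verdict(chain, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("base", base_chain()), ("wiki", wiki_order()), ("reversed", reversed_order())):
        print(f"{label:9} {targets(chain)}")
        print(f"{'':9} {verdicts(chain)}")
```

Running it shows that both typing orders leave the two ACCEPT rules ahead of the DROP, and that the `-I 3, -I 2, -I 1` order lands the DROP at position 5 of the full chain, which is where the listing posted later in the thread has it. In either order a NEW UDP/53 packet matches nothing before the catch-all DROP, so LAN clients lose name resolution and "everything" looks cut off; a `-p udp --dport 53 -j ACCEPT` inserted ahead of the DROP fixes that while still limiting new connections to 80 and 443. Note also that the wiki rules work on FORWARD, the chain LAN-to-WAN traffic passes through; the INPUT-chain variant from the first post only governs traffic addressed to the router itself, which is why it changed nothing for the clients.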
deadbiker - 27.01.2015 - 11:10
Post subject:
it would be better to post the whole table, iptables -L
bagocina - 27.01.2015 - 11:57
Post subject:
Jofo: I put it in the opposite order, as you wrote, but the effect is the same as I had before. It cuts everything off from the world.
deadbiker:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp dpt:route
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT udp -- anywhere anywhere udp dpt:route
ACCEPT 0 -- anywhere anywhere
ACCEPT tcp -- anywhere Zoska_018 tcp dpt:www
DROP icmp -- anywhere anywhere
DROP igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports www,https
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT gre -- 192.168.0.0/16 anywhere
DROP 0 -- anywhere anywhere
ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:1723
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
Chain advgrp_1 (0 references)
target prot opt source destination
Chain advgrp_10 (0 references)
target prot opt source destination
Chain advgrp_2 (0 references)
target prot opt source destination
Chain advgrp_3 (0 references)
target prot opt source destination
Chain advgrp_4 (0 references)
target prot opt source destination
Chain advgrp_5 (0 references)
target prot opt source destination
Chain advgrp_6 (0 references)
target prot opt source destination
Chain advgrp_7 (0 references)
target prot opt source destination
Chain advgrp_8 (0 references)
target prot opt source destination
Chain advgrp_9 (0 references)
target prot opt source destination
Chain grp_1 (1 references)
target prot opt source destination
Chain grp_10 (0 references)
target prot opt source destination
Chain grp_2 (0 references)
target prot opt source destination
Chain grp_3 (0 references)
target prot opt source destination
Chain grp_4 (0 references)
target prot opt source destination
Chain grp_5 (0 references)
target prot opt source destination
Chain grp_6 (0 references)
target prot opt source destination
Chain grp_7 (0 references)
target prot opt source destination
Chain grp_8 (0 references)
target prot opt source destination
Chain grp_9 (0 references)
target prot opt source destination
Chain lan2wan (1 references)
target prot opt source destination
grp_1 0 -- anywhere anywhere
Chain logaccept (0 references)
target prot opt source destination
LOG 0 -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT 0 -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
LOG 0 -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
LOG 0 -- anywhere anywhere state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP 0 -- anywhere anywhere
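An added check, not from the thread, that reads a pasted `iptables -L` listing (the FORWARD chain above, copied verbatim as the sample input) and reports which rules sit behind the first unconditional DROP and whether anything before it would let a new UDP/53 packet through. The parser only handles the plain `-L` column layout shown above; the DNS heuristic is deliberately narrow and is an assumption about how DNS could be allowed in this particular chain.

```python
"""Audit a pasted `iptables -L` listing for rules shadowed by a catch-all DROP.

Added example for this thread, not DD-WRT code. Works on the plain `-L`
format (no -v, no -n): target prot opt source destination [matches].
Plain -L does not show interface matches, so "unconditional" here means
"no match visible in the listing" (see the note after the code).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The FORWARD chain exactly as posted in the thread (copied, not constructed).
POSTED_FORWARD = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports www,https
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT gre -- 192.168.0.0/16 anywhere
DROP 0 -- anywhere anywhere
ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:1723
lan2wan 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
DROP 0 -- anywhere anywhere
"""


@dataclass
class Rule:
    position: int   # 1-based, as `--line-numbers` would print it
    target: str
    proto: str
    source: str
    dest: str
    extra: str      # whatever follows the five fixed columns ("" if nothing)

    @property
    def unconditional(self) -> bool:
        """No protocol, address or extension match visible in the listing."""
        return (self.proto in ("0", "all")
                and self.source == "anywhere" and self.dest == "anywhere"
                and self.extra == "")


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    """Return {chain_name: [Rule, ...]} from `iptables -L` output."""
    chains: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("target "):
            continue                      # column header
        parts = line.split(None, 5)       # target prot opt source dest [extra]
        if len(parts) < 5:
            continue
        extra = parts[5] if len(parts) == 6 else ""
        chains[current].append(
            Rule(len(chains[current]) + 1, parts[0], parts[1], parts[3], parts[4], extra))
    return chains


def shadowed_rules(rules: List[Rule]) -> Tuple[Optional[int], List[Rule]]:
    """Position of the first catch-all DROP, and every rule after it (never reached)."""
    for i, r in enumerate(rules):
        if r.target == "DROP" and r.unconditional:
            return r.position, rules[i + 1:]
    return None, []


def allows_new_dns(rules: List[Rule]) -> bool:
    """Would any rule ahead of the catch-all DROP admit a NEW UDP/53 packet?

    Narrow heuristic (assumption): an ACCEPT with proto any/udp that has no
    match, a `state NEW` match, or an explicit dpt:domain / dpt:53 match.
    """
    cutoff, _ = shadowed_rules(rules)
    for r in rules:
        if cutoff is not None and r.position >= cutoff:
            break
        if r.target != "ACCEPT" or r.proto not in ("0", "all", "udp"):
            continue
        if r.extra == "" or "state NEW" in r.extra:
            return True
        if "dpt:domain" in r.extra or "dpt:53" in r.extra:
            return True
    return False


if __name__ == "__main__":
    fwd = parse_listing(POSTED_FORWARD)["FORWARD"]
    pos, dead = shadowed_rules(fwd)
    print(f"first catch-all DROP at position {pos}; {len(dead)} rules behind it never match:")
    for r in dead:
        print(f"  {r.position:2} {r.target} {r.proto} {r.extra}".rstrip())
    print("NEW UDP/53 allowed before the DROP:", allows_new_dns(fwd))
```

On the posted chain this reports the catch-all DROP at position 5, the eight rules after it (including DD-WRT's own lan2wan and ACCEPT NEW rules) as unreachable, and no DNS rule ahead of the DROP. Two caveats for reading a listing like this: plain `-L` hides `-i`/`-o` interface matches, so a rule that looks unconditional may be interface-bound, and it resolves ports and hosts to names; `iptables -L FORWARD -nv --line-numbers` shows positions, interfaces and packet counters and is the listing to ask for when debugging which rule a packet actually hit.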