Firewall script for R7000

DD-WRT Forum -> Advanced Networking
Jay461
DD-WRT Novice


Joined: 18 Jul 2018
Posts: 17

PostPosted: Mon Sep 10, 2018 14:31    Post subject: Firewall script for R7000
Hello All,

I have searched the forum but did not find a firewall script (iptables) that I can use to harden firewall security.
However, in my search I came across an ad-blocking script posted by Alozaros that works well. Thanks Alozaros!
I have the SPI firewall with some of the options enabled.
R7000
Firmware: v3.0-r36070M Kong (05/31/2018)

If you all can please share your firewall scripts and make suggestions to harden firewall protection. Thanks in advance.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 2062
Location: Netherlands

PostPosted: Tue Sep 11, 2018 8:24
You can check your firewall by using ShieldsUP! from Steve Gibson: https://www.grc.com/x/ne.dll?bh0bkyd2

If you are using DD-WRT default options, all ports should be stealth/closed. That means the firewall is working.

_________________
Router Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2138
Location: London,UK

PostPosted: Tue Sep 11, 2018 18:26
well, it depends what you want to cut off...
of course you can add some rules to harden your router,
but in most cases you must know what it is all about, and what to block and what not to block..
for example, yes, there are a few lines to make it more robust,
and I'll not lie, I do use quite a few extra rules to block this and that, in terms of an internal service or app wanting to get access to a WAN service, or something coming through the WAN looking for the LAN; for example my ISP is trying port 80 or 8080 on the INPUT chain, so I'm forced to have some extra rules to protect those in my case...

these few are quite standard, you can use them with no harm
# With conntrack loaded (NAT on) IPv4 fragments are reassembled before any table sees them,
# so the -f rules below are belt and braces; the flag rules catch XMAS (ALL ALL), NULL (ALL NONE)
# and other combinations a real stack never sends; INVALID is what conntrack cannot place in any flow.
iptables -t mangle -I PREROUTING -m conntrack --ctstate INVALID -j DROP
# a NEW flow must start with a --syn packet (SYN set, ACK/RST/FIN clear)
iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# drop SYNs that advertise an MSS below 536 (a SYN with no MSS option at all also matches the negated rule)
iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
# -f matches second and later fragments; the same flag checks again in the filter table
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -I FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -I FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -I FORWARD -f -j DROP
iptables -I FORWARD -p tcp ! --syn -m state --state NEW -j DROP

if you don't use those ports, you can safely block them too

# FORWARD is traffic routed through the router (LAN->WAN, and WAN->LAN for port forwards);
# hosts on the same LAN bridge talk to each other without passing this chain. Note that -I
# inserts at the top, so the chain ends up in the reverse of the order written here: the
# plain tcp/25 DROP lands above the REJECT on `get_wanface` and shadows it.
iptables -I FORWARD -p udp --dport 25 -j DROP
iptables -I FORWARD -p tcp -o `get_wanface` --dport 25 -j REJECT
iptables -I FORWARD -p tcp --dport 25 -j DROP
# NetBIOS/SMB (137-139, 445), Modbus (502) and the old Back Orifice port (31337)
iptables -I FORWARD -p tcp --dport 137 -j DROP
iptables -I FORWARD -p tcp --dport 138 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 502 -j DROP
iptables -I FORWARD -p tcp --dport 31337 -j DROP
iptables -I FORWARD -p udp --dport 137 -j DROP
iptables -I FORWARD -p udp --dport 138 -j DROP
iptables -I FORWARD -p udp --dport 139 -j DROP
iptables -I FORWARD -p udp --dport 445 -j DROP
iptables -I FORWARD -p udp --dport 31337 -j DROP


# OUTPUT covers packets the router itself generates (its own services, the DNS forwarder, a VPN client):
# the same sanity checks as INPUT, plus the SYN+FIN and SYN+RST combinations
iptables -I OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT

_________________
Atheros
TP-Link WR740Nv4 .......DD-WRT 33986 BS (AP,NAT,AD Blocking,Firewall)
TP-Link WR1043NDv2 ------DD-WRT 37012 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall) Bricked (locked in)
TP-Link WR1043NDv2 ------DD-WRT 36808 BS (AP,NAT,AD Blocking,Firewall,No Wi-Fi)
TP-Link WR1043NDv2.......... Gargoyle OS 1.10 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
Netgear R7800 ------------DD-WRT 36500M Kong (AP,NAT,AD-Blocking,AP Isolation, Firewall,DNSCrypt x2)
Broadcom
Netgear R7000 ---------DD-WRT 36410 Kong (AP,NAT,AD-Blocking,AP Isolation, Firewall,DNSCrypt x4)
Others
Netgear ProSAFE-GS105Ev2 ....(LAN Switch)


Last edited by Alozaros on Sun Sep 16, 2018 10:21; edited 1 time in total
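To make it concrete what the flag, fragment and MSS sanity rules in the post above actually match (and what they would do to a packet the router itself sends out), here is a small POSIX-sh model of them. It is an added example, not code from the thread and not part of DD-WRT: it reimplements the `--tcp-flags MASK COMP`, `--syn`, `-f` and `-m tcpmss ! --mss` semantics so that a verdict can be worked out on any machine. The conntrack state (NEW or ESTABLISHED) lives in the kernel, so the model takes it as an argument; that, and the sample packets in `demo`, are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: a POSIX-sh model of
# the flag, fragment and MSS sanity rules posted above, so the verdict for a
# given packet can be worked out without a router. The flag bits are the TCP
# header bits "--tcp-flags" tests; the sample packets in demo() are constructed.

FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32
ALL=$((FIN | SYN | RST | PSH | ACK | URG)); NONE=0

# tcp_flags FLAGS MASK COMP: "--tcp-flags MASK COMP" matches when, of the bits
# named in MASK, exactly those in COMP are set (bits outside MASK are ignored).
tcp_flags() { [ $(( $1 & $2 )) -eq "$3" ]; }

# --syn is shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN"
is_syn() { tcp_flags "$1" $((SYN | RST | ACK | FIN)) "$SYN"; }

# verdict FLAGS CTSTATE FRAGOFF MSS
#   FLAGS    TCP flag bits of the packet
#   CTSTATE  NEW or ESTABLISHED; conntrack decides this in the kernel, so the
#            caller supplies it here (assumption of the model)
#   FRAGOFF  IPv4 fragment offset; anything above 0 is what "-f" matches
#   MSS      value of the MSS option on a SYN, or "none" when the option is absent
# Prints the target and the rule that fired.
verdict() {
    flags=$1; ct=$2; fragoff=$3; mss=$4
    if [ "$fragoff" -gt 0 ]; then
        echo "DROP -f (non-first fragment)"; return
    fi
    if tcp_flags "$flags" "$ALL" "$ALL"; then
        echo "DROP --tcp-flags ALL ALL (XMAS scan)"; return
    fi
    if tcp_flags "$flags" "$ALL" "$NONE"; then
        echo "DROP --tcp-flags ALL NONE (NULL scan)"; return
    fi
    if tcp_flags "$flags" $((SYN | FIN)) $((SYN | FIN)); then
        echo "REJECT --tcp-flags SYN,FIN SYN,FIN"; return
    fi
    if tcp_flags "$flags" $((SYN | RST)) $((SYN | RST)); then
        echo "REJECT --tcp-flags SYN,RST SYN,RST"; return
    fi
    if [ "$ct" = NEW ] && ! is_syn "$flags"; then
        echo "DROP ! --syn --ctstate NEW (new flow not opened by a SYN)"; return
    fi
    # "-m tcpmss ! --mss 536:65535" on NEW packets: matches an MSS outside the
    # range, and also a SYN with no MSS option at all (xt_tcpmss returns the
    # inverted result when the option is missing), so such SYNs are dropped too.
    if [ "$ct" = NEW ] && { [ "$mss" = none ] || [ "$mss" -lt 536 ] || [ "$mss" -gt 65535 ]; }; then
        echo "DROP -m tcpmss ! --mss 536:65535"; return
    fi
    echo "ACCEPT"
}

# demo: constructed sample packets, one per rule (flags ctstate fragoff mss)
demo() {
    for sample in \
        "normal SYN, MSS 1460|$SYN NEW 0 1460" \
        "established ACK|$ACK ESTABLISHED 0 none" \
        "XMAS scan|$ALL NEW 0 none" \
        "NULL scan|$NONE NEW 0 none" \
        "SYN+FIN|$((SYN | FIN)) NEW 0 1460" \
        "ACK with no flow (stealth scan)|$ACK NEW 0 none" \
        "SYN, MSS 400|$SYN NEW 0 400" \
        "2nd fragment|$ACK ESTABLISHED 185 none"; do
        printf '%-34s %s\n' "${sample%%|*}" "$(verdict ${sample#*|})"
    done
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh model.sh demo` to print one line per sample packet. Two points the model makes visible: a SYN+ACK (a server's reply) is not a `--syn` packet, which is why the `! --syn --ctstate NEW` rule leaves handshakes alone, and a SYN that carries no MSS option at all is dropped by the negated tcpmss rule, so a client with a very unusual stack would fail to connect through the router rather than simply get a smaller MSS.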
Jay461
DD-WRT Novice


Joined: 18 Jul 2018
Posts: 17

PostPosted: Thu Sep 13, 2018 19:23
Thanks. Apologies for the delayed response. @Alozaros here is what I am using (stolen from you):

Save Start up:

wget -qO /tmp/mvps http://winhelp2002.mvps.org/hosts.txt
wget -qO /tmp/someonewhocares http://someonewhocares.org/hosts/zero/hosts
wget -qO /tmp/sbc http://sbc.io/hosts/hosts
stopservice dnsmasq && startservice dnsmasq

Additional DNSMasq Options:

addn-hosts=/tmp/mvps
addn-hosts=/tmp/someonewhocares
addn-hosts=/tmp/sbc

Additional Cron Jobs:

0 12 * * * root /tmp/.rc_startup

I must say it works pretty well. However, my VoIP (OBi200 with Google Voice) is not connecting.
The issue is with assigning an IP address for the OBi200. So, I connected it directly to the router
(R7000, firmware: v3.0-r36840M kongac (09/03/2018)) and it started to work.
The moment I move the OBi200 downstairs (where it was originally) it goes back to 'IP address unavailable'.

Is this to do with the above script I am using? Preferably I would like to resolve the
IP address issue before I try your new script. Any solutions you have in mind?

Once again thanks for your response and for sharing firewall scripts, truly appreciated.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2138
Location: London,UK

PostPosted: Fri Sep 14, 2018 5:37
well, this ad-blocking script blocks a list of particular advert sites; as you stated, when connected directly to the router it works, so it must be a lack-of-signal issue...
those scripts are saved in the startup script; the other iptables rules above must be saved in the firewall script (the other button)

AKA_SK
DD-WRT User


Joined: 11 Jan 2018
Posts: 90

PostPosted: Fri Sep 14, 2018 5:39
Alozaros wrote:
well, it depends what you want to cut off...
of course you can add some rules to harden your router,
but in most cases you must know what it is all about, and what to block and what not to block..
for example, yes, there are a few lines to make it more robust,
and I'll not lie, I do use quite a few extra rules to block this and that, in terms of an internal service or app wanting to get access to a WAN service, or something coming through the WAN looking for the LAN; for example my ISP is trying port 80 or 8080 on the INPUT chain, so I'm forced to have some extra rules to protect those in my case...

these few are quite standard, you can use them with no harm
iptables -t mangle -I PREROUTING -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -I FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -I FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -I FORWARD -f -j DROP
iptables -I FORWARD -p tcp ! --syn -m state --state NEW -j DROP

if you don't use those ports, you can safely block them too

iptables -I FORWARD -p udp --dport 25 -j DROP
iptables -I FORWARD -p tcp -o `get_wanface` --dport 25 -j REJECT
iptables -I FORWARD -p tcp --dport 25 -j DROP
iptables -I FORWARD -p tcp --dport 137 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 502 -j DROP
iptables -I FORWARD -p tcp --dport 31337 -j DROP
iptables -I FORWARD -p udp --dport 137 -j DROP
iptables -I FORWARD -p udp --dport 138 -j DROP
iptables -I FORWARD -p udp --dport 139 -j DROP
iptables -I FORWARD -p udp --dport 445 -j DROP
iptables -I FORWARD -p udp --dport 31337 -j DROP


iptables -I OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT


Is there a particular reason for not blocking TCP port 138 or UDP port 502? Also, could you briefly go over what the OUTPUT rules do? Thanks.
Jay461
DD-WRT Novice


Joined: 18 Jul 2018
Posts: 17

PostPosted: Fri Sep 14, 2018 13:17
Alozaros wrote:
well, this ad-blocking script blocks a list of particular advert sites; as you stated, when connected directly to the router it works, so it must be a lack-of-signal issue...
those scripts are saved in the startup script; the other iptables rules above must be saved in the firewall script (the other button)


Thanks. You are probably right. I connected the VoIP device to the extender, it works straight off the bat.
Understood, iptables script placements.
Speaking about poor signal: I am frustrated with the fluctuating signal strength (Rate) at the router level.
2.4G can vary from 70-300 Mbps and 5G varies from 170-433 Mbps. I have tried various settings but am unable
to get a steady rate. Can you please suggest settings that I can try? Many Thanks.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 4243
Location: Akershus, Norway

PostPosted: Fri Sep 14, 2018 16:13
Don't use auto channel.

Use 20 MHz, unless you don't have any neighbours.

It all depends on what channel your neighbours are using.
Jay461
DD-WRT Novice


Joined: 18 Jul 2018
Posts: 17

PostPosted: Fri Sep 14, 2018 17:05
Per Yngve Berg wrote:
Don't use auto channel.

Use 20 MHz, unless you don't have any neighbours.

It all depends on what channel your neighbours are using.


Thanks. I have used 20 MHz in the past, including a site survey, and found it to be worse.
In fact I just did a site survey and 90% of my neighbors are on 1, 6 or 11. I understand
the limitations posed by the wireless card, drivers etc. but don't know why there is such a huge
spread between min and max. Especially with 5 GHz.
All the same, I am happy to test it again. Suggestions on 5G settings?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 4243
Location: Akershus, Norway

PostPosted: Fri Sep 14, 2018 17:36
20 MHz will give you 56 Mbit/s. On channel 1, you will not interfere with anyone on channels 6 and 11.

With 40 MHz, you will use channel 6 also. I believe throughput is lowered when there is traffic on channel 6.

Have you tried 100 UU on the 5 GHz?
Jay461
DD-WRT Novice


Joined: 18 Jul 2018
Posts: 17

PostPosted: Fri Sep 14, 2018 18:30
Per Yngve Berg wrote:
20 MHz will give you 56 Mbit/s. On channel 1, you will not interfere with anyone on channels 6 and 11.

With 40 MHz, you will use channel 6 also. I believe throughput is lowered when there is traffic on channel 6.

Have you tried 100 UU on the 5 GHz?


Thanks. I have set up the 2.4 GHz per your suggestion and will monitor for a bit and report back.

I have not tried 100 UU. Is that with AC only? Also, what channel?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 4243
Location: Akershus, Norway

PostPosted: Fri Sep 14, 2018 18:52
VHT80 is AC only. N type clients connect as VHT40.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2138
Location: London,UK

PostPosted: Sun Sep 16, 2018 10:27
AKA_SK wrote:

Is there a particular reason for not blocking TCP port 138 or UDP port 502? Also, could you briefly go over what the OUTPUT rules do? Thanks.


well, as I said, it's good to know what all this does, so in my case I want to block those for a reason:
SMB operations on Windows machines. It's up to your system requirements, so that's why it's good to know
http://ipset.netfilter.org/iptables.man.html
https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command
just keep in mind that in order to fit the flash size DD-WRT uses an adapted and stripped version of iptables,
so on some routers some commands/variables are not there ....

Jay461
DD-WRT Novice


Joined: 18 Jul 2018
Posts: 17

PostPosted: Wed Sep 19, 2018 16:42
@Alozaros

The startup ad-blocking script I mentioned at the top of the thread has some ads coming through. Is that normal? I take it one cannot fully plug this, as sacrifices in other areas will be made (?) Thanks
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2138
Location: London,UK

PostPosted: Wed Sep 19, 2018 17:33
Jay461 wrote:
@Alozaros

The startup ad-blocking script I mentioned at the top of the thread has some ads coming through. Is that normal? I take it one cannot fully plug this, as sacrifices in other areas will be made (?) Thanks


yep, there are a few varieties of ad-blocking scripts; all of
them use a hosts list to block downloads from a web site,
so it is possible for some adverts to survive, as those lists are
updated at intervals

add those to your additional DNSmasq options

address=/reg.for.free/0.0.0.0
address=/www.namecheap.com/0.0.0.0
address=/ns0.dnsmadeeasy.com/0.0.0.0
address=/ns1.dnsmadeeasy.com/0.0.0.0
address=/ns2.dnsmadeeasy.com/0.0.0.0
address=/ns3.dnsmadeeasy.com/0.0.0.0
address=/ns4.dnsmadeeasy.com/0.0.0.0
address=/67.211.101.46.in-addr.arpa/0.0.0.0
address=/microsoft.com-m-uk-sic2.receive-your-awards-now.faith/0.0.0.0
address=/petite.oss-us-west-1.aliyuncs.com/0.0.0.0
address=/PDNS249.ULTRADNS.NET/0.0.0.0
address=/PDNS249.ULTRADNS.COM/0.0.0.0
address=/PDNS249.ULTRADNS.BIZ/0.0.0.0
address=/PDNS249.ULTRADNS.ORG/0.0.0.0
address=/online-metrix.net/0.0.0.0
address=/mob.d.aa.online-metrix.net/0.0.0.0
address=/xml.pdn-1.com/0.0.0.0
address=/NS-1306.AWSDNS-35.ORG/0.0.0.0
address=/NS-1597.AWSDNS-07.CO.UK/0.0.0.0
address=/NS-418.AWSDNS-52.COM/0.0.0.0
address=/NS-666.AWSDNS-19.NET/0.0.0.0
address=/vjlyawirxl.spotilocal.com/0.0.0.0
address=/yxpetmfaui.spotilocal.com/0.0.0.0
address=/ns2.spotify.net/0.0.0.0
address=/ns2.spotify.com/0.0.0.0
address=/ns3.spotify.com/0.0.0.0
address=/ns4.spotify.com/0.0.0.0
address=/ns5.spotify.com/0.0.0.0
address=/ns2.pickytime.com/0.0.0.0
address=/ns3.pickytime.com/0.0.0.0
address=/ns1.pickytime.com/0.0.0.0
address=/204.155.159.38/0.0.0.0
address=/2mdn.net/0.0.0.0
address=/2o7.net/0.0.0.0
address=/360yield.com/0.0.0.0
address=/ad-center.com/0.0.0.0
address=/ad-inside.com/0.0.0.0
address=/adbrite.com/0.0.0.0
address=/adinfuse.com/0.0.0.0
address=/admob.com/0.0.0.0
address=/admob.mobi/0.0.0.0
address=/NS8.ALIBABAONLINE.COM/0.0.0.0
address=/NSHZ.ALIBABAONLINE.COM/0.0.0.0
address=/NSP.ALIBABAONLINE.COM/0.0.0.0
address=/NSP2.ALIBABAONLINE.COM/0.0.0.0
address=/NS4.TAOBAO.COM/0.0.0.0
address=/NS5.TAOBAO.COM/0.0.0.0
address=/NS6.TAOBAO.COM/0.0.0.0
address=/NS7.TAOBAO.COM/0.0.0.0
address=/2mdnsys.com/0.0.0.0
address=/adsrvr.org/0.0.0.0
address=/amazon-adsystem.com/0.0.0.0
address=/appdynamics.asia/0.0.0.0
address=/appdynamics.biz/0.0.0.0
address=/appdynamics.com/0.0.0.0
address=/appdynamics.info/0.0.0.0
address=/appdynamics.mobi/0.0.0.0
address=/appdynamics.net/0.0.0.0
address=/appdynamics.org/0.0.0.0
address=/appdynamics.us/0.0.0.0
address=/coin-service.com/0.0.0.0
address=/demdex.com/0.0.0.0
address=/demdex.net/0.0.0.0
address=/doubleclick-analytics.com/0.0.0.0
address=/doubleclick.be/0.0.0.0
address=/doubleclick.com/0.0.0.0
address=/doubleclick.de/0.0.0.0
address=/doubleclick.net/0.0.0.0
address=/googlesyndication.com/0.0.0.0
address=/mgid.com/0.0.0.0
address=/moatads.com/0.0.0.0
address=/oclasrv.com/0.0.0.0
address=/popads.net/0.0.0.0
address=/popadscdn.net/0.0.0.0
address=/smartadserver.com/0.0.0.0
address=/taboola.com/0.0.0.0
address=/velocecdn.com/0.0.0.0

and you can use a different script instead, where you can add more web lists;
just keep in mind that wget works only with http sources

wget -qO /tmp/mvps http://winhelp2002.mvps.org/hosts.txt
wget -qO /tmp/someonewhocares http://someonewhocares.org/hosts/zero/hosts
wget -qO /tmp/sbc http://sbc.io/hosts/hosts
stopservice dnsmasq && startservice dnsmasq

Add Under Setup/Services/DNSMasq/Additional DNSMasq Options:

addn-hosts=/tmp/mvps
addn-hosts=/tmp/someonewhocares
addn-hosts=/tmp/sbc

Add to cronjob
0 12 * * * root /tmp/.rc_startup

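The startup script posted above (and the same one Jay461 uses earlier in the thread) writes whatever `wget` returns straight into the files dnsmasq reads with `addn-hosts`, and because DD-WRT's wget only speaks plain http there is no transport integrity at all: a failed download leaves an empty list, a truncated one leaves a partial list, and a tampered list could map a hostname to an attacker's address instead of a sinkhole. Below is an added example, not code from the thread or from DD-WRT, of the same three-list update written so that only `0.0.0.0 host` / `127.0.0.1 host` entries are ever installed, a list that comes back too small is rejected and the previous copy kept, and the swap is a rename so dnsmasq never reads a half-written file. It assumes busybox sh/awk/wget as shipped on DD-WRT, `/tmp/adblock` as the target directory and the `MIN_ENTRIES` threshold; with it, the dnsmasq options become `addn-hosts=/tmp/adblock/mvps` and so on, and the startup script and cron job call `sh /jffs/adblock.sh update` (path assumed).

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: fetch hosts-format
# blocklists over plain http, keep only real sinkhole entries, and refuse to
# install a list that came back empty or truncated before restarting dnsmasq.
# Assumed: busybox sh/awk/wget as on DD-WRT, /tmp/adblock as the target
# directory, and the three list URLs posted in the thread.

ADBLOCK_DIR=/tmp/adblock
MIN_ENTRIES=1000   # assumption: these lists carry tens of thousands of names; fewer means a bad download

# filter_hosts IN OUT: copy only "0.0.0.0 host" / "127.0.0.1 host" lines from IN
# to OUT, stripping inline comments. Prints "<kept> <dropped>". Any line that
# points a name at some other address would redirect traffic rather than block
# it, so it is never installed, whatever the upstream list says.
filter_hosts() {
    awk -v out="$2" '
        /^[ \t]*(#|$)/ { next }                                   # comments and blank lines
        ($1 == "0.0.0.0" || $1 == "127.0.0.1") && $2 ~ /^[A-Za-z0-9._-]+$/ {
            print $1 " " $2 > out; kept++; next
        }
        { dropped++ }                                              # ::1, broadcasthost, odd or poisoned lines
        END { print kept + 0, dropped + 0 }
    ' "$1"
}

# fetch_list NAME URL: download to a scratch file, filter it, and swap it in with
# a rename so dnsmasq never reads a half-written file. On any failure the
# previously installed list stays in place and the function returns non-zero.
fetch_list() {
    name=$1; url=$2
    raw="$ADBLOCK_DIR/$name.raw"; new="$ADBLOCK_DIR/$name.new"
    if ! wget -qO "$raw" "$url"; then
        echo "$name: download failed, keeping old list" >&2
        rm -f "$raw"; return 1
    fi
    counts=$(filter_hosts "$raw" "$new"); rm -f "$raw"
    kept=${counts%% *}; dropped=${counts#* }
    if [ "$kept" -lt "$MIN_ENTRIES" ]; then
        echo "$name: only $kept usable entries, keeping old list" >&2
        rm -f "$new"; return 1
    fi
    mv "$new" "$ADBLOCK_DIR/$name"
    echo "$name: installed $kept entries, dropped $dropped" >&2
}

# update_all: refresh every list, then restart dnsmasq once (DD-WRT service helpers).
update_all() {
    mkdir -p "$ADBLOCK_DIR"
    fetch_list mvps http://winhelp2002.mvps.org/hosts.txt
    fetch_list someonewhocares http://someonewhocares.org/hosts/zero/hosts
    fetch_list sbc http://sbc.io/hosts/hosts
    stopservice dnsmasq && startservice dnsmasq
}

# Run the update only when called as "adblock.sh update" (from the startup
# script and the cron job); sourcing the file just defines the functions.
if [ "${1:-}" = "update" ]; then
    update_all
fi
```

The filter is deliberately a whitelist rather than a blacklist: it does not try to recognise bad lines, it only passes lines that look exactly like a sinkhole entry, so the `::1 localhost` and `255.255.255.255 broadcasthost` lines some lists carry are dropped along with anything unexpected. The `MIN_ENTRIES` check is what turns a silent empty download (which would quietly switch ad blocking off until the next cron run) into a logged failure that keeps the last good list.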
All times are GMT