Posted: Mon Sep 10, 2018 14:31 Post subject: Firewall script for R7000
Hello All,
I have searched the forum but did not find a firewall script (iptables) that I can use to harden firewall security.
However, in my search I came across the ad-blocking script posted by Alozaros, which works well. Thanks Alozaros!
I have the SPI firewall enabled with some of the options turned on.
R7000
Firmware: v3.0-r36070M Kong (05/31/2018)
If you all can, please share your firewall script and make suggestions to harden firewall protection. Thanks in advance.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Tue Sep 11, 2018 18:26 Post subject:
well, it depends what you want to cut off...
of course you can add some rules to harden your router,
but in most of the cases you must know what it is all about and what to block and what not to block..
for example, yep, there are a few lines to make it more robust
and I'll not lie, I do use quite a few extra rules to block this and that, in terms of an internal service or app wanting to get access to a WAN service, or something through WAN looking for the LAN. For example my ISP is trying port 80 or 8080 on the INPUT chain, so I'm forced to have some extra rules to protect those in my case...
these few are quite standard, you can use them with no harm
# drop packets the connection tracker classifies as INVALID, new TCP connections
# that do not start with SYN, and new TCP connections with a bogus MSS
iptables -t mangle -I PREROUTING -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
# drop IP fragments and malformed TCP flag combinations (all flags set / no flags set)
# on traffic to the router itself (INPUT) and traffic passing through it (FORWARD)
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -I FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -I FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -I FORWARD -f -j DROP
iptables -I FORWARD -p tcp ! --syn -m state --state NEW -j DROP
unless you use those WAN ports, you can fairly block them too
# stop SMTP (25), NetBIOS/SMB (137-139, 445), Modbus (502) and the old
# Back Orifice port (31337) from being forwarded through the router
iptables -I FORWARD -p udp --dport 25 -j DROP
iptables -I FORWARD -p tcp -o `get_wanface` --dport 25 -j REJECT
iptables -I FORWARD -p tcp --dport 25 -j DROP
iptables -I FORWARD -p tcp --dport 137 -j DROP
iptables -I FORWARD -p tcp --dport 138 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 502 -j DROP
iptables -I FORWARD -p tcp --dport 31337 -j DROP
iptables -I FORWARD -p udp --dport 137 -j DROP
iptables -I FORWARD -p udp --dport 138 -j DROP
iptables -I FORWARD -p udp --dport 139 -j DROP
iptables -I FORWARD -p udp --dport 445 -j DROP
iptables -I FORWARD -p udp --dport 31337 -j DROP
# the same sanity checks for packets the router itself generates (OUTPUT chain):
# fragments, INVALID state, impossible flag combinations, and new connections without SYN
iptables -I OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
Last edited by Alozaros on Sun Sep 16, 2018 10:21; edited 1 time in total
I must say it works pretty well. However, my VoIP (OBi200 with Google Voice) is not connecting.
The issue is with assigning an IP address for the OBi200. So, I connected it directly to the router
(R7000, firmware: v3.0-r36840M kongac (09/03/2018)) and it started to work.
The moment I move the OBi200 downstairs (where it was originally) it goes back to 'IP address unavailable'.
Is this to do with the above script I am using? Preferably I would like to resolve the
IP address issue before I try your new script. Any solutions you have in mind?
Once again thanks for your response and for sharing firewall scripts, truly appreciated.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Fri Sep 14, 2018 5:37 Post subject:
well, this ad-blocking script blocks a list of particular advert sites; as you stated, when connected directly to the router it works, so it must be a lack of signal issue...
those scripts are saved in the startup script; the other iptables rules above must be saved in the firewall script (the other button)
well, it depends what you want to cut off...
of course you can add some rules to harden your router,
but in most of the cases you must know what it is all about and what to block and what not to block..
for example, yep, there are a few lines to make it more robust
and I'll not lie, I do use quite a few extra rules to block this and that, in terms of an internal service or app wanting to get access to a WAN service, or something through WAN looking for the LAN. For example my ISP is trying port 80 or 8080 on the INPUT chain, so I'm forced to have some extra rules to protect those in my case...
these few are quite standard, you can use them with no harm
iptables -t mangle -I PREROUTING -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -I FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -I FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -I FORWARD -f -j DROP
iptables -I FORWARD -p tcp ! --syn -m state --state NEW -j DROP
unless you use those WAN ports, you can fairly block them too
iptables -I FORWARD -p udp --dport 25 -j DROP
iptables -I FORWARD -p tcp -o `get_wanface` --dport 25 -j REJECT
iptables -I FORWARD -p tcp --dport 25 -j DROP
iptables -I FORWARD -p tcp --dport 137 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 502 -j DROP
iptables -I FORWARD -p tcp --dport 31337 -j DROP
iptables -I FORWARD -p udp --dport 137 -j DROP
iptables -I FORWARD -p udp --dport 138 -j DROP
iptables -I FORWARD -p udp --dport 139 -j DROP
iptables -I FORWARD -p udp --dport 445 -j DROP
iptables -I FORWARD -p udp --dport 31337 -j DROP
iptables -I OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT
iptables -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT
Is there a particular reason for not blocking TCP port 138 or UDP port 502? Also, could you briefly go over what the OUTPUT rules do? Thanks.
well, this ad-blocking script blocks a list of particular advert sites; as you stated, when connected directly to the router it works, so it must be a lack of signal issue...
those scripts are saved in the startup script; the other iptables rules above must be saved in the firewall script (the other button)
Thanks. You are probably right. I connected the VoIP device to the extender and it works straight off the bat.
Understood, iptables script placements.
Speaking about poor signal: I am frustrated with the fluctuating signal strength (rate) at the router level.
2.4G can vary from 70-300 Mbps and 5G varies from 170-433 Mbps. I have tried various settings but am unable
to get a steady rate. Can you please suggest settings that I can try? Many thanks.
It all depends on what channel your neighbours are using.
Thanks. I have used 20 MHz in the past, including a site survey, and found it to be worse.
In fact I just did a site survey and 90% of my neighbours are on 1, 6 or 11. I understand
the limitations posed by the wireless card, drivers etc. but don't know why there is such a huge
spread between min and max, especially with 5 GHz.
All the same, I am happy to test it again. Suggestions on 5G settings?
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Sun Sep 16, 2018 10:27 Post subject:
AKA_SK wrote:
Is there a particular reason for not blocking TCP port 138 or UDP port 502? Also, could you briefly go over what the OUTPUT rules do? Thanks.
well, as I said, it's good to know what all this stuff does; in my case I want to block those for a reason.
SMB operations on Windows machines: it's up to your system requirements, so that's why it's good to know
http://ipset.netfilter.org/iptables.man.html
https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command
just do keep in mind that in order to fit the flash size DD-WRT uses an adapted and stripped version of iptables,
so on some routers some commands/variables are not there ....
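The asymmetry AKA_SK noticed (a port dropped for TCP but not UDP, or the other way round) is easy to miss in a long rule list, so here is an added audit script that is not part of the thread or of DD-WRT: it parses a FORWARD chain dump in `iptables -S` format and reports ports blocked for only one protocol. The RULES text is a constructed sample; on a real box you would feed it `iptables -S FORWARD` instead.

```shell
#!/bin/sh
# Added example, not from the thread: find ports that are DROPped/REJECTed for
# only one of tcp/udp in a FORWARD chain dump.
# RULES is a constructed sample in `iptables -S FORWARD` format.
# On a DD-WRT router replace it with:  RULES=$(iptables -S FORWARD)
RULES='-P FORWARD ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -p udp -m udp --dport 25 -j DROP
-A FORWARD -p tcp -m tcp --dport 137 -j DROP
-A FORWARD -p udp -m udp --dport 137 -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -j DROP
-A FORWARD -p udp -m udp --dport 138 -j DROP
-A FORWARD -p udp -m udp --dport 139 -j DROP
-A FORWARD -p tcp -m tcp --dport 502 -j DROP'

# Print "proto port" for every DROP/REJECT rule that matches a destination port.
blocked_ports() {
    printf '%s\n' "$1" | awk '
        /-j (DROP|REJECT)/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto, port
        }'
}

# Print ports blocked for exactly one of tcp/udp, lowest port first.
one_sided_ports() {
    blocked_ports "$1" | awk '
        $1 == "tcp" { tcp[$2] = 1; seen[$2] = 1 }
        $1 == "udp" { udp[$2] = 1; seen[$2] = 1 }
        END {
            for (p in seen) {
                if (!(p in tcp)) print p, "udp-only"; else if (!(p in udp)) print p, "tcp-only"
            }
        }' | sort -n
}

# With the sample above this prints "138 udp-only" and "502 tcp-only".
one_sided_ports "$RULES"
```

A one-sided entry is not necessarily wrong (SMTP is TCP only), but it is the list to check against the reason each rule was added.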
The startup ad-blocking script I mentioned at the top of the thread has some ads coming through. Is that normal? I take it one cannot fully plug this, as sacrifices in other areas will be made (?) Thanks
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Wed Sep 19, 2018 17:33 Post subject:
Jay461 wrote:
@Alozaros
The startup ad-blocking script I mentioned at the top of the thread has some ads coming through. Is that normal? I take it one cannot fully plug this, as sacrifices in other areas will be made (?) Thanks
yep, there are a few varieties of ad-blocking scripts; all of
them use a host list, D/L'd from a web site, to block,
so it is possible for some adverts to survive, as those lists are
updated at intervals of time