lazardo DD-WRT User
Joined: 17 Apr 2014 Posts: 140 Location: SF Bay Area
Posted: Sun Jan 27, 2019 6:42 Post subject: modifying default firewall w iptables-restore
This is a fully working code fragment from a dynamic firewall script still in development. I'm seeing traditional source patterns shift to distributed VPS with the side effect of diluting effectiveness for old school country blocks. Below is the launch module which adds rules to /tmp/.ipt and restarts the firewall.
Here we see 327 CIDR and port blocks get added to the baseline in 140ms, the firewall completely rebuilt and active in 30ms, e.g., faster than most ping latencies:
Code:
root@dd-wrt:/tmp# time sh ./test.ipt
236 rules added
89 492 3034 .ipt
327 2062 12471 ipt.cidr
416 2554 15505 total
not yet
real 0m 0.14s
user 0m 0.09s
sys 0m 0.07s
root@dd-wrt:/tmp# echo $(( 236 + 89 + 2 ))
327
root@dd-wrt:/tmp# time iptables-restore /tmp/ipt.cidr || startservice firewall
real 0m 0.03s
user 0m 0.03s
sys 0m 0.00s
Code:
#!/bin/sh
# iptables-restore rules injector
OK="not yet" # launch key: set to anything else to actually load the rules
cd /tmp || exit 1
SOURCE=.ipt # native DD-WRT firewall (iptables-save format)
TARGET=ipt.cidr # DD-WRT + NEW
BLOCKS=rt_block.cidr # your CIDR/port block list
CCNT=0 # number of rules added
# edit insert point if you know iptables better than DD-WRT
sed -n '1,/-A INPUT -m state --state RELATED,ESTABLISHED -j logaccept/p' $SOURCE > $TARGET
echo "# pause default rules $( date ) #####" >> $TARGET
while read -r portORip proto; do
    case $portORip in
        [0-9]*.*) # CIDR blocks ###
            if [ "$proto" = "tcp" ]; then
                # AWS droppings
                # SRC=184.73.158.154 TTL=235 DF PROTO=TCP SPT=443 ACK=0 RES=0x00 RST
                echo "-A INPUT -s $portORip -p $proto --sport 443 -j REJECT --reject-with tcp-reset" >> $TARGET
            else
                # normal CIDR
                echo "-A INPUT -s $portORip -j DROP" >> $TARGET
            fi
            ;;
        [0-9]*) # PORTS ###
            # a port line needs tcp|udp: "-p --dport" would make iptables-restore abort with nothing loaded
            if [ "$proto" = "tcp" ]; then tag="tcp-reset"; elif [ "$proto" = "udp" ]; then tag="icmp-port-unreachable"; else continue; fi
            echo "-A INPUT -p $proto --dport $portORip -j REJECT --reject-with $tag" >> $TARGET
            ;;
        *) # not 'N.N.N.N/N [tcp|udp]' and not 'NNNNN tcp|udp'
            continue
            ;;
    esac
    CCNT=$(( CCNT+1 ))
done < $BLOCKS
echo "# resume default rules #####" >> $TARGET
# edit exit point if you know iptables better than DD-WRT
sed -n '/-A INPUT -i vlan2 -p udp --sport 67 --dport 68 -j logaccept/,$ p' $SOURCE >> $TARGET
echo $CCNT rules added
wc $SOURCE $TARGET
if [ "$OK" = "not yet" ]; then
    echo $OK
else
    iptables-restore $TARGET || startservice firewall
fi
Code:
# port block format:
1433 tcp
23 tcp
# AWS droppings format:
34.192.0.0/10 tcp
52.0.0.0/11 tcp
# normal CIDR block format
141.0.0.0/8
151.0.0.0/8
107.192.0.0/11
All blocks sourced from sorting by IP address and/or dest. port and/or source port in my own logs.
Cheers,
Asus RT-N66U
Firmware Version: DD-WRT v3.0-r34311 mega (12/29/17)
Kernel Version: Linux 3.10.108 #17154 Fri Dec 29 10:44:11 CET 2017 mips
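An added example, not part of lazardo's injector: a POSIX sh function that validates one block-list line in the post's format and emits the rule the injector would write for it, rejecting malformed entries (bad port, unknown protocol word, "80/tcp"-style lines) before they reach iptables-restore, which aborts the whole load on a single bad line. The sample list and the `rule_for`/`build_rules` names are constructed for this example.

```shell
#!/bin/sh
# rule_for <cidr-or-port> <proto>
# Prints one "-A INPUT ..." line; returns 1 and prints nothing for unusable input.
rule_for() {
  target=$1
  proto=$2
  case $target in
    ''|'#'*)      return 1 ;;                       # blank line or comment
    *[!0-9./]*)   return 1 ;;                       # only digits, '.' and '/' allowed
    *.*)                                            # CIDR block or bare address
      case $proto in
        tcp) printf -- '-A INPUT -s %s -p tcp --sport 443 -j REJECT --reject-with tcp-reset\n' "$target" ;;
        '')  printf -- '-A INPUT -s %s -j DROP\n' "$target" ;;
        *)   return 1 ;;                            # unknown protocol word
      esac ;;
    *[!0-9]*)     return 1 ;;                       # e.g. "80/tcp": not a plain port number
    *)                                              # destination port, protocol mandatory
      [ "$target" -le 65535 ] || return 1
      case $proto in
        tcp) printf -- '-A INPUT -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$target" ;;
        udp) printf -- '-A INPUT -p udp --dport %s -j REJECT --reject-with icmp-port-unreachable\n' "$target" ;;
        *)   return 1 ;;                            # port lines need tcp|udp
      esac ;;
  esac
}

# build_rules < blocklist
# Prints the accepted rules followed by a count line; rejected lines go to stderr.
build_rules() {
  n=0
  while read -r target proto _; do
    if rule_for "$target" "$proto"; then
      n=$((n + 1))
    else
      printf 'skipped: "%s %s"\n' "$target" "$proto" >&2
    fi
  done
  echo "# $n rules generated"
}

# Constructed sample list in the post's format, with bad lines mixed in.
SAMPLE='# port block format:
1433 tcp
23 udp
80/tcp
99999 tcp
34.192.0.0/10 tcp
141.0.0.0/8
10.0.0.0/8 sctp'

printf '%s\n' "$SAMPLE" | build_rules
```

Pipe the real rt_block.cidr through build_rules and redirect stdout into the "pause"/"resume" gap instead of the injector's echo lines; anything reported on stderr is a line that would have killed the iptables-restore.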