modifying default firewall w iptables-restore

lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

PostPosted: Sun Jan 27, 2019 6:42    Post subject: modifying default firewall w iptables-restore
This is a fully working code fragment from a dynamic firewall script still in development. I'm seeing traditional source patterns shift to distributed VPS with the side effect of diluting effectiveness for old school country blocks. Below is the launch module which adds rules to /tmp/.ipt and restarts the firewall.

Here we see 327 CIDR and port blocks get added to the baseline in 140ms, the firewall completely rebuilt and active in 30ms, i.e., faster than most ping latencies:
Code:
root@dd-wrt:/tmp# time sh ./test.ipt
236 rules added
       89       492      3034 .ipt
      327      2062     12471 ipt.cidr
      416      2554     15505 total
not yet
real   0m 0.14s
user   0m 0.09s
sys   0m 0.07s
root@dd-wrt:/tmp# echo $(( 236 + 89 + 2 ))
327
root@dd-wrt:/tmp# time iptables-restore /tmp/ipt.cidr || startservice firewall
real   0m 0.03s
user   0m 0.03s
sys   0m 0.00s


Code:
#!/bin/sh
# iptables-restore rules injector

OK="not yet"      # launch key: anything else arms the restore at the bottom

cd /tmp

SOURCE=.ipt      # native DD-WRT firewall
TARGET=ipt.cidr      # DD-WRT + NEW
BLOCKS=rt_block.cidr   # your CIDR/port block list

CCNT=0      # count of rules added

# edit insert point if you know iptables better than DD-WRT
sed -n '1,/-A INPUT -m state --state RELATED,ESTABLISHED -j logaccept/p' $SOURCE > $TARGET
echo "# pause default rules $( date ) #####"  >> $TARGET

while read -r portORip proto; do
   case $portORip in
      [0-9]*.*)   # CIDR blocks ###
         if [ "$proto" = "tcp" ]; then
            # AWS droppings
            # SRC=184.73.158.154 TTL=235 DF PROTO=TCP SPT=443 ACK=0 RES=0x00 RST
            echo "-A INPUT -s $portORip -p $proto --sport 443 -j REJECT --reject-with tcp-reset" >> $TARGET
         else
            # normal CIDR
            echo "-A INPUT -s $portORip -j DROP" >> $TARGET
         fi
         ;;
      [0-9]*)      # PORTS ###
         if [ "$proto" = "tcp" ]; then tag="tcp-reset"; else tag="icmp-port-unreachable"; fi
         echo "-A INPUT -p $proto --dport $portORip -j REJECT --reject-with $tag" >> $TARGET
         ;;
      *)      # not 'N.N.N.N/N [tcp|udp]' and not 'NNNNN tcp|udp' (comments, blank lines)
         continue
         ;;
   esac

   CCNT=$(( CCNT+1 ))
done < $BLOCKS

echo "# resume default rules #####" >> $TARGET
# edit exit point if you know iptables better than DD-WRT
sed -n '/-A INPUT -i vlan2 -p udp --sport 67 --dport 68 -j logaccept/,$ p' $SOURCE >> $TARGET

echo $CCNT rules added
wc $SOURCE $TARGET

if [ "$OK" = "not yet" ]; then
   echo $OK
else
   # fall back to the stock firewall if the spliced ruleset is rejected
   iptables-restore $TARGET || startservice firewall
fi

Code:
# port block format:
1433 tcp
23 tcp
# AWS droppings format:
34.192.0.0/10 tcp
52.0.0.0/11 tcp
# normal CIDR block format
141.0.0.0/8
151.0.0.0/8
107.192.0.0/11

All blocks were sourced by sorting my own logs by IP address and/or destination port and/or source port.

Cheers,

Asus RT-N66U
Firmware Version: DD-WRT v3.0-r34311 mega (12/29/17)
Kernel Version: Linux 3.10.108 #17154 Fri Dec 29 10:44:11 CET 2017 mips
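As an added example (not the poster's script, and not part of the post above): a POSIX sh version of the same splice that validates each block-list entry before it is rendered and refuses to write the target file if any entry is malformed or if either splice anchor (or the closing COMMIT) is missing from the saved ruleset. The original silently skips anything that does not match its two patterns, so a typo in the list drops a rule without notice, and if DD-WRT ever renames a splice anchor the second sed emits nothing and the tail of the firewall is lost. The anchor lines are the ones the post splices on; the file names and the sample inputs in the demo are constructed, and the rendering follows the post's mapping (tcp CIDR → sport 443 tcp-reset, other CIDR → DROP, port → REJECT).

```shell
#!/bin/sh
# Added example (not from the original post): validate a block list in the
# post's "N.N.N.N/N [tcp|udp]" / "NNNNN tcp|udp" format, render it to
# iptables-restore rule lines, and refuse to write the spliced ruleset when
# any entry is malformed or a splice anchor is missing from the saved rules.
# The anchor lines are the ones the post splices on; demo file names are constructed.

START_ANCHOR='-A INPUT -m state --state RELATED,ESTABLISHED -j logaccept'
END_ANCHOR='-A INPUT -i vlan2 -p udp --sport 67 --dport 68 -j logaccept'

# valid_cidr A.B.C.D[/N]: four octets 0-255, prefix 0-32 (bare host = /32)
valid_cidr() {
    addr=${1%/*}
    case $1 in */*) plen=${1#*/} ;; *) plen=32 ;; esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    IFS=.; set -- $addr; unset IFS
    [ $# -eq 4 ] || return 1
    for oct; do
        case $oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# valid_port N: digits only, 1-65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_rule KEY [PROTO]: print one rule using the post's mapping, or
# return 1 and print nothing when the entry is malformed
render_rule() {
    key=$1 proto=$2
    case $proto in tcp|udp|'') ;; *) return 1 ;; esac
    case $key in
        *.*)   # CIDR block or single host
            valid_cidr "$key" || return 1
            if [ "$proto" = tcp ]; then
                printf '%s\n' "-A INPUT -s $key -p tcp --sport 443 -j REJECT --reject-with tcp-reset"
            else
                printf '%s\n' "-A INPUT -s $key -j DROP"
            fi ;;
        *)     # destination port; protocol is required here
            [ -n "$proto" ] || return 1
            valid_port "$key" || return 1
            if [ "$proto" = tcp ]; then tag=tcp-reset; else tag=icmp-port-unreachable; fi
            printf '%s\n' "-A INPUT -p $proto --dport $key -j REJECT --reject-with $tag" ;;
    esac
}

# render_list < BLOCKS: rules on stdout, summary on stderr; fails if any
# non-comment line was rejected, so a typo cannot vanish from the set unnoticed
render_list() {
    count=0 bad=0
    while read -r key proto; do
        case $key in ''|'#'*) continue ;; esac
        if render_rule "$key" "$proto"; then
            count=$((count + 1))
        else
            bad=$((bad + 1)); echo "rejected entry: $key $proto" >&2
        fi
    done
    echo "$count rules rendered, $bad rejected" >&2
    [ "$bad" -eq 0 ]
}

# check_anchors SAVED: both splice points and a COMMIT must exist, otherwise
# the sed ranges below would yield a truncated ruleset
check_anchors() {
    grep -qF -e "$START_ANCHOR" "$1" && grep -qF -e "$END_ANCHOR" "$1" && grep -qx COMMIT "$1"
}

# splice_rules SAVED BLOCKS TARGET: write TARGET only when everything validated
splice_rules() {
    src=$1 blocks=$2 target=$3
    check_anchors "$src" || { echo "splice anchors or COMMIT missing in $src" >&2; return 1; }
    rules=$(render_list < "$blocks") || { echo "bad entries in $blocks, nothing written" >&2; return 1; }
    {
        sed -n "1,/^$START_ANCHOR\$/p" "$src"
        echo "# custom blocks begin #####"
        printf '%s\n' "$rules"
        echo "# custom blocks end #####"
        sed -n "/^$END_ANCHOR\$/,\$p" "$src"
    } > "$target"
    grep -qx COMMIT "$target"   # the tail of the saved rules survived the splice
}

# Demo on constructed inputs (not a real router dump); the last block entry is
# deliberately malformed, so nothing is written and no restore would be attempted.
demo=$(mktemp -d)
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':logaccept - [0:0]' \
    "$START_ANCHOR" "$END_ANCHOR" '-A INPUT -j DROP' 'COMMIT' > "$demo/.ipt"
printf '%s\n' '# port block format:' '1433 tcp' '23 tcp' '34.192.0.0/10 tcp' \
    '141.0.0.0/8' '999.1.1.1/8' > "$demo/rt_block.cidr"
if splice_rules "$demo/.ipt" "$demo/rt_block.cidr" "$demo/ipt.cidr"; then
    echo "ready: $(wc -l < "$demo/ipt.cidr") lines; review, then iptables-restore $demo/ipt.cidr"
else
    echo "not written; fix the block list first"
fi
rm -rf "$demo"
```

Dropping the malformed `999.1.1.1/8` line from the constructed list makes the demo write the target, ending in the saved ruleset's own COMMIT; keeping the post's `iptables-restore $TARGET || startservice firewall` fallback after a successful splice is still sensible, since validation here only covers the list format, not everything iptables-restore may reject.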