Understanding the default iptables ruleset

DD-WRT Forum Index -> Advanced Networking
leftishness
DD-WRT Novice


Joined: 19 Oct 2017
Posts: 4

PostPosted: Thu Apr 09, 2020 23:35    Post subject: Understanding the default iptables ruleset
I'm having trouble making edits to iptables because my rules are interfering with existing rules. To make matters worse, unless I use some jffs wizardry, I cannot edit the stock ruleset, only the live rules in NVRAM. Even this would be ok, however, except for the fact that editing existing rules requires one to first understand those rules. This is the problem I've been having.

This is the output of 'cat /tmp/.ipt'

Code:
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ! vlan2 -d x.x.x.x -j MARK --set-mark 0x80000000/0x80000000
-A PREROUTING -j CONNMARK --save-mark
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p icmp -d x.x.x.x -j DNAT --to-destination 192.168.1.1
-A PREROUTING -d x.x.x.x -j TRIGGER --trigger-type dnat
-A POSTROUTING -s 192.168.1.1/24 -o vlan2 -j SNAT --to-source x.x.x.x
-A POSTROUTING -s 192.168.3.1/24 -o vlan2 -j SNAT --to-source x.x.x.x
-A POSTROUTING -s 192.168.4.1/24 -o vlan2 -j SNAT --to-source x.x.x.x
-A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:trigger_out - [0:0]
:lan2wan - [0:0]
:grp_1 - [0:0]
:advgrp_1 - [0:0]
:grp_2 - [0:0]
:advgrp_2 - [0:0]
:grp_3 - [0:0]
:advgrp_3 - [0:0]
:grp_4 - [0:0]
:advgrp_4 - [0:0]
:grp_5 - [0:0]
:advgrp_5 - [0:0]
:grp_6 - [0:0]
:advgrp_6 - [0:0]
:grp_7 - [0:0]
:advgrp_7 - [0:0]
:grp_8 - [0:0]
:advgrp_8 - [0:0]
:grp_9 - [0:0]
:advgrp_9 - [0:0]
:grp_10 - [0:0]
:advgrp_10 - [0:0]
:grp_11 - [0:0]
:advgrp_11 - [0:0]
:grp_12 - [0:0]
:advgrp_12 - [0:0]
:grp_13 - [0:0]
:advgrp_13 - [0:0]
:grp_14 - [0:0]
:advgrp_14 - [0:0]
:grp_15 - [0:0]
:advgrp_15 - [0:0]
:grp_16 - [0:0]
:advgrp_16 - [0:0]
:grp_17 - [0:0]
:advgrp_17 - [0:0]
:grp_18 - [0:0]
:advgrp_18 - [0:0]
:grp_19 - [0:0]
:advgrp_19 - [0:0]
:grp_20 - [0:0]
:advgrp_20 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i vlan2 -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p udp -i vlan2 --dport 520 -j DROP
-A INPUT -p udp -i br0 --dport 520 -j DROP
-A INPUT -p udp --dport 520 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i vlan2 -p icmp -j DROP
-A INPUT -p igmp -j DROP
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i vlan3 -j ACCEPT
-A INPUT -i vlan4 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o br0 -j ACCEPT
-A FORWARD -i vlan3 -j lan2wan
-A FORWARD -i vlan4 -j lan2wan
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT
-I FORWARD -o vlan2 -s 192.168.1.1/24 -p tcp --dport 1723 -j ACCEPT
-I FORWARD -o vlan2 -s 192.168.1.1/24 -p gre -j ACCEPT
-A FORWARD -i vlan2 -o br0 -j TRIGGER --trigger-type in
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i vlan2 -o eth0 -j TRIGGER --trigger-type in
-A FORWARD -i eth0 -j trigger_out
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i vlan2 -o eth1 -j TRIGGER --trigger-type in
-A FORWARD -i eth1 -j trigger_out
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT
-A FORWARD -i vlan2 -o eth2 -j TRIGGER --trigger-type in
-A FORWARD -i eth2 -j trigger_out
-A FORWARD -i eth2 -m state --state NEW -j ACCEPT
-A FORWARD -i vlan2 -o vlan1 -j TRIGGER --trigger-type in
-A FORWARD -i vlan1 -j trigger_out
-A FORWARD -i vlan1 -m state --state NEW -j ACCEPT
-A FORWARD -i vlan2 -o vlan3 -j TRIGGER --trigger-type in
-A FORWARD -i vlan3 -j trigger_out
-A FORWARD -i vlan3 -m state --state NEW -j ACCEPT
-A FORWARD -i vlan2 -o vlan4 -j TRIGGER --trigger-type in
-A FORWARD -i vlan4 -j trigger_out
-A FORWARD -i vlan4 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A logaccept -j ACCEPT
-A logdrop -m state --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A logreject -p tcp -j REJECT --reject-with tcp-reset
COMMIT


When I showed this to #Netfilter, they just about lost their minds. No one had anything useful to say about this. I've spent hours on it and can't understand it. Can someone please explain, in clear, formatted, detailed English, what this is and how it works?


Last edited by leftishness on Fri Apr 10, 2020 12:34; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Fri Apr 10, 2020 6:06
It is a configuration file for iptables, you do not mess with that (well, you could, but it is not permanent (you could of course make a link to jffs, set your own file there and restart the firewall)).

You enter your own iptables rules in Administration/Commands Save as firewall.

This will be executed last (there are a few exceptions regarding OpenVPN and WireGuard), so that you can delete existing rules or insert your own chains and/or enter your own rules in the "normal" way.

To see the iptables rules in action just use normal commands from the CLI.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
leftishness
DD-WRT Novice


Joined: 19 Oct 2017
Posts: 4

PostPosted: Fri Apr 10, 2020 12:45
Quote:
It is a configuration file for the iptables, you do not mess with that


So, I've set up vlan3 and vlan4 as separate subnets (192.168.3.1 and 192.168.4.1, respectively). Right now, I'm trying to control that traffic, and the rules that I add via the CLI or the [Admin] > [Command] tab don't seem to be reflected well in the traffic after they are set. So, I think my rules are interfering with the existing rules. To set good rules, I need to understand the existing ruleset. I don't have to 'mess with' them, but I at least need to be able to work around them so that I don't accidentally break something or create a gaping security hole. I need to understand the existing ruleset, not edit it.

Do you know of a good, step-by-step walkthrough of the default ruleset?

egc wrote:
(you could of course make a link to jffs set your own file there and restart the firewall)


I haven't been able to find good, updated, step-by-step instructions on this. Do you know where I could find some?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Fri Apr 10, 2020 13:04
Executing commands via Administration/Commands does not work well; it spawns a process and special characters need to be escaped.

You had better use the CLI (PuTTY/telnet).

Then you can see all the iptables just by doing things like:
iptables -vnL
iptables -vnL -t nat

Controlling VLANs you have made can be done from the interface: you can enable net isolation on the interface, which will isolate it from br0 (and vice versa) and from the router itself.

If that is not enough, you have to create your own rules and save them in Administration/Commands and Save Firewall (test them first from the CLI; if you lock yourself out you can just reboot).

There is no working around or interfering; you can just add your own firewall rules, as they will be executed first (if you insert them) and thus override existing firewall rules.

If you are asking for a crash course in iptables then have a look at the wiki: https://wiki.dd-wrt.com/wiki/index.php/Iptables

or have a look here: https://pastebin.com/1df1XsuK

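To make the first post's dump and egc's point about inserted rules concrete, here is an added Python example that is not part of this thread or of DD-WRT: it parses a constructed subset of the FORWARD rules from the dump, rebuilds the chain in its effective order (-A appends, a bare -I inserts at the head, so the RELATED,ESTABLISHED rule listed last in the file actually runs first) and walks sample packets through it. It evaluates only -i, -o, -s, -p, --dport and --state; TRIGGER targets, empty user chains and other matches simply fall through, which is a simplification of real netfilter behaviour.

```python
import ipaddress
# Constructed subset of the FORWARD rules from the /tmp/.ipt dump in the first post.
IPT = """\
-A FORWARD -i vlan3 -j lan2wan
-A FORWARD -i br0 -o vlan2 -j ACCEPT
-I FORWARD -o vlan2 -s 192.168.1.1/24 -p gre -j ACCEPT
-A FORWARD -i vlan3 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
"""
# Options this toy matcher evaluates; anything else (-m state, --tcp-flags ...) is ignored.
OPTS = {"-i": "in", "-o": "out", "-s": "src", "-p": "proto",
        "--dport": "dport", "--state": "state"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def load(text):
    # Rebuild each chain in its effective order: -A appends, a bare -I inserts at the head.
    chains = {}
    for line in text.splitlines():
        tok = line.split()
        conds = {OPTS[t]: tok[n + 1] for n, t in enumerate(tok) if t in OPTS}
        chain = chains.setdefault(tok[1], [])
        chain.insert(0, (conds, tok[-1])) if tok[0] == "-I" else chain.append((conds, tok[-1]))
    return chains

def matches(conds, pkt):
    # Every option on the rule must hold for the packet; a missing attribute never matches.
    for key, want in conds.items():
        have = pkt.get(key, "")
        if key == "state":
            ok = have in want.split(",")
        elif key == "src":
            ok = bool(have) and ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
        else:
            ok = have == want
        if not ok:
            return False
    return True

def verdict(chains, chain, pkt, policy="ACCEPT"):
    # First match wins; an unknown target (TRIGGER, an empty user chain) just falls through.
    for conds, target in chains.get(chain, []):
        if matches(conds, pkt):
            if target in TERMINAL:
                return target
            if target in chains and (v := verdict(chains, target, pkt, None)):
                return v
    return policy

RULES = load(IPT)
```

Walking a NEW connection from vlan3 to br0 returns ACCEPT, which is why the stock ruleset alone does not isolate the extra VLANs from the main LAN; that is the gap the net isolation option egc mentions is meant to close, and where any rule you add has to be inserted ahead of the `-i vlan3 -m state --state NEW -j ACCEPT` line.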
leftishness
DD-WRT Novice


Joined: 19 Oct 2017
Posts: 4

PostPosted: Fri Apr 10, 2020 17:01
The people at #Netfilter can't make sense of this firewall. They said this is the most confusing, insane ruleset they've ever seen.

If no one can explain the firewall, people shouldn't be using dd-wrt because the devs either don't know what they're doing or aren't transparent enough to explain their security.

Can someone explain this firewall??
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Fri Apr 10, 2020 18:07
leftishness wrote:
The people at #Netfilter can't make sense of this firewall. They said this is the most confusing, insane ruleset they've ever seen.

If no one can explain the firewall, people shouldn't be using dd-wrt because the devs either don't know what they're doing or aren't transparent enough to explain their security.

Can someone explain this firewall??


It is standard IP stuff, nothing wrong with it; you can view and set the iptables with the standard Linux iptables command (https://linux.die.net/man/8/iptables).

If you want some more reading about how to setup a firewall see: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=2ahUKEwjH1Lbztt7oAhUIy6QKHQVKAX8QFjAJegQIAhAB&url=http%3A%2F%2Findex-of.co.uk%2FTutorials%2FSecure%2520Your%2520Network%2520For%2520Free.pdf&usg=AOvVaw1Klib3UckYvGF8GMBFDamy

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Fri Apr 10, 2020 23:31
leftishness wrote:
Can someone explain this firewall?

@egc is being quite polite here, but I'll be a touch less so and point out that it is not really appropriate to come to the forum and post message after message that basically assigns writing a chapter as homework for others to complete. This forum is just volunteers, other users, not a paid professional support staff. You need to back off.

That said, the real answer to your question is to learn something about iptables - there are many tutorials online - and start figuring out pieces of the configuration yourself, as you need to understand different aspects of things. It's way too much to expect to understand the whole thing all at once.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

PostPosted: Sat Apr 11, 2020 16:12
The Netfilter group looks at it from only their point of view. They have created a tool that is open for many interpretations/options. If they want to have the system created using only a certain way, then they should make their code that way.

I personally have seen some worse ones in default linux installations. Or even look at some of the automatically generated ones.

A few things to note are that the setup is non-standard (i.e. virtual interfaces/tunnels ...). Yes, there are some redundant rules, or ones that are not needed unless certain features are enabled.


You are always free to flush all of the rules and change the defaults to what you want.


Setting up a basic NAT firewall takes all of 5 minutes:
Masquerade
Accept only known connections
drop everything else

I have done this in like 3 rules.


I would help, but I do not understand what you are trying to do.


To answer your original question, Yes I can explain, in clear, formatted, detailed English, what the firewall is and how it works. But I can tell you have changed from the defaults, and so I am not sure what you are doing is what you intended.

I also think that you are modifying the .ipt file, which means you are not using the intended way to modify the firewall.
All times are GMT