iptables as documentation

DD-WRT Forum Index -> Advanced Networking
arpadf78
DD-WRT Novice


Joined: 01 Jan 2021
Posts: 7

Posted: Mon Apr 25, 2022 10:51    Post subject: iptables as documentation
Router: netgear r7800
Build: r48540

=====================================================
Setup -> Basic Setup
=====================================================

# Forced DNS Redirection
iptables -t nat -A DNAT -i br0 -p udp --dport 53 -j DNAT --to-destination ${BR0_IP}
iptables -t nat -A DNAT -i br0 -p tcp --dport 53 -j DNAT --to-destination ${BR0_IP}

=====================================================
Setup -> Advanced Routing
=====================================================

---- Routing Tables -------------------

# Masquerade Route (NAT): Yes
iptables -t nat -A POSTROUTING -o ppp0 -s ${DEST_LAN_NET} -j SNAT --to-source ${LOCAL_PPP0_IP}

=====================================================
Setup -> Networking
=====================================================

---- Network Configuration oet1 -------

# Multicast forwarding: Enable
iptables -A INPUT -i ppp0 -p igmp -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -d 224.0.0.0/4 -j ACCEPT
----/Disable
iptables -A INPUT -i ppp0 -p igmp -j logdrop

# Masquerade / NAT: Enable
iptables -t nat -A POSTROUTING -o ppp0 -s ${LOCAL_OET1_IP} -j SNAT --to-source ${LOCAL_PPP0_IP}
iptables -I FORWARD -i oet1 -j lan2wan
# Filter WAN NAT Redirection: Disable
iptables -t nat -A POSTROUTING -o oet1 -m pkttype --pkt-type broadcast -j RETURN
iptables -t nat -A POSTROUTING -o oet1 -s ${LOCAL_OET1_IP} -d ${LOCAL_OET1_IP} -j MASQUERADE

# Net Isolation
iptables -A INPUT -i oet1 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i oet1 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i oet1 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i oet1 -m state --state NEW -j logdrop
iptables -I FORWARD -i oet1 -d ${BR0_NET} -m state --state NEW -j logdrop

# Forced DNS Redirection
iptables -t nat -I PREROUTING -i oet1 -p udp --dport 53 -j DNAT --to-destination ${BR0_IP}
iptables -t nat -I PREROUTING -i oet1 -p tcp --dport 53 -j DNAT --to-destination ${BR0_IP}


=====================================================
Setup -> Tunnels
=====================================================

# CVE-2019-14899 Mitigation
iptables -t raw -A PREROUTING ! -i oet1 -d ${LOCAL_OET1_IP} -m addrtype ! --src-type LOCAL -j DROP

# NAT via tunnel: Enable
iptables -t nat -A POSTROUTING -o oet1 -j SNAT --to-source ${LOCAL_OET1_IP}

# Firewall inbound: No
iptables -I INPUT -i oet1 -m state --state NEW -j ACCEPT
iptables -I INPUT -i ppp0 -p udp --dport 51820 -j ACCEPT
iptables -I FORWARD -i oet1 -m state --state NEW -j ACCEPT

# Kill Switch
iptables -I FORWARD -o ppp0 -j REJECT


===========================================================
Security -> Firewall
===========================================================

---- Block WAN Requests ---------------

# Filter WAN NAT Redirection: No
iptables -t nat -A POSTROUTING -o br0 -m pkttype --pkt-type broadcast -j RETURN
iptables -t nat -A POSTROUTING -o br0 -s ${BR0_NET} -d ${BR0_NET} -j MASQUERADE

---- Impede WAN DoS/Bruteforce --------
# Limit SSH Access
iptables -A logbrute -m recent --set --name BRUTEFORCE --rsource
iptables -A logbrute -m recent ! --update --seconds 60 --hitcount 4 --name BRUTEFORCE --rsource -j RETURN
iptables -A logbrute -m limit --limit 1/min --limit-burst 1 -j RETURN
iptables -A logbrute -j LOG --log-prefix "[DROP BRUTEFORCE] : " --log-tcp-options --log-ip-options
iptables -A logbrute -j logdrop
---- SSH Management: Enable
iptables -A INPUT -i ppp0 -p tcp -d 192.168.2.1 --dport 22 -j logbrute

# Log Level: Medium
iptables -j DROP => iptables -j logdrop

# Log Level: High
iptables -j DROP => iptables -j logdrop
iptables -j ACCEPT => iptables -j logaccept


===========================================================
Security -> VPN Passthrough
===========================================================

# IPSec Passthrough: No
iptables -A FORWARD -o ppp0 -p udp --dport 500 -j DROP

# PPTP Passthrough: Yes
iptables -A FORWARD -o ppp0 -p tcp -s ${BR0_NET} --dport 1723 -j ACCEPT
iptables -A FORWARD -o ppp0 -p gre -s ${BR0_NET} -j ACCEPT
----/No
iptables -A FORWARD -o ppp0 -p tcp --dport 1723 -j DROP

# L2TP Passthrough: No
iptables -A FORWARD -o ppp0 -p tcp --dport 1701 -j DROP


Last edited by arpadf78 on Tue Apr 26, 2022 11:41; edited 1 time in total
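An added example, not part of the original post: a POSIX shell audit that checks an `iptables-save` dump for the rules several of the options above are expected to produce (forced DNS redirection on the LAN bridge, the kill switch, the CVE-2019-14899 guard). The sample dump, interface names and addresses are constructed assumptions; on a router you would feed it `$(iptables-save)` instead.

```shell
#!/bin/sh
# Audit an iptables-save dump for the rules the GUI options are expected to generate.

# Constructed sample dump (not captured from a real router). The forced-DNS UDP
# rule is present but the TCP one is deliberately missing; the WireGuard kill
# switch and the CVE-2019-14899 guard are in place.
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -i oet1 -d 10.8.0.2/32 -m addrtype ! --src-type LOCAL -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A POSTROUTING -o oet1 -j SNAT --to-source 10.8.0.2
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o ppp0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# rule_present DUMP TABLE RULE: succeed if RULE (fixed string) appears inside TABLE.
rule_present() {
    printf '%s\n' "$1" | awk -v table="*$2" -v rule="$3" '
        $0 == table    { in_table = 1; next }
        $0 == "COMMIT" { in_table = 0 }
        in_table && index($0, rule) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Both UDP and TCP port 53 must be redirected, or TCP DNS clients bypass the redirect.
check_forced_dns() {    # DUMP LAN_IF LAN_IP
    rule_present "$1" nat "-A PREROUTING -i $2 -p udp -m udp --dport 53 -j DNAT --to-destination $3" &&
    rule_present "$1" nat "-A PREROUTING -i $2 -p tcp -m tcp --dport 53 -j DNAT --to-destination $3"
}
# Kill switch: forwarded traffic must not leave through the raw WAN interface.
check_kill_switch() {   # DUMP WAN_IF
    rule_present "$1" filter "-A FORWARD -o $2 -j REJECT"
}
# CVE-2019-14899 guard: packets for the tunnel address arriving off-tunnel are dropped.
check_tunnel_guard() {  # DUMP TUN_IF TUN_IP
    rule_present "$1" raw "-A PREROUTING ! -i $2 -d $3/32 -m addrtype ! --src-type LOCAL -j DROP"
}

# audit_dump DUMP: print PASS/FAIL per check, return the number of failed checks.
audit_dump() {
    fails=0
    run() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi; }
    run check_forced_dns "$1" br0 192.168.1.1
    run check_kill_switch "$1" ppp0
    run check_tunnel_guard "$1" oet1 10.8.0.2
    return $fails
}

audit_dump "$SAMPLE_DUMP" || echo "$? check(s) failed"
```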
arpadf78
DD-WRT Novice


Joined: 01 Jan 2021
Posts: 7

Posted: Mon Apr 25, 2022 10:54    Post subject: why?
Since I'm not touching the DD-WRT configuration frequently enough, I forget which option does what.

So I started documenting some of the options in the context of the iptables commands they generate. I find it very helpful, and I'm posting this in case it might be helpful for others.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

Posted: Mon Apr 25, 2022 22:12
Just an FYI... depending on what build/router you have the iptables options can be different because some modules are not compiled due to space reasons.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Tue Apr 26, 2022 7:29    Post subject: Re: iptables as documentation
Some of those lines could be set up via GUI options/settings,
as well some of those are very router specific...and router use/mode specific...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
arpadf78
DD-WRT Novice


Joined: 01 Jan 2021
Posts: 7

Posted: Tue Apr 26, 2022 11:40
Thanks for the feedback. I will post my router along with the rules as well.
_________________
Router: Netgear R7800