[SOLVED] Rules in Firewall commands are duplicated

DD-WRT Forum Index -> Broadcom SoC based Hardware
Encephala
DD-WRT Novice


Joined: 02 Oct 2022
Posts: 6

PostPosted: Wed Nov 02, 2022 21:33    Post subject: [SOLVED] Rules in Firewall commands are duplicated
Router: Netgear R7000
Firmware: v3.0-r50308
Kernel: Linux 4.4.302

I have a few rules set in my Firewall commands. These all work as expected, but when I ran
Code:
iptables -L FORWARD -v -n --line-numbers
I noticed that all the rules I implemented are duplicated. After rebooting the router, the duplicated rules persist.
When I empty the list of rules and add them one-by-one, I don't see any duplicated rules. As soon as I put all these rules in the Firewall commands and reboot, the iptables get doubly populated again. It seems like somehow the router is running through this list of commands twice.

Although this is not necessarily a problem because connecting works as expected, it makes reading the iptables more difficult and I'd rather fix this before it becomes a problem.

Here is the output of the above iptables command. Note the duplicate rules for line 1-9 and 10-18. Interestingly, rules 16 and 17 (those allowing communication between vlans and wan) have caught some traffic, although rules 7 and 8 above are exactly the same.

Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       98 56120 ACCEPT     tcp  --  vlan3  br0     0.0.0.0/0            0.0.0.0/0            multiport dports 22,80,443,8006,8443,8080,8081
2        0     0 ACCEPT     all  --  *      *       10.0.49.0/24         10.0.50.0/24
3       25  1583 ACCEPT     udp  --  *      *       10.0.0.0/8           10.0.50.99           udp dpt:53
4        0     0 ACCEPT     tcp  --  *      *       10.0.0.0/8           10.0.50.99           tcp dpt:53
5       21  4375 ACCEPT     tcp  --  *      *       10.0.51.0/24         10.0.50.10           multiport dports 139,445
6        0     0 ACCEPT     tcp  --  *      *       10.0.0.0/8           10.0.50.10           multiport dports 5000,5001
7      407  280K ACCEPT     all  --  vlan2  vlan+   0.0.0.0/0            0.0.0.0/0
8      331 92372 ACCEPT     all  --  vlan+  vlan2   0.0.0.0/0            0.0.0.0/0
9        0     0 DROP       all  --  vlan+  vlan+   0.0.0.0/0            0.0.0.0/0
10       0     0 ACCEPT     tcp  --  vlan3  br0     0.0.0.0/0            0.0.0.0/0            multiport dports 22,80,443,8006,8443,8080,8081
11       0     0 ACCEPT     all  --  *      *       10.0.49.0/24         10.0.50.0/24
12       6   407 ACCEPT     udp  --  *      *       10.0.0.0/8           10.0.50.99           udp dpt:53
13       0     0 ACCEPT     tcp  --  *      *       10.0.0.0/8           10.0.50.99           tcp dpt:53
14       0     0 ACCEPT     tcp  --  *      *       10.0.51.0/24         10.0.50.10           multiport dports 139,445
15       0     0 ACCEPT     tcp  --  *      *       10.0.0.0/8           10.0.50.10           multiport dports 5000,5001
16      93 77958 ACCEPT     all  --  vlan2  vlan+   0.0.0.0/0            0.0.0.0/0
17      85 15943 ACCEPT     all  --  vlan+  vlan2   0.0.0.0/0            0.0.0.0/0
18       0     0 DROP       all  --  vlan+  vlan+   0.0.0.0/0            0.0.0.0/0
19       0     0 DROP       all  --  eth1   *       0.0.0.0/0            10.0.50.0/24         state NEW


(rules below 18 are auto-generated by DD-WRT and are left out).

Here are the Firewall commands that generate the rules:
Code:
iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
iptables -I FORWARD -i vlan+ -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan+ -j ACCEPT

iptables -I FORWARD -d 10.0.50.10/32 -s 10.0.0.0/8 -p tcp -m multiport --dports 5000,5001 -j ACCEPT
iptables -I FORWARD -s 10.0.51.0/24 -d 10.0.50.10 -p tcp -m multiport --dports 139,445 -j ACCEPT

iptables -I FORWARD -d 10.0.50.99/32 -s 10.0.0.0/8 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -d 10.0.50.99/32 -s 10.0.0.0/8 -p udp --dport 53 -j ACCEPT

iptables -I FORWARD -d 10.0.50.0/24 -s 10.0.49.0/24 -j ACCEPT # is this necessary?

iptables -I INPUT -i vlan3 -p tcp -m multiport --dports 22,80 -j ACCEPT
iptables -I FORWARD -i vlan3 -o br0 -p tcp -m multiport --dports 22,80,443,8006,8443,8080,8081 -j ACCEPT

Has anybody seen this before? Any clue as to how I can fix it, or can you convince me that I should just accept it? :)
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2979
Location: Germany

PostPosted: Thu Nov 03, 2022 7:38
Just ignore it as it is not functionally relevant.
Otherwise you can delete the rules before creating them.
Code:
iptables -D FORWARD -i vlan+ -o vlan+ -j DROP
iptables -I FORWARD -i vlan+ -o vlan+ -j DROP

This prevents rules from being created multiple times.
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1857
Location: Hung Hom, Hong Kong

PostPosted: Thu Nov 03, 2022 11:24    Post subject: Re: [SOLVED] Rules in Firewall commands are duplicated
Encephala wrote:
Although this is not necessarily a problem because connecting works as expected, it makes reading the iptables more difficult and I'd rather fix this before it becomes a problem.

Here is the output of the above iptables command. Note the duplicate rules for line 1-9 and 10-18. Interestingly, rules 16 and 17 (those allowing communication between vlans and wan) have caught some traffic, although rules 7 and 8 above are exactly the same.

The firewall script is always started multiple times, sometimes with 2 instances running at the same time! That might explain the duplicates.

DD-WRT :: View topic - New Build - 10/13/2022 - r50500
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=333118&start=2

You might consider moving your custom iptables rules to the startup script, which is always executed once after the firewall script.

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2979
Location: Germany

PostPosted: Thu Nov 03, 2022 12:25
This is a very bad idea.
The firewall is executed after startup and overwrites firewall rules in startup.
That's why we moved all the rules to the firewall a long time ago.
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1857
Location: Hung Hom, Hong Kong

PostPosted: Thu Nov 03, 2022 12:34
ho1Aetoo wrote:
This is a very bad idea.
The firewall is executed after startup and overwrites firewall rules in startup.
That's why we moved all the rules to the firewall a long time ago.

Well, if the startup script was not the right place, then fall back further to the USB script. My suggestion was to prevent multiple instances of the firewall script. :)

I assumed that you were calling the iptables command to add rules, not using iptables-save and iptables-restore.

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Thu Nov 03, 2022 13:45
The startup script is a terrible place for these, because as soon as you configure something in the UI and click Apply, all services restart and what is in startup is ignored.

The proper advice has been given by ho1Aetoo.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
Encephala
DD-WRT Novice


Joined: 02 Oct 2022
Posts: 6

PostPosted: Thu Nov 03, 2022 15:02
Thanks ho1Aetoo, that would work, yeah.
Slightly janky solution for a janky problem, works for me.

Thanks all!
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1857
Location: Hung Hom, Hong Kong

PostPosted: Fri Nov 04, 2022 10:18
ho1Aetoo wrote:
This is a very bad idea.
The firewall is executed after startup and overwrites firewall rules in startup.
That's why we moved all the rules to the firewall a long time ago.

Today I did a trace of the repeated /tmp/.rc_firewall execution using PID and found that they had never overlapped with each other.
Code:
:~# grep changmw /var/log/messages
Jan  1 08:00:19 rt-n18u user.notice root: changmw: starting /tmp/.rc_firewall (1022)
Jan  1 08:00:20 rt-n18u user.notice root: : changmw exiting /tmp/.rc_firewall (1022)
Jan  1 08:00:29 rt-n18u user.notice root: changmw: starting /tmp/.rc_firewall (1671)
Jan  1 08:00:30 rt-n18u user.notice root: : changmw exiting /tmp/.rc_firewall (1671)
Nov  4 18:14:29 rt-n18u user.notice inadyn[1954]: Update forced for alias changmw.ddns.net, new IP# 110.235.6.142
Nov  4 18:14:30 rt-n18u user.notice inadyn[1954]: Updating cache for changmw.ddns.net
Nov  4 18:14:31 rt-n18u user.notice root: changmw: starting /tmp/.rc_firewall (2317)
Nov  4 18:14:32 rt-n18u user.notice root: : changmw exiting /tmp/.rc_firewall (2317)
Nov  4 18:14:36 rt-n18u user.notice root: changmw: starting /tmp/.rc_startup (2789)
Nov  4 18:14:37 rt-n18u user.notice root: : changmw exiting /tmp/.rc_startup (2789)
Nov  4 18:14:40 rt-n18u user.notice root: changmw: starting /tmp/.rc_usb
Nov  4 18:14:40 rt-n18u user.notice root: changmw: starting /tmp/.rc_usb
Nov  4 18:14:40 rt-n18u user.notice root: changmw: .rc_usb already started
Nov  4 18:14:42 rt-n18u user.notice root: : changmw exiting /tmp/.rc_usb

Modified the scripts and tried again. This time the startup script overlapped with the USB script. Firewall script execution still had no overlap.
Code:
Jan  1 08:00:19 rt-n18u user.notice root: changmw[1018]: starting /tmp/.rc_firewall
Jan  1 08:00:20 rt-n18u user.notice root: changmw[1018]: exiting /tmp/.rc_firewall
Jan  1 08:00:29 rt-n18u user.notice root: changmw[1627]: starting /tmp/.rc_firewall
Jan  1 08:00:30 rt-n18u user.notice root: changmw[1627]: exiting /tmp/.rc_firewall
Nov  4 19:51:34 rt-n18u user.warn inadyn[2025]: Failed resolving hostname changmw.ddns.net: Try again
Nov  4 19:51:35 rt-n18u user.notice inadyn[2025]: Update forced for alias changmw.ddns.net, new IP# 110.235.6.142
Nov  4 19:51:38 rt-n18u user.notice root: changmw[2671]: starting /tmp/.rc_firewall
Nov  4 19:51:39 rt-n18u user.notice inadyn[2025]: Updating cache for changmw.ddns.net
Nov  4 19:51:39 rt-n18u user.notice root: changmw[2671]: exiting /tmp/.rc_firewall
Nov  4 19:51:45 rt-n18u user.notice root: changmw[3305]: starting /tmp/.rc_startup
Nov  4 19:51:46 rt-n18u user.notice root: changmw: starting /tmp/.rc_usb
Nov  4 19:51:46 rt-n18u user.notice root: changmw: starting /tmp/.rc_usb
Nov  4 19:51:46 rt-n18u user.notice root: changmw: .rc_usb already started
Nov  4 19:51:46 rt-n18u user.notice root: changmw[3305]: exiting /tmp/.rc_startup



Last edited by mwchang on Fri Nov 04, 2022 11:58; edited 3 times in total
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2979
Location: Germany

PostPosted: Fri Nov 04, 2022 11:00
No idea what I should see there...
With me it looks like this:
Code:
Jan 1 01:00:59 DD-WRT user.notice root: firewall
Jan 1 01:01:01 DD-WRT user.notice root: firewall
Jan 1 01:01:08 DD-WRT user.notice root: firewall
Jan 1 01:01:08 DD-WRT user.notice root: startup
Jan 1 01:01:09 DD-WRT user.notice root: firewall
Nov 4 11:56:27 DD-WRT user.notice root: firewall
Nov 4 11:56:28 DD-WRT user.notice root: firewall
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1857
Location: Hung Hom, Hong Kong

PostPosted: Fri Nov 04, 2022 11:41
ho1Aetoo wrote:
No idea what I should see there...
With me it looks like this:
Code:
Jan 1 01:00:59 DD-WRT user.notice root: firewall
Jan 1 01:01:01 DD-WRT user.notice root: firewall
Jan 1 01:01:08 DD-WRT user.notice root: firewall
Jan 1 01:01:08 DD-WRT user.notice root: startup
Jan 1 01:01:09 DD-WRT user.notice root: firewall
Nov 4 11:56:27 DD-WRT user.notice root: firewall
Nov 4 11:56:28 DD-WRT user.notice root: firewall

Are you using VPN? The 3 firewall entries after startup might be related. I don't use VPN.

BTW, it's interesting that we both had 3 firewall entries before startup.

All times are GMT