How to best lockdown router with iptables

DD-WRT Forum Index -> Advanced Networking
inetquestion
DD-WRT User


Joined: 24 Sep 2015
Posts: 67

PostPosted: Mon Jan 30, 2023 20:49    Post subject: How to best lockdown router with iptables
Is there a list of FW rules which can be added to iptables to bolster security? I'd like to lock it down much more than the check boxes provided within the GUI.

Running version r51506 on linksys wrt3200acm...

Objectives
1. Detect/block port scanning, permanently block offenders.
2. Bolster iptables rules to block known attacks.
3. Other use cases?


Where should I look first to make progress? I took a look at FWBuilder, but I'm still not sure if this covers "what" I should be doing to add additional protection.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Mon Jan 30, 2023 22:16    Post subject:
1. Detect/block port scanning, permanently block offenders - in the standard DD-WRT environment that is provided out of the box... you have to do that manually... otherwise you'd need an extra package, like Snort, Suricata, fail2ban, etc.

I'm not sure if this rule will work, as some of the iptables modules are not present on every router, or even at all...
iptables -I FORWARD -m recent --name portscan --rcheck --seconds 8640 -j DROP

2. Bolster iptables rules to block known attacks. - many firewalling rules are available online; google "iptables firewall linux" etc.

3. Other use cases? - what other cases???

In general, the SPI firewall that comes with DD-WRT works well; as a standard SPI it will allow any established and related connections that are already coming from inside, and will block anything else that is not related or tries to make a new connection... google "SPI firewall".

I guess on your router there will be IPset support; those are more robust, faster and less resource-hungry than iptables, and with both you have some powerful stuff to do more... for more on IPset, read egc's excellent guide from the stickies: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261

Also, the practice I have is to disable telnet (which is enabled by default), lock the router's web GUI, and only allow the GUI when I need it... to do that I log in via SSH with a key file only (disable SSH password login) and manually add iptables permit rules... usually MAC- or IP-based.

And from the Security page, limit SSH and other access; this will impose rules that permit only a few attempts, time based...

Also, do not use remote administration over the WAN unless you know what you are doing... best practice for that is to use WireGuard, a VPN, or SSH only...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
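The reply above shows a single `-m recent --rcheck` rule and then lists the things it does by hand (locking the GUI to specific hosts, limiting SSH attempts). One caveat a reader should know: `--rcheck` only consults the `portscan` list; nothing is ever placed on that list unless a companion `--set` rule exists, so the one-liner on its own never matches. The script below is an added example, not code from the thread or from DD-WRT; it puts the two halves together in the form you would paste into Administration -> Commands -> "Save Firewall", and adds the LAN-side management lockdown and SSH throttle the reply describes. Interface names (`eth0`, `br0`), the admin host addresses, `EXPOSED_TCP_PORTS`, and the 24 h quarantine window are assumptions; check them against your own router. The `xt_recent` list is a capped, in-memory list, so this does not survive a reboot; truly permanent blocking needs a persisted ipset, which is outside this script.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT itself. A DD-WRT
# "Save Firewall" style script (Administration -> Commands) that
#   1. quarantines WAN hosts that probe closed TCP ports on the router, using the
#      xt_recent module the one-line rule in the post relies on, and
#   2. restricts SSH / HTTP / HTTPS on the router to named LAN hosts and throttles
#      SSH connection attempts.
# Interface names, admin hosts, exposed ports and the quarantine window are
# ASSUMED placeholders; check them against your own router before use.
WAN_IF="${WAN_IF:-eth0}"                       # assumed; confirm with: nvram get wan_ifname
LAN_IF="${LAN_IF:-br0}"                        # assumed LAN bridge
ADMIN_HOSTS="${ADMIN_HOSTS:-192.168.1.10 192.168.1.11}"   # assumed admin workstations
EXPOSED_TCP_PORTS="${EXPOSED_TCP_PORTS:-}"     # TCP ports you deliberately serve on the WAN; none by default
QUARANTINE_SECS="${QUARANTINE_SECS:-86400}"    # 24 h; xt_recent keeps its list in RAM, so it is gone after a reboot
MGMT_PORTS="22,80,443"

# Print the rules instead of running them, so the set can be reviewed on a
# workstation before it touches the live router.
generate_firewall_rules() {
    # Optional exclusion for ports that are legitimately reachable from the WAN.
    probe_filter=""
    if [ -n "$EXPOSED_TCP_PORTS" ]; then
        probe_filter="-m multiport ! --dports $EXPOSED_TCP_PORTS"
    fi
    cat <<EOF
# -- WAN port-probe quarantine (xt_recent) --
# Inserted at the top (-I) because the stock INPUT chain ends in DROP, so anything
# merely appended (-A) would never be evaluated.
# 1. Sources already on the 'portscan' list are dropped; --update also refreshes
#    the timestamp, so a scanner that keeps coming back never times out.
iptables -I INPUT 1 -i $WAN_IF -m recent --name portscan --update --seconds $QUARANTINE_SECS -j DROP
iptables -I FORWARD 1 -i $WAN_IF -m recent --name portscan --update --seconds $QUARANTINE_SECS -j DROP
# 2. A new TCP connection from the WAN to the router on a port you do not serve is
#    a probe: log it (rate-limited) and add the source to the list. Without a
#    --set rule like this the list stays empty and the rules above never match.
iptables -I INPUT 2 -i $WAN_IF -p tcp --syn $probe_filter -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "PORTSCAN: "
iptables -I INPUT 3 -i $WAN_IF -p tcp --syn $probe_filter -m recent --name portscan --set -j DROP
# -- LAN-side management access --
# Each -I lands at position 1, so the DROP is inserted first and the per-host
# ACCEPTs that follow end up above it: only ADMIN_HOSTS reach SSH/GUI at all.
iptables -I INPUT 1 -i $LAN_IF -p tcp -m multiport --dports $MGMT_PORTS -j DROP
EOF
    for host in $ADMIN_HOSTS; do
        echo "iptables -I INPUT 1 -i $LAN_IF -s $host -p tcp -m multiport --dports $MGMT_PORTS -j ACCEPT"
    done
    cat <<EOF
# SSH throttle for the hosts that remain: the --set rule (inserted last, so it
# sits first) records each new SSH connection, and the 4th one within 60 s from
# the same source is dropped (the Security page limiter does similar via the GUI).
iptables -I INPUT 1 -i $LAN_IF -p tcp --dport 22 --syn -m recent --name sshbf --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT 1 -i $LAN_IF -p tcp --dport 22 --syn -m recent --name sshbf --set
EOF
}

# Number of iptables commands the generator emits (quick sanity check).
rule_count() {
    generate_firewall_rules | grep -c '^iptables'
}

# Run the generated rules; needs root and an iptables binary, i.e. the router itself.
apply_firewall_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    generate_firewall_rules | sh -e
}

# Usage:  sh lockdown.sh         -> print the rules for review
#         sh lockdown.sh apply   -> apply them on the router
case "${1:-show}" in
    apply) apply_firewall_rules ;;
    *)     generate_firewall_rules ;;
esac
```

Run it without arguments on a workstation first and read the output; on the router, the printed block is what goes into the "Save Firewall" box. If the `recent` module is missing on a given build (the reply's own caveat), the `-m recent` lines fail with an error at apply time rather than silently doing nothing, which is another reason to apply with `sh -e`.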