SPI Firewall Question + custom IP Tables Rules

nashford77
DD-WRT Novice


Joined: 16 Nov 2020
Posts: 2

PostPosted: Sun Mar 10, 2024 20:53    Post subject: SPI Firewall Question + custom IP Tables Rules
Hello, I run my own rules (I have a complex mesh I connect some end clients on DD-WRT to) and the behavior of DD-WRT's SPI firewall makes no sense.... I have my own external rules being applied by commands that work fine 99%, but I disabled the SPI firewall as it is of no use to me running my own rules, and it decides to stop remote HTTPS and SSH - lol - "WHY"?

It is not just blocked; even locally on the router it's just gone totally if I try to hit it from the external port.

I see it in nvram as being on; this makes 0 sense why it acts so greedily. It should just disable addition of its own rules in iptables vs. killing all external services & removing access to things it usually manages, seemingly. Why is it taking the "we know best" approach ;0

Here is what I am applying via script, and I want it to be authoritative, per se. Here is what it is doing.

Applied:

# Default Policy
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Allow established and related connections on all interfaces
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow all input on interfaces other than the WAN
iptables -A INPUT ! -i eth0 -j ACCEPT

# WG USER VPN IN
iptables -A INPUT -i eth0 -p udp -m udp --dport 41001 -j ACCEPT

# WG PEER IN
iptables -A INPUT -i eth0 -p udp -m udp --dport 10002 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 10003 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 10004 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 10005 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 10006 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 10007 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 10008 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 10009 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 10010 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 10055 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 10099 -j ACCEPT

# Other Ports Needed on the WAN
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 5022 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 5443 -j ACCEPT

# Allow NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Implied by the policy but just for clarity this is added.
iptables -A INPUT -i eth0 -j DROP

Net Effect with SPI off...

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N advgrp_1
-N advgrp_10
-N advgrp_11
-N advgrp_12
-N advgrp_13
-N advgrp_14
-N advgrp_15
-N advgrp_16
-N advgrp_17
-N advgrp_18
-N advgrp_19
-N advgrp_2
-N advgrp_20
-N advgrp_3
-N advgrp_4
-N advgrp_5
-N advgrp_6
-N advgrp_7
-N advgrp_8
-N advgrp_9
-N grp_1
-N grp_10
-N grp_11
-N grp_12
-N grp_13
-N grp_14
-N grp_15
-N grp_16
-N grp_17
-N grp_18
-N grp_19
-N grp_2
-N grp_20
-N grp_3
-N grp_4
-N grp_5
-N grp_6
-N grp_7
-N grp_8
-N grp_9
-N lan2wan
-N logaccept
-N logdrop
-N logreject
-N trigger_out
-N upnp
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 41001 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10002 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10003 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10004 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10005 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10006 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10007 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10008 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10009 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10010 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10055 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10099 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5022 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5443 -j ACCEPT
-A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix IPV4_Firewall_Disallowed_Port
-A INPUT -i eth0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j upnp
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -d 224.0.0.0/4 -i eth0 -p udp -j ACCEPT
-A FORWARD -i eth0 -o br0 -j TRIGGER--trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i eth0 -o eth1 -j TRIGGER--trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A FORWARD -i eth1 -j trigger_out
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o ath0 -j TRIGGER--trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A FORWARD -i ath0 -j trigger_out
-A FORWARD -i ath0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o ath1 -j TRIGGER--trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A FORWARD -i ath1 -j trigger_out
-A FORWARD -i ath1 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A logreject -p tcp -j REJECT --reject-with tcp-reset


Why is it adding all of these unneeded rules, and also why is remote access not working just from killing packet inspection? I cannot telnet to these ports (5443 and 5022) externally, but I can ping ;0 lol it decides to use the ICMP rule at least. I cannot win: if I enable it, it messes up my rules even if I do an insert vs. append; I turn it off, my rules work but it kills remote access. SMH ;0 ? #help
nashford77
DD-WRT Novice


Joined: 16 Nov 2020
Posts: 2

PostPosted: Mon Mar 11, 2024 2:11    Post subject: update - Post Fiddling
So I tried everything I read on the forums, ref multicast being an issue; I killed every rule it created, nothing worked. It had the NAT redirect rules in place, none of them work..... YET I port forward the same ports, it adds two more rules, THIS works. Going out on a limb here... something is broken with DD-WRT and SPI ;0

Output of: iptables -t nat -L PREROUTING --line-numbers

Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- anywhere <HIDDEN> tcp dpt:5443 to:192.168.0.1:443
2 DNAT tcp -- anywhere <HIDDEN> tcp dpt:5022 to:192.168.0.1:22
3 DNAT icmp -- anywhere <HIDDEN> to:192.168.0.1
4 DNAT tcp -- anywhere <HIDDEN> tcp dpt:5022 to:192.168.0.1:22
5 DNAT tcp -- anywhere <HIDDEN> tcp dpt:5443 to:0.0.0.0:443
6 TRIGGER all -- anywhere <HIDDEN> TRIGGER type:dnat match:0 relate:0

UMMM... why does a port forward work with the EXACT same rules, and those rules will not work? ;0
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6440
Location: UK, London, just across the river..

PostPosted: Mon Mar 11, 2024 7:24    Post subject:
First... when you have a question, tell us the build number and router model, as it makes things clearer...

Second, looking at your config output... I can see you are running an old build... so update, reset and
manually reconfigure... do not load the save file from a different build..

Disabling the SPI firewall always comes with caveats..
Using -A instead of -I will put rules in a different order... so be careful which you use..
Default iptables rules cannot be taken down...
In general the SPI firewall works OK and you don't need to purge rules and set the default policy to DROP, as they are already preset in their own way...
Finally, make sure your rules follow the correct syntax...

https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
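An added example, not from this thread and not DD-WRT's own code: a small Python model of the netfilter ordering that matters for the PREROUTING output in the second post and for the -A versus -I remark in the reply above. A DNAT in nat PREROUTING rewrites the destination port before the routing decision, and filter INPUT then matches on the rewritten port, so an INPUT rule written for the external port (5443) never matches once the DNAT to 192.168.0.1:443 has happened, while an ICMP DNAT changes no port and the icmp rule still matches. The Packet/Rule/Chain classes, the constructed packets, and the assumption that 192.168.0.1 is the router's own address (so the packet is delivered to INPUT, not FORWARD) are mine; the rule values come from the two posts. `--ctorigdstport` is a real option of the iptables conntrack match.

```python
"""Toy model of the netfilter path for a WAN packet DNAT'ed to the router's own
LAN address: nat PREROUTING runs first and rewrites the port, then filter INPUT
sees the rewritten packet.  Constructed example; rule values are from the thread."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dport: Optional[int]       # current destination port (None for ICMP)
    orig_dport: Optional[int]  # port conntrack recorded before any DNAT


@dataclass(frozen=True)
class Rule:
    """One iptables rule, limited to the matches used in the thread."""
    target: str                          # ACCEPT / DROP / DNAT
    in_iface: Optional[str] = None       # -i eth0
    negate_iface: bool = False           # ! -i eth0
    proto: Optional[str] = None          # -p tcp / udp / icmp
    dport: Optional[int] = None          # --dport N (matches the CURRENT port)
    ctorigdstport: Optional[int] = None  # -m conntrack --ctorigdstport N (pre-DNAT port)
    to_port: Optional[int] = None        # DNAT --to-destination :port

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and (pkt.in_iface == self.in_iface) == self.negate_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.ctorigdstport is not None and pkt.orig_dport != self.ctorigdstport:
            return False
        return True


class Chain:
    def __init__(self, policy: str):
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:            # iptables -A: goes to the end
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I: 1-based, default top
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: Packet) -> str:           # first matching rule wins, else policy
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def traverse(prerouting: Chain, input_chain: Chain, pkt: Packet) -> Tuple[str, Optional[int]]:
    """nat PREROUTING (DNAT) runs before filter INPUT.  Assumes the DNAT target is
    the router itself, so the packet is delivered locally and hits INPUT."""
    for rule in prerouting.rules:
        if rule.target == "DNAT" and rule.matches(pkt):
            if rule.to_port is not None:
                pkt = replace(pkt, dport=rule.to_port)
            break
    return input_chain.verdict(pkt), pkt.dport


def thread_prerouting() -> Chain:
    # From the posted 'iptables -t nat -L PREROUTING': 5443 -> :443, 5022 -> :22, icmp -> router
    nat = Chain("ACCEPT")
    nat.append(Rule("DNAT", proto="tcp", dport=5443, to_port=443))
    nat.append(Rule("DNAT", proto="tcp", dport=5022, to_port=22))
    nat.append(Rule("DNAT", proto="icmp"))
    return nat


def thread_input() -> Chain:
    # INPUT rules from the posted script (WireGuard ports and the state rule omitted;
    # the test packets are all NEW connections)
    inp = Chain("DROP")
    inp.append(Rule("ACCEPT", in_iface="eth0", negate_iface=True))
    inp.append(Rule("ACCEPT", in_iface="eth0", proto="icmp"))
    inp.append(Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=5022))
    inp.append(Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=5443))
    inp.append(Rule("DROP", in_iface="eth0"))
    return inp


WAN_HTTPS = Packet("eth0", "tcp", 5443, 5443)   # constructed: new TCP SYN from the WAN
WAN_PING = Packet("eth0", "icmp", None, None)   # constructed: echo request from the WAN


def as_posted() -> Tuple[str, Optional[int]]:
    """INPUT wants dport 5443, but after the DNAT the packet carries 443 -> DROP."""
    return traverse(thread_prerouting(), thread_input(), WAN_HTTPS)


def ping_as_posted() -> str:
    """ICMP has no port to rewrite, so '-p icmp -j ACCEPT' still matches."""
    return traverse(thread_prerouting(), thread_input(), WAN_PING)[0]


def with_post_dnat_port() -> str:
    """Fix 1: match the translated port (443) that INPUT actually sees."""
    inp = thread_input()
    inp.insert(Rule("ACCEPT", in_iface="eth0", proto="tcp", dport=443))
    return traverse(thread_prerouting(), inp, WAN_HTTPS)[0]


def with_ctorigdstport() -> str:
    """Fix 2: match the original port through conntrack, independent of the rewrite."""
    inp = thread_input()
    inp.insert(Rule("ACCEPT", in_iface="eth0", proto="tcp", ctorigdstport=5443))
    return traverse(thread_prerouting(), inp, WAN_HTTPS)[0]


def append_vs_insert_drop() -> Tuple[str, str]:
    """Same catch-all DROP: -A leaves earlier ACCEPTs intact, -I at 1 shadows them."""
    appended = thread_input()                   # already ends with '-A INPUT -i eth0 -j DROP'
    inserted = thread_input()
    inserted.insert(Rule("DROP", in_iface="eth0"), 1)
    return appended.verdict(WAN_PING), inserted.verdict(WAN_PING)


if __name__ == "__main__":
    print("as posted:", as_posted(), "| ping:", ping_as_posted())
    print("post-DNAT port rule:", with_post_dnat_port(), "| ctorigdstport:", with_ctorigdstport())
    print("-A vs -I catch-all DROP:", append_vs_insert_drop())
```

On the router the equivalent checks are `iptables -t nat -L PREROUTING -n --line-numbers` and `iptables -L INPUT -n -v --line-numbers`, which print chains in the order the kernel evaluates them; an accept for a DNAT'ed service has to match either the translated port (`--dport 443`) or the original one via `-m conntrack --ctorigdstport 5443`, and has to sit above any catch-all DROP.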