So, I was wondering if I did this firewall script right (if it works)?
Does it work even if cut-through forwarding (nvram set et_dispatch_mode=1) is used?
Also wondering if I had omitted any typical attack ports from the list?
Definition of "attack ports": handy on the lan, disaster on the wan.
Thanks!
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Fri Jul 27, 2018 10:36 Post subject:
If multiport persists on your version of iptables (because most of the commands/variables are stripped off), yep, this is the correct syntax.
Otherwise, in my case I use one line for each port; as well, you can use dport and sport destination...
The kind of iptables lines I use:
iptables -I FORWARD -p tcp --dport 25 -j DROP
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
I was wondering if this one works:
iptables -I FORWARD -p tcp --dport 16991:16995 -j DROP
Is that correct for a range of ports?
P.S. It is a port range of Intel AMT/MEI, a networked x86 inside the chipset, which is extremely difficult to secure, except for simply blocking the port range at the router.
Last edited by danielwritesback on Mon Jul 30, 2018 4:36; edited 1 time in total
Fortunately, luck worked. With the following overly verbose firewall script, the lan light isn't flashing like mad when the wan light does.
Also, it seems that iptables isn't either as quirky or cpu intensive as the GUI access restriction page.
With the 4 options, tcp, udp, dport, sport, it looks like I may have numerous extras. But, that's the question--which lines are extraneous? How do I determine that?
iptables -I FORWARD -p tcp --dport 113 -j DROP
iptables -I FORWARD -p tcp --sport 113 -j DROP
iptables -I FORWARD -p tcp --dport 135 -j DROP
iptables -I FORWARD -p udp --dport 135 -j DROP
iptables -I FORWARD -p tcp --sport 135 -j DROP
iptables -I FORWARD -p udp --sport 135 -j DROP
iptables -I FORWARD -p udp --dport 137 -j DROP
iptables -I FORWARD -p udp --sport 137 -j DROP
iptables -I FORWARD -p udp --dport 138 -j DROP
iptables -I FORWARD -p udp --sport 138 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p tcp --sport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p udp --dport 445 -j DROP
iptables -I FORWARD -p tcp --sport 445 -j DROP
iptables -I FORWARD -p udp --sport 445 -j DROP
iptables -I FORWARD -p tcp --dport 623 -j DROP
iptables -I FORWARD -p udp --dport 623 -j DROP
iptables -I FORWARD -p tcp --sport 623 -j DROP
iptables -I FORWARD -p udp --sport 623 -j DROP
iptables -I FORWARD -p tcp --dport 664 -j DROP
iptables -I FORWARD -p udp --dport 664 -j DROP
iptables -I FORWARD -p tcp --sport 664 -j DROP
iptables -I FORWARD -p udp --sport 664 -j DROP
iptables -I FORWARD -p udp --dport 1900 -j DROP
iptables -I FORWARD -p udp --sport 1900 -j DROP
iptables -I FORWARD -p tcp --dport 3702 -j DROP
iptables -I FORWARD -p udp --dport 3702 -j DROP
iptables -I FORWARD -p tcp --sport 3702 -j DROP
iptables -I FORWARD -p udp --sport 3702 -j DROP
iptables -I FORWARD -p udp --dport 5355 -j DROP
iptables -I FORWARD -p udp --sport 5355 -j DROP
iptables -I FORWARD -p tcp --dport 5357 -j DROP
iptables -I FORWARD -p udp --dport 5357 -j DROP
iptables -I FORWARD -p tcp --sport 5357 -j DROP
iptables -I FORWARD -p udp --sport 5357 -j DROP
iptables -I FORWARD -p tcp --dport 5358 -j DROP
iptables -I FORWARD -p udp --dport 5358 -j DROP
iptables -I FORWARD -p tcp --sport 5358 -j DROP
iptables -I FORWARD -p udp --sport 5358 -j DROP
iptables -I FORWARD -p tcp --dport 5900 -j DROP
iptables -I FORWARD -p udp --dport 5900 -j DROP
iptables -I FORWARD -p tcp --sport 5900 -j DROP
iptables -I FORWARD -p udp --sport 5900 -j DROP
iptables -I FORWARD -p tcp --dport 9971 -j DROP
iptables -I FORWARD -p udp --dport 9971 -j DROP
iptables -I FORWARD -p tcp --sport 9971 -j DROP
iptables -I FORWARD -p udp --sport 9971 -j DROP
iptables -I FORWARD -p tcp --dport 16992 -j DROP
iptables -I FORWARD -p udp --dport 16992 -j DROP
iptables -I FORWARD -p tcp --sport 16992 -j DROP
iptables -I FORWARD -p udp --sport 16992 -j DROP
iptables -I FORWARD -p tcp --dport 16993 -j DROP
iptables -I FORWARD -p udp --dport 16993 -j DROP
iptables -I FORWARD -p tcp --sport 16993 -j DROP
iptables -I FORWARD -p udp --sport 16993 -j DROP
iptables -I FORWARD -p tcp --dport 16994 -j DROP
iptables -I FORWARD -p udp --dport 16994 -j DROP
iptables -I FORWARD -p tcp --sport 16994 -j DROP
iptables -I FORWARD -p udp --sport 16994 -j DROP
iptables -I FORWARD -p tcp --dport 16995 -j DROP
iptables -I FORWARD -p udp --dport 16995 -j DROP
iptables -I FORWARD -p tcp --sport 16995 -j DROP
iptables -I FORWARD -p udp --sport 16995 -j DROP
Posted: Mon Jul 30, 2018 10:09 Post subject:
dport - destination port
sport - source port
So far those look like the serious blocking that you are aiming for.
To test if they are working, type this via telnet or ssh:
iptables -vnL FORWARD
Look for any hits other than zero (0).
Of course there might be none if
there is no activity on those blocked ports.
This one works.
Multiport has a limit of 15 ports per line. So, here are 15 of the remote control ports blocked (ssh, telnet, smb, mei, rdp, vnc, upnp, amt). See also: https://www.speedguide.net/port.php?port=22 I like their graphs.
Posted: Wed Sep 05, 2018 11:11 Post subject:
Well, if you have an app or services using those ports
from your LAN side, then the router will initiate those
connections that are using those ports,
so filtering those ports will prevent those connections.
Apps or services will not be able to connect on those
ports, and then those rules mean something.
Blocking ports at YOUR router is not going to prevent someone from DDoS flooding you...
Attracting less attention can prevent DDoS floods. And, IoTs + Windows 10 = lots of strangers using my LAN; thus, new firewall stuff that we didn't need in the past.
Alozaros wrote:
well, if you have an app or services using those ports...
Good information! I found the compromised computer, an off-lease Dell refurb that was broadcasting while it was off, and then repaired it.
Edit:
Since then, I also purchased some IoT radios, and sure enough needed more LAN-side firewall commands. Connlimit, this time. Although some port blocking helps too.
Posted: Fri Feb 21, 2020 16:14 Post subject:
What router model and current build??
On some routers/models, multiport is not present....
What do those 2 show?
iptables -t nat -vnL
iptables -t mangle -vnL
I am unclear on what your intention is, but based on what you have, I think it should work. It should filter ALL of the traffic from those source ports (in/out/forward, all networks). By default, NAT would automatically do some of what you are thinking.
I am not sure that the PREROUTING table is the best to use for what you are intending... but a suggestion would be to create a separate chain with those rules:
Code:
iptables -N MYFILTER
iptables -A MYFILTER -p tcp -m multiport --sport 22,23,134,135,136,137,138,139,445,623,3389,5357,5358,5900,9971 -j DROP
iptables -A MYFILTER -p udp -m multiport --sport 22,23,134,135,136,137,138,139,445,623,3702,5355,5900,9971 -j DROP
iptables -A MYFILTER -p tcp -m multiport --sport 593,1433,1434,1900,5000,5631,5632,6666,65301 -j DROP
iptables -A MYFILTER -p udp -m multiport --sport 593,1433,1434,1900,5000,5631,5632,6666,65301 -j DROP
then on INPUT, OUTPUT and FORWARD chains put the ones you want.
Remember:
INPUT is traffic directed TO the router (LAN or WAN side)
OUTPUT is traffic FROM the router (LAN or WAN)
FORWARD is traffic passing THROUGH the machine (WAN->LAN, LAN->WAN)
Thanks for the replies.
I just want to lock down the ports listed, in and out, and crafted my own lines following the OP's method.
I was just wondering if this is a good method.
danielwritesback shows another method of lines per port.
If you know the lines to block the ports I have I'd be grateful as I am not yet familiar with the language.
It would be great if it could also log the action too.
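As an added example (not code posted by anyone in this thread): a POSIX sh generator for a DD-WRT firewall script that collapses the per-port --dport/--sport pairs from the long list above into multiport --ports rules in one custom chain, splits the port lists at the 15-port multiport limit danielwritesback mentions, and puts a rate-limited LOG in front of the DROP that the last reply asks for. The chain name ATTACKPORTS and the exact port lists are this example's own choices, taken from the rules quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: print a DD-WRT firewall script that
# drops the thread's "attack ports" from one custom chain. multiport --ports
# matches source OR destination port, so one rule replaces each --dport/--sport
# pair; lists are split at the 15-port multiport limit; LOG precedes DROP.
# CHAIN and the port lists are this example's choices (ports from the thread).

CHAIN="ATTACKPORTS"
TCP_PORTS="22 23 113 135 139 445 623 664 3389 3702 5357 5358 5900 9971 16992 16993 16994 16995"
UDP_PORTS="135 137 138 445 623 664 1900 3702 5355 5357 5358 5900 9971 16992 16993 16994 16995"

# emit_rules PROTO PORT...: one multiport rule per group of at most 15 ports
# (a range a:b counts as two ports towards that limit, so only singles here).
emit_rules() {
    proto=$1; shift
    list=""; n=0
    for p in "$@"; do
        list="${list:+$list,}$p"; n=$((n + 1))
        if [ "$n" -eq 15 ]; then
            printf 'iptables -A %s -p %s -m multiport --ports %s -j %s_LOGDROP\n' \
                "$CHAIN" "$proto" "$list" "$CHAIN"
            list=""; n=0
        fi
    done
    if [ -n "$list" ]; then
        printf 'iptables -A %s -p %s -m multiport --ports %s -j %s_LOGDROP\n' \
            "$CHAIN" "$proto" "$list" "$CHAIN"
    fi
}

# generate_script: the complete script for Administration -> Commands -> Save Firewall
generate_script() {
    # flush if the chain exists, create it otherwise: safe on every firewall restart
    for c in "$CHAIN" "${CHAIN}_LOGDROP"; do
        printf 'iptables -F %s 2>/dev/null || iptables -N %s\n' "$c" "$c"
    done
    # rate-limited LOG then DROP, so a port sweep cannot flood the syslog buffer
    printf 'iptables -A %s_LOGDROP -m limit --limit 6/min -j LOG --log-prefix "%s: "\n' "$CHAIN" "$CHAIN"
    printf 'iptables -A %s_LOGDROP -j DROP\n' "$CHAIN"
    emit_rules tcp $TCP_PORTS   # unquoted on purpose: the lists are word-split
    emit_rules udp $UDP_PORTS
    # remove any earlier hook before inserting, so re-runs do not stack jumps
    printf 'iptables -D FORWARD -j %s 2>/dev/null\n' "$CHAIN"
    printf 'iptables -I FORWARD -j %s\n' "$CHAIN"
}

generate_script
```

Run it once to review the rules it prints, then paste the output into the Firewall box; afterwards `iptables -vnxL ATTACKPORTS` shows exact hit counters per rule and the drops appear in the router's syslog under the ATTACKPORTS prefix.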