iptables config question

DD-WRT Forum Index -> Broadcom SoC based Hardware

Joined: 16 Mar 2019
Posts: 65
Location: Szczecin, Poland EU

PostPosted: Sun Jul 21, 2019 16:02    Post subject: iptables config question
I have dd-wrt in the newest version on my Netgear WNR3500L v2. I see this event in my log:
Jul 21 13:58:46 Myrouter kern.info kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

I think it's some problem with the iptables configuration. I have these values in my own iptables configuration:
iptables -A INPUT -s -j REJECT
iptables -A OUTPUT -s -j REJECT
iptables -A INPUT --proto icmp -j DROP
iptables -A OUTPUT --proto icmp -j DROP
iptables -t mangle -I POSTROUTING -o `get_wanface` -j TTL --ttl-set 129
iptables -A INPUT --proto igmp -j DROP
iptables -A OUTPUT --proto igmp -j DROP

Probably there is a mismatch somewhere here. Could you hint at how I can build optimal firewall rules for this behaviour? I need to block the ICMP and IGMP protocols, and this IP that sent me UDP packets.

Joined: 18 Mar 2014
Posts: 4854
Location: Netherlands

PostPosted: Sun Jul 21, 2019 17:04
It is only a warning; you can disregard it.

To block ping, head over to the Security tab in the GUI and block anonymous WAN requests (ping); actually I think it should be on by default.

You can check with iptables -vnL

Use Steve Gibson's GRC to test

Your firewall rules are, to put it politely, a bit unusual :)

Furthermore these questions are better answered in the Advanced Networking forum (very smart people over there ;) )

Routers: Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135

Joined: 08 May 2018
Posts: 3586
Location: Texas, USA

PostPosted: Sun Jul 21, 2019 17:32
Enabling blocking anon WAN requests (ping) disables ping across the board, which is a broken feature IMHO. I have that disabled at the moment on 40352 public build, but it's not difficult to apply the proper rule(s) to block ping of death.
Per Yngve Berg

Joined: 13 Aug 2013
Posts: 5365
Location: Akershus, Norway

PostPosted: Sun Jul 21, 2019 18:52
iptables -A OUTPUT -s -j REJECT

You probably want a destination here (-d), not source.
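Putting the replies together, here is the original rule set rewritten with the -s/-d mix-up fixed and the helper attached with the CT target the kernel warning asks for. This is an added example, not code from any poster in the thread or from the DD-WRT project. It assumes a placeholder address 203.0.113.10 (constructed, from the TEST-NET-3 range) in place of the IP the first post left out, assumes the WAN interface name is what `get_wanface` prints on the router (defaulting to eth0 here), and runs in dry-run mode (it only echoes the iptables commands) unless IPT is set to the real binary.

```shell
#!/bin/sh
# Added example, not from the thread. BAD_IP is a constructed placeholder
# (TEST-NET-3); WAN is assumed to be the interface `get_wanface` prints on
# DD-WRT. IPT defaults to a dry run so the script can be inspected offline.
BAD_IP="${BAD_IP:-203.0.113.10}"
WAN="${WAN:-eth0}"
IPT="${IPT:-echo iptables}"   # on the router: IPT=iptables ./firewall.sh

firewall_rules() {
    # Insert (-I) rather than append (-A) so the rule is evaluated before the
    # existing accept/drop rules that already sit in these chains.
    # INPUT sees packets arriving FROM the host, so match the source (-s).
    $IPT -I INPUT -s "$BAD_IP" -j REJECT
    # OUTPUT sees packets we send TO the host, so match the destination (-d).
    $IPT -I OUTPUT -d "$BAD_IP" -j REJECT
    # Block ICMP and IGMP in both directions (same intent as the first post).
    $IPT -A INPUT -p icmp -j DROP
    $IPT -A OUTPUT -p icmp -j DROP
    $IPT -A INPUT -p igmp -j DROP
    $IPT -A OUTPUT -p igmp -j DROP
    # Rewrite the TTL on traffic leaving via the WAN interface.
    $IPT -t mangle -I POSTROUTING -o "$WAN" -j TTL --ttl-set 129
    # Attach the FTP conntrack helper explicitly in the raw table instead of
    # relying on automatic helper assignment, which is what the
    # "nf_conntrack: automatic helper assignment is deprecated" message is about.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

# Dry-run check: how many emitted rules contain the given text.
count_rules_with() {
    firewall_rules | grep -c -- "$1"
}

# Total number of rules the function emits.
rule_count() {
    firewall_rules | grep -c iptables
}
```

Run it as-is to see the commands it would issue; on the router, run it with IPT=iptables (and remember that anything placed in the DD-WRT firewall script is re-applied on every WAN up, so use -I/-A consistently and check the result with iptables -vnL as suggested above).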