Community here is awesome!
I have an ASUS 3100 wireless router and about 4 IP Cameras. On my old router it was easy to block outgoing traffic so that I can make sure the cameras weren't "calling home". I want to do the same thing with this router so I decided first I use the port forwarding tool and then I started looking up IPTABLES. I don't know if this is an issue either for asuswrt-merlin to use the port forwarding on the routers admin tool & the iptables. I would suspect not...right?
My goal:
- By default block outgoing and incoming traffic for 192.168.1.0/29
- Exception: I want to open 120:130 BUT for only a handful of trusted IPs (work or a friends house). Lets say those IPs are 150.150.150.150 and 250.250.250.0/24 (I use a browser to access these ports, not that probably matters anyways) so if I wanted to access CAMERA #2 it would be DDNS.dns.com:121
- Exception: The cameras send out emails via SMTPS (port 465) so I want to open that up so that it can send out the emails.
Don't want to block INPUTS/OUTPUTS since I have some IoT stuff that communicate somewhere else , so I don't want to change default policy to block that. Unless I am misunderstanding how that works.
I flashed the router with the latest Asuswrt-Merlin and turned on JFFS custom scripts. I created a file under /jffs/scripts/ called firewall-start. I edited the file starting with shebang and added some rules (will get back to this later). I used service restart_firewall. The problem I am getting into is that I am not getting the appropriate results and it is very possible that I am writing the rules wrong and/or maybe the order.
I tried iptables forward, I tried iptables INPUT & OUTPUT, and I tried a combination of "INSERT" / "APPEND" and for some odd reason it will either BLOCK everything or leave it OPEN completely. It never follows my ultimate goal. I am sure it has to do with some order or default rules for FORWARD or INPUT or OUTPUT but I just cant figure it out.
I inserted the rules one at a time too. Something simple to start.
iptables -I FORWARD -d 192.168.1.0/29 -p tcp --dport 17111 -j DROP
This drops it. Sometimes it's finicky because if I try canyouseeme.org and it says successful put in the code it still says successful. Sometimes it says it failed (meaning it dropped) so sometimes that is what I encounter but sounds like maybe it's a unrelated issue. Then i say to myself ok that works. now lets add a INSERT rule AFTER this because obviously INSERT goes to the top so I added after the code above with this:
iptables -I FORWARD -s myworkip -d 192.168.1.0/29 -p tcp --dport 121 -j ACCEPT
So with those two in the file. I flush the iptables and then restart the firewall-start service to make it acquire the new rules. I use iptables -L I see it's in the right order. Test it out by reloading the webpage ddns.dns.com:121 and nada. It won't load. Is it some caching? does it need time? Sometimes I wait for 5 minutes and still nothing. I use canyouseeme.org again and it still says failed from the last DROP code.
I need some experts to help me out. Here is my existing iptable as of right now:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
PTCSRVWAN all -- anywhere anywhere
PTCSRVLAN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
OVPN all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
INPUT_ICMP icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
other2wan all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
NSFW all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
OVPN all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ACCESS_RESTRICTION (0 references)
target prot opt source destination
Chain FUPNP (0 references)
target prot opt source destination
Chain INPUT_ICMP (1 references)
target prot opt source destination
RETURN icmp -- anywhere anywhere icmp echo-request
RETURN icmp -- anywhere anywhere icmp timestamp-request
ACCEPT icmp -- anywhere anywhere
Chain NSFW (1 references)
target prot opt source destination
Chain OVPN (2 references)
target prot opt source destination
Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PTCSRVLAN (1 references)
target prot opt source destination
Chain PTCSRVWAN (1 references)
target prot opt source destination
Chain SECURITY (0 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
DROP icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere
Chain default_block (0 references)
target prot opt source destination
Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP all -- anywhere anywhere
Chain other2wan (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere
Thanks in advance!
