
Thread: Anyone an expert in iptables?

  #1

    Anyone an expert in iptables?

    I'm trying to set up iptables to open FTP access but for some reason it doesn't work.
    I cannot connect to my computer's FTP behind my router from an external location. Port testing always shows it is closed.

    I'm using OpenWRT 12.09-beta r33312 if it matters.

    Full output of /etc/firewall.user
    Code:
    # This file is interpreted as shell script.
    # Put your custom iptables rules here, they will
    # be executed with each firewall (re-)start.
    
    iptables -N ACCEPT_TCP_UDP
    iptables -A ACCEPT_TCP_UDP -p tcp -j ACCEPT
    iptables -A ACCEPT_TCP_UDP -p udp -j ACCEPT
    
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    # Allow anything on local loopback link
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Allow anything on local loopback link
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT
    
    # Allow TCP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
    
    # Allow SSH
    iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
    
    # Allow FTP
    iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    Also looking for any tips for securing my router if you can give any, via iptables of course.

    Thank you!
    Last edited by Instab; 22.04.17 at 16:07. Reason: title fix

  #2 (Moderator anon)
    Firstly, /etc/firewall.user is for special needs that can't be covered by /etc/config/firewall, you shouldn't use it as a general-purpose rule list.

    Secondly, I flashed the exact same build you're using in a spare TL-MR3020 router, and all I needed to do to get FTP working was adding these two rules (10.0.0.2 is the LAN address of the computer running the server):

    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20 -j ACCEPT
    The /etc/network/firewall equivalent of that would be as follows, and if you have LuCI installed, you can add them via Network -> Firewall -> Port Forwards.

    Code:
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '21'
            option dest_ip '10.0.0.2'
            option dest_port '21'
            option name 'FTP'
    
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '20'
            option dest_ip '10.0.0.2'
            option dest_port '20'
            option name 'FTP data'
    If it still doesn't work, make sure you've got the FTP module for netfilter (which does layer 7 NAT and dynamically forwards ports for passive mode) up and running:

    Code:
    root@OpenWrt:/# lsmod | grep ftp
    nf_nat_ftp               976  0
    nf_conntrack_ftp        4416  1 nf_nat_ftp
    nf_nat                 10256  4 nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
    nf_conntrack           38208 12 nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,xt_conntrack,xt_CT,xt_NOTRACK,xt_state,nf_conntrack_ipv4
    With regards to security, the old advice "only open the ports you really need" is good, and port knocking is an interesting idea to add an extra layer of protection.

  #3 (Moderator Instab)
    Quote Originally Posted by anon View Post
    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20 -j ACCEPT
    This has no effect unless you have another rule further down that actually handles the "zone_wan_forward" entries. It also requires that all outgoing traffic is allowed.
    Further, you can combine this into a single rule:
    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20:21 -j ACCEPT

    And as a last thing, I changed the topic name because this is general Linux stuff, i.e. not related to OpenWRT in particular.

  #4 (Moderator anon)
    Quote Originally Posted by Instab View Post
    this has no effect unless you have another rule down below that actually handles the "zone_wan_forward" entries. it also requires that all outgoing traffic is allowed.
    OpenWrt takes care of both by default.

    further you can combine this to a single rule:
    Good point, thanks.

  #5
    It works! Thank you so much!

    I've always thought iptables were in the form of
    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20:21 -j ACCEPT
    What is this kind of config called? Is it only used by openWRT? I've never seen it anywhere else.
    Code:
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '21'
            option dest_ip '10.0.0.2'
            option dest_port '21'
            option name 'FTP'
    
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '20'
            option dest_ip '10.0.0.2'
            option dest_port '20'
            option name 'FTP data'
    Also, regarding the /etc/firewall.user file: should it be empty? I don't remember which entries were default and which were added by me.

  #6
    I'd like to ask: if I open a port in a firewall but no application is listening on that port, is it still considered open? From what I know, a port is open when it is opened in the firewall and an application listens on the port.

  #7 (Moderator anon)
    Quote Originally Posted by Master Razor View Post
    What is this kind of config called? Is it only used by openWRT? I've never seen it anywhere else.
    It's a UCI configuration file.

    https://wiki.openwrt.org/doc/uci

    When combined with LuCI, it makes it much friendlier to set up the firewall. Knowing iptables' syntax has its benefits, of course, if you need to script rules (e.g. for port knocking) or create temporary ones.

    Also, regarding the /etc/firewall.user file: should it be empty? I don't remember which entries were default and which were added by me.
    It's empty by default (besides the comments at the top).

    Quote Originally Posted by Master Razor View Post
    I'd like to ask: if I open a port in a firewall but no application is listening on that port, is it still considered open? From what I know, a port is open when it is opened in the firewall and an application listens on the port.
    Seen from the outside, your ports can have three possible states:
    • open: connection attempts are successful.
    • closed: connection attempts fail, and an ICMP message saying the port is closed is received.
    • unknown: connection attempts fail, and no reply whatsoever is received. Indistinguishable from connecting to a non-forwarded port or an offline host.

    With the port forwarding in place, if your FTP server is running, the ports will be seen as open. If it's not, they'll be seen as unknown. Making them explicitly show up as closed requires some iptables rule that does -j DROP, but for an Internet-facing server, unknown is always the best choice. The less information you give potential attackers, the better.

    Two more security tips:
    • in OpenWrt, uhttpd and dropbear bind to all interfaces by default, which makes them reachable from the outside(!). Make sure to make them bind to the LAN interface only if you haven't done so already.
    • set up a firewall rule to discard ICMP echo requests (ping) received in the WAN interface.
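As an added example (not code from the thread), here is a small Python probe that classifies a TCP port the way an external scanner sees it, which is the distinction the reply above draws. Two details the reply glosses over: for TCP a "closed" port answers with a RST, which the OS surfaces as "connection refused" (the ICMP port-unreachable message is what a closed UDP port sends), and the "unknown" state is what nmap calls "filtered". The demo runs entirely against a throwaway listener on 127.0.0.1, so it works offline; the host and port you probe for real are whatever you pass in.

```python
import errno
import socket


def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP port from the client's point of view.

    open     - the three-way handshake completed: something is listening and
               the firewall let the SYN through
    closed   - the host answered with a TCP RST, surfaced as ECONNREFUSED
    filtered - nothing came back before the timeout, or an ICMP unreachable
               arrived; the reply above calls this state "unknown"
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:          # RST came back
        return "closed"
    except socket.timeout:                  # silence: dropped by a firewall
        return "filtered"
    except OSError as e:                    # ICMP host/net unreachable
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def demo_local():
    """Show 'open' vs 'closed' against a throwaway listener on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)   # handshake completes
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)       # RST, not silence
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_local())
```

Probing a non-forwarded port on the router's WAN address from outside should return "filtered" after the timeout, since the default OpenWrt WAN zone drops rather than rejects. Note that a probe from inside the LAN against the external address goes through NAT reflection on the router and can disagree with what an outside host sees, which is exactly the confusion a later post in this thread runs into.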

  #8
    New issue... Is there any way to disable a rule/redirect in /etc/config/firewall ?
    I tried for redirects:

    option config forward '0'
    This does not output any error but leaves port open

    option enabled '0'
    This outputs the error "Error: redirect : target must be either DNAT or SNAT, skipping", but it seems like it is closing the port.

    Any ideas?

  #9 (Moderator anon)
    'enabled' '0' is the right way as per https://wiki.openwrt.org/doc/uci/firewall

    Ignore the error message, that's normal.
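As an added example (not OpenWrt's code and not from the thread), the following Python script parses the UCI "config redirect" stanzas shown earlier and prints the iptables rules each one implies. It ties together three points from the thread: the stanza format anon posted, the question of what UCI is, and the `option enabled '0'` switch from the last two posts. The constructed sample collapses the two FTP stanzas into one 20-21 range (Instab's single-rule suggestion) and adds a second redirect that is disabled. The interface names for the wan and lan zones are assumptions; check yours with `uci show firewall` and `ifstatus wan`. The real firewall builds per-zone chains such as zone_wan_forward; the flat PREROUTING/FORWARD pair here is the plain-iptables equivalent, and it shows why an ACCEPT in the forward chain alone does nothing without the nat-table DNAT.

```python
"""Minimal UCI parser for /etc/config/firewall redirect stanzas.
Added example, not OpenWrt code; interface names are assumptions."""
import shlex

# Constructed sample: the thread's FTP redirect collapsed to one 20-21
# stanza, plus a second redirect switched off with enabled '0'.
SAMPLE_FIREWALL = """\
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '20-21'
        option dest_ip '10.0.0.2'
        option name 'FTP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '32345'
        option dest_ip '10.0.0.2'
        option dest_port '32345'
        option name 'uTorrent WebUI'
        option enabled '0'
"""

# Assumed zone-to-interface mapping; adjust to your own router.
ZONE_IFACE = {"wan": "eth0.2", "lan": "br-lan"}


def parse_uci(text):
    """Return a list of dicts, one per 'config <type> [name]' section."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)           # handles the 'quoted values'
        if words[0] == "config":
            sec = {"type": words[1]}
            if len(words) > 2:
                sec[".name"] = words[2]
            sections.append(sec)
        elif words[0] == "option" and sections:
            sections[-1][words[1]] = words[2] if len(words) > 2 else ""
        elif words[0] == "list" and sections:
            sections[-1].setdefault(words[1], []).append(words[2])
    return sections


def render_redirect(sec):
    """iptables equivalent of one DNAT redirect; [] when the stanza is disabled."""
    if sec.get("enabled", "1") == "0":      # the switch discussed in the thread
        return []
    if sec.get("target", "DNAT") != "DNAT":
        raise ValueError("only DNAT redirects are handled here")
    wan_if = ZONE_IFACE[sec.get("src", "wan")]
    lan_if = ZONE_IFACE[sec.get("dest", "lan")]
    sport = sec["src_dport"].replace("-", ":")      # UCI 20-21 -> iptables 20:21
    dest_ip = sec["dest_ip"]
    dest_port = sec.get("dest_port")                # absent: port left unchanged
    to = f"{dest_ip}:{dest_port}" if dest_port else dest_ip
    fwd_port = (dest_port or sec["src_dport"]).replace("-", ":")
    rules = []
    for proto in sec.get("proto", "tcp udp").split():   # UCI default is both
        rules.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} --dport {sport} "
            f"-j DNAT --to-destination {to}")
        rules.append(
            f"iptables -A FORWARD -i {wan_if} -o {lan_if} -d {dest_ip} -p {proto} "
            f"--dport {fwd_port} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT")
    return rules


def render_firewall(text):
    """Render every enabled redirect stanza in a firewall config."""
    rules = []
    for sec in parse_uci(text):
        if sec["type"] == "redirect":
            rules.extend(render_redirect(sec))
    return rules


if __name__ == "__main__":
    for rule in render_firewall(SAMPLE_FIREWALL):
        print(rule)
```

One caveat on the FTP case specifically: the DNAT only covers the control connection and an active-mode port 20. Passive-mode data connections land on ports the server picks, and are forwarded only because the nf_conntrack_ftp/nf_nat_ftp helper reads the PASV reply and opens them as RELATED. On the 12.09 kernel the helper attaches itself to port 21 automatically; on Linux 4.7 and later automatic helper assignment is off by default and must be requested explicitly, for example `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`, which also keeps the helper from parsing traffic on any other port.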

  #10
    Something interesting is happening.

    My computer which hosts uTorrent WebUI has a dynamic dns of examplepc.example.com .
    If I use option enabled '0', the ports appear to be closed, but when I try to access http://examplepc.example.com:32345/gui/ on the PC that hosts it, it works.

    When I did not have the redirect rule in the firewall, trying http://examplepc.example.com:32345/gui/ resulted in cannot be found.

    Why is that? Assuming enabled '0' actually disabled the redirect.
    Last edited by Master Razor; 27.04.17 at 17:37.

  #11 (Moderator anon)
    Quote Originally Posted by Master Razor View Post
    My computer which hosts uTorrent WebUI has a dynamic dns of examplepc.example.com .
    If I use option enabled '0', the ports appear to be closed, but when I try to access http://examplepc.example.com:32345/gui/ on the PC that hosts it, it works.

    When I did not have the redirect rule in the firewall, trying http://examplepc.example.com:32345/gui/ resulted in cannot be found.
    Your dynamic DNS resolves to your external IP. When accessing it from that computer, the router "catches" the request and immediately forwards it to yourself. But that's what happens when the redirect is active. 'enabled' '0' is equivalent to not having the rule at all, so I can't explain this behavior. Just to be sure, did you run /etc/init.d/firewall restart after editing the configuration?

  #12
    That's the weird part. I tested the ports with Open Port Check Tool - Test Port Forwarding on Your Router and they are all closed, even though all services are working (webui, ftp, etc.)
    Ports are closed but this still works http://examplepc.example.com:32345/gui/

    Just to be sure, did you run /etc/init.d/firewall restart after editing the configuration?
    Of course. And also restarted the router.
    Last edited by Master Razor; 29.04.17 at 22:38.

  #13
    I want to turn off all wan activity and leave only lan connectivity. Would you say this is correct?
    Code:
    #!/bin/bash
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -j DROP
    iptables- A OUTPUT -d 192.168.1.0/24 -j ACCEPT
    iptables -A OUTPUT -j DROP
    And am I correct in assuming that to allow it again all I have to do is to change from DROP to ALLOW?

  #14 (Moderator Instab)
    Quote Originally Posted by Master Razor View Post
    I want to turn off all wan activity and leave only lan connectivity. Would you say this is correct?
    Code:
    #!/bin/bash
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -j DROP
    iptables- A OUTPUT -d 192.168.1.0/24 -j ACCEPT
    iptables -A OUTPUT -j DROP
    And am I correct in assuming that to allow it again all I have to do is to change from DROP to ALLOW?
    The rules look fine. By convention, though, rules are not applied via a shell script but with iptables-restore, unless you want them appended to already running rules.
    If you want to allow more traffic again, you could just delete the DROP rules or activate a new ruleset via iptables-restore.

  #15 (Moderator anon)
    Quote Originally Posted by Instab View Post
    the rules look fine.
    Except the third one, which has a misplaced space.

    If you don't need WAN connectivity at all (not even on the router itself) you can just put the WAN interface down, but I guess it's not the case.
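As an added example (not from the thread), here is the same LAN-only policy written in the iptables-restore format that the previous replies recommend over a script that appends rules. Two things about the posted rules are worth knowing before loading this: an allow-list limited to 192.168.1.0/24 also drops loopback traffic, since 127.0.0.0/8 is not in that range, and many local services depend on loopback, so loopback rules are added here; and the target that lets traffic through is ACCEPT, there is no ALLOW target. The file name is an assumption.

```text
# /etc/iptables.rules  (assumed path)
# Load with:  iptables-restore < /etc/iptables.rules
# The whole filter table is replaced atomically, so reloading never
# duplicates rules the way re-running an "iptables -A" script does.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: the rules as posted in the thread would drop this
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections that were already permitted in either direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN only (note "-A", not "- A" as in the original third rule)
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
COMMIT
```

To open WAN connectivity again, change the two DROP policies to ACCEPT and reload, or keep a second file and swap between them with iptables-restore. `iptables-save` dumps the running rules in this same format, which is the easiest way to get a starting point. Matching replies with `-m conntrack --ctstate` is also preferable to the flag-based `--tcp-flags ACK ACK -j ACCEPT` line in the first post of this thread: that match accepts any inbound segment with the ACK bit set whether or not a connection exists, which is exactly what an ACK scan sends.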