+ Reply to Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 16

Thread: Anyone an expert in iptables?

  1. #1

    Anyone an expert in iptables?

    I'm trying to set up iptables to open FTP access but for some reason it doesn't work.
    I cannot connect to my computer's FTP behind my router from an external location. Port testing always shows it is closed.

    I'm using OpenWRT 12.09-beta r33312 if it matters.

    Full output of /etc/firewall.user
    Code:
    # This file is interpreted as shell script.
    # Put your custom iptables rules here, they will
    # be executed with each firewall (re-)start.
    
    iptables -N ACCEPT_TCP_UDP
      iptables -A ACCEPT_TCP_UDP -p tcp -j ACCEPT
        iptables -A ACCEPT_TCP_UDP -p udp -j ACCEPT
    
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    
    
    
    # Allow anything on local loopback link
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Allow anything on local loopback link
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT
    
    # Allow TCP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
    
    # Allow SSH
    iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
    
    # Allow FTP
    iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    Also looking for any tips for securing my router if you can give any, via iptables of course.

    Thank you!
    Last edited by Instab; 22.04.17 at 17:07. Reason: title fix
    Reply With QuoteReply With Quote
    Thanks

  2. #2
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    Firstly, /etc/firewall.user is for special needs that can't be covered by /etc/config/firewall, you shouldn't use it as a general-purpose rule list.

    Secondly, I flashed the exact same build you're using in a spare TL-MR3020 router, and all I needed to do to get FTP working was adding these two rules (10.0.0.2 is the LAN address of the computer running the server):

    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20 -j ACCEPT
    The /etc/network/firewall equivalent of that would be as follows, and if you have LuCI installed, you can add them via Network -> Firewall -> Port Forwards.

    Code:
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '21'
            option dest_ip '10.0.0.2'
            option dest_port '21'
            option name 'FTP'
    
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '20'
            option dest_ip '10.0.0.2'
            option dest_port '20'
            option name 'FTP data'
    If it still doesn't work, make sure you've got the FTP module for netfilter (which does layer 7 NAT and dynamically forwards ports for passive mode) up and running:

    Code:
    root@OpenWrt:/# lsmod | grep ftp
    nf_nat_ftp               976  0
    nf_conntrack_ftp        4416  1 nf_nat_ftp
    nf_nat                 10256  4 nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
    nf_conntrack           38208 12 nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,xt_conntrack,xt_CT,xt_NOTRACK,xt_state,nf_conntrack_ipv4
    With regards to security, the old advice "only open the ports you really need" is good, and port knocking is an interesting idea to add an extra layer of protection.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  3. Who Said Thanks:

    Master Razor (24.04.17)

  4. #3
    Moderator
    Instab's Avatar
    Join Date
    18.09.09
    Posts
    6,661
    Activity Longevity
    4/20 18/20
    Today Posts
    0/5 sssss6661
    Quote Originally Posted by anon View Post
    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20 -j ACCEPT
    this has no effect unless you have another rule down below that actually handles the "zone_wan_forward" entries. it also requires that all outgoing traffic is allowed.
    further you can combine this to a single rule:
    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20:21 -j ACCEPT

    and as a last one i changed the topic name because this is general linux stuff i.e. not related to OpenWRT in particular.
    Your account has been disabled.
    Reply With QuoteReply With Quote
    Thanks

  5. Who Said Thanks:

    Master Razor (24.04.17) , anon (22.04.17)

  6. #4
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    Quote Originally Posted by Instab View Post
    this has no effect unless you have another rule down below that actually handles the "zone_wan_forward" entries. it also requires that all outgoing traffic is allowed.
    OpenWrt takes care of both by default.

    further you can combine this to a single rule:
    Good point, thanks.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  7. Who Said Thanks:

    Master Razor (24.04.17)

  8. #5
    It works! Thank you so much!

    I've always thought iptables were in the form of
    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20:21 -j ACCEPT
    What is this kind of config called? Is it only used by openWRT? I've never seen it anywhere else.
    Code:
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '21'
            option dest_ip '10.0.0.2'
            option dest_port '21'
            option name 'FTP'
    
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '20'
            option dest_ip '10.0.0.2'
            option dest_port '20'
            option name 'FTP data'
    Also, regarding the /etc/firewall.user file, should be empty? I don't remember what entries were default and what were added by me.
    Reply With QuoteReply With Quote
    Thanks

  9. #6
    I'd like to ask, if I open a port in a firewall but no application is listening on that port, is it still considered open? From what I know a port is open when is opened in the firewall and an application listens on the port.
    Reply With QuoteReply With Quote
    Thanks

  10. #7
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    Quote Originally Posted by Master Razor View Post
    What is this kind of config called? Is it only used by openWRT? I've never seen it anywhere else.
    It's a UCI configuration file.

    https://wiki.openwrt.org/doc/uci

    When combined with LuCI, it makes it much friendlier to set up the firewall. Knowing iptables' syntax has its benefits, of course, if you need to script rules (e.g. for port knocking) or create temporary ones.

    Also, regarding the /etc/firewall.user file, should be empty? I don't remember what entries were default and what were added by me.
    It's empty by default (besides the comments at the top).

    Quote Originally Posted by Master Razor View Post
    I'd like to ask, if I open a port in a firewall but no application is listening on that port, is it still considered open? From what I know a port is open when is opened in the firewall and an application listens on the port.
    Seen from the outside, your ports can have three possible states:
    • open: connection attempts are successful.
    • closed: connection attempts fail, and an ICMP message saying the port is closed is received.
    • unknown: connection attempts fail, and no reply whatsoever is received. Indistinguishable from connecting to a non-forwarded port or an offline host.

    With the port forwarding in place, if your FTP server is running, the ports will be seen as open. If it's not, they'll be seen as unknown. Making them explicitly show up as closed requires some iptables rule that does -j DROP, but for an Internet-facing server, unknown is always the best choice. The less information you give potential attackers, the better.

    Two more security tips:
    • in OpenWrt, uhttpd and dropbear bind to all interfaces by default, which makes them reachable from the outside(!). Make sure to make them bind to the LAN interface only if you haven't done so already.
    • set up a firewall rule to discard ICMP echo requests (ping) received in the WAN interface.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  11. Who Said Thanks:

    Master Razor (26.04.17)

  12. #8
    New issue... Is there any way to disable a rule/redirect in /etc/config/firewall ?
    I tried for redirects:

    option config forward '0'
    This does not output any error but leaves port open

    option enabled '0'
    This outpouts the error "Error: redirect : target must be either DNAT or SNAT, skipping" but seems like it is closing the port "

    Any ideas?
    Reply With QuoteReply With Quote
    Thanks

  13. #9
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    'enabled' '0' is the right way as per https://wiki.openwrt.org/doc/uci/firewall

    Ignore the error message, that's normal.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  14. Who Said Thanks:

    Master Razor (27.04.17)

  15. #10
    Something interesting is happening.

    My computer which hosts uTorrent WebUI has a dynamic dns of examplepc.example.com .
    If I use the option enabled '0' the ports appear to be closed but when I try to access http://examplepc.example.com:32345/gui/ on my pc that hosts it works.

    When I did not have the redirect rule in the firewall, trying http://examplepc.example.com:32345/gui/ resulted in cannot be found.

    Why is that? Assuming enabled '0' actually disabled the redirect.
    Last edited by Master Razor; 27.04.17 at 18:37.
    Reply With QuoteReply With Quote
    Thanks

  16. #11
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    Quote Originally Posted by Master Razor View Post
    My computer which hosts uTorrent WebUI has a dynamic dns of examplepc.example.com .
    If I use the option enabled '0' the ports appear to be closed but when I try to access http://examplepc.example.com:32345/gui/ on my pc that hosts it works.

    When I did not have the redirect rule in the firewall, trying http://examplepc.example.com:32345/gui/ resulted in cannot be found.
    Your dynamic DNS resolves to your external IP. When accessing it from that computer, the router "catches" the request and immediately forwards it to yourself. But that's what happens when the redirect is active. 'enabled' '0' is equivalent to not having the rule at all, so I can't explain this behavior. Just to be sure, did you run /etc/init.d/firewall restart after editing the configuration?
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  17. #12
    That's the weird part. I tested the ports with Open Port Check Tool - Test Port Forwarding on Your Router and they are all closed, even though all services are working (webui, ftp, etc.)
    Ports are closed but this still works http://examplepc.example.com:32345/gui/

    Just to be sure, did you run /etc/init.d/firewall restart after editing the configuration?
    Of course. And also restarted the router.
    Last edited by Master Razor; 29.04.17 at 23:38.
    Reply With QuoteReply With Quote
    Thanks

  18. Who Said Thanks:

    (18.01.22)

  19. #13
    I want to turn off all wan activity and leave only lan connectivity. Would you say this is correct?
    Code:
    #!/bin/bash
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -j DROP
    iptables- A OUTPUT -d 192.168.1.0/24 -j ACCEPT
    iptables -A OUTPUT -j DROP
    And am I correct in assuming that to allow it again all I have to do is to change from DROP to ALLOW?
    Reply With QuoteReply With Quote
    Thanks

  20. #14
    Moderator
    Instab's Avatar
    Join Date
    18.09.09
    Posts
    6,661
    Activity Longevity
    4/20 18/20
    Today Posts
    0/5 sssss6661
    Quote Originally Posted by Master Razor View Post
    I want to turn off all wan activity and leave only lan connectivity. Would you say this is correct?
    Code:
    #!/bin/bash
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -j DROP
    iptables- A OUTPUT -d 192.168.1.0/24 -j ACCEPT
    iptables -A OUTPUT -j DROP
    And am I correct in assuming that to allow it again all I have to do is to change from DROP to ALLOW?
    the rules look fine. by convention tho rules are not applied via shell script but iptables-restore unless you want them appended to already running rules.
    if you want to allow more traffic again you could just delete the drop rules or activate a new ruleset via iptables-restore.
    Your account has been disabled.
    Reply With QuoteReply With Quote
    Thanks

  21. Who Said Thanks:

    Master Razor (10.09.17)

  22. #15
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,804
    Activity Longevity
    11/20 19/20
    Today Posts
    1/5 ssss39804
    Quote Originally Posted by Instab View Post
    the rules look fine.
    Except the third one which has a misplaced space

    If you don't need WAN connectivity at all (not even on the router itself) you can just put the WAN interface down, but I guess it's not the case.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  23. Who Said Thanks:

    Master Razor (10.09.17)

+ Reply to Thread
Page 1 of 2 12 LastLast

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •