
DD-WRT iptables Rules for Linksys e3000

10/15/2011

 
(Image: NAT Rules)
I mentioned on my blog that I have switched to DD-WRT on my Linksys e3000 router, mainly because I was frustrated with Cisco's software requiring a Mac or PC in order to make some feature changes. I got locked out of the desktop software once I set up security to my preferences.

So here are my firewall rules, built with the help of Firewall Builder. We'll start by looking at the NAT rules. Rule 0 allows all networks to NAT out to the Internet. Rule 1 is disabled but allows access to the DMZ. The DMZ is off during the summer to keep the DMZ server from running up the electric bill. Rule 2 is a lazy rule that enables me to print to my networked laser printer while I work from home logged into the work VPN. I say this is lazy because I have used a much better design in the past: Apache with SSL reverse proxying to CUPS, so I printed remotely from Windows XP over an HTTPS URL and the data was protected in transit across the Internet. The current setup will be disabled anyway, since printing seems to have been killed off by the dual monitor setup. The printing rule is restricted to the VPN's Internet exit IP address.

We'll now look at the firewall rules.  Rule 0 adds all internal networks to the Anti-Spoofing Rule.

Rule 1 enables loopback network communication on the router.

Rule 2 is sloppy but lets DHCP work on the internal network.  You can see this done better in Firewall Builder's templates.

Rule 3 gives the guest network access to essential services on the gateway.  FTP is provided so guests can take advantage of the USB Drive attached to the Linksys e3000.

Rule 4 ensures all trusted networks can access everything needed on the home gateway.

Rule 5 lets ping and traceroute work.

Rule 6 lets the router communicate to everything on the network.

Rules 8 through 10 allow the VPN to be reached from the outside; rule 9, which allows HTTP, is disabled at this time.

Rule 11 allows printing while on the work VPN. The work VPN disables all local access when it is activated, which leaves me unable to reach my network printers.

Rule 12 stops all traffic not otherwise allowed to the firewall box.

Rule 13 gives the guest network access to the outside world only. Note that the guest network cannot access the other networks.

Rules 14, 15, and 16 allow the trusted networks to communicate everywhere.

Rule 17 will drop everything else not previously allowed in my home firewall.

Here is the raw iptables rules script as created by Firewall Builder for DD-WRT.

(Image: Firewall Rules)
(Image: Firewall Rules, continued)
(Image: Firewall Rules, continued)
(Image: Firewall Builder Panel of Objects)
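The Firewall Builder output itself appears above only as images, so here is the policy described in this post written out as iptables commands, as an added example and not the post's own script. The interface names (vlan2 for the WAN, br0 for the trusted LAN, br1 for the guest network), the subnets, the printer port and the work-VPN exit address are assumptions; the LOGDROP chain logs every reject, which is what makes denied traffic visible while the rules are being built.

```shell
#!/bin/sh
# Added example, not the post's Firewall Builder output: the policy described
# above written as iptables commands for a DD-WRT router. Interface names,
# subnets, ports and addresses are assumptions. gen_rules only prints the
# commands so they can be reviewed; pipe its output to sh on the router to apply.
WAN=vlan2 LAN=br0 GUEST=br1                       # assumed interface names
LAN_NET=192.168.1.0/24 GUEST_NET=192.168.2.0/24 VPN_NET=10.8.0.0/24
PRINTER=192.168.1.50 VPN_EXIT=203.0.113.10        # assumed printer / work-VPN exit IP

gen_rules() {
  echo "iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT"
  # every reject goes through one chain that logs (rate-limited) before dropping
  echo "iptables -N LOGDROP"
  echo "iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
  echo "iptables -A LOGDROP -j DROP"
  # rule 0, anti-spoofing: an internal source address must never arrive on the WAN
  for net in $LAN_NET $GUEST_NET $VPN_NET; do
    echo "iptables -A INPUT -i $WAN -s $net -j LOGDROP"
    echo "iptables -A FORWARD -i $WAN -s $net -j LOGDROP"
  done
  echo "iptables -A INPUT -i lo -j ACCEPT"                              # rule 1: loopback
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for i in $LAN $GUEST; do                                             # rule 2: DHCP
    echo "iptables -A INPUT -i $i -p udp --dport 67 -j ACCEPT"
  done
  # rule 3: guest network gets only DNS and FTP (USB drive) from the gateway
  echo "iptables -A INPUT -i $GUEST -p udp --dport 53 -j ACCEPT"
  echo "iptables -A INPUT -i $GUEST -p tcp -m multiport --dports 21,53 -j ACCEPT"
  for net in $LAN_NET $VPN_NET; do                                     # rule 4: trusted nets
    echo "iptables -A INPUT -s $net -j ACCEPT"
  done
  echo "iptables -A INPUT -p icmp -j ACCEPT"                            # rule 5: ping/traceroute
  echo "iptables -A INPUT -i $WAN -p udp --dport 1194 -j ACCEPT"        # rule 8: VPN from outside
  # rule 11: printing only from the work VPN's exit address, via DNAT to the printer
  echo "iptables -t nat -A PREROUTING -i $WAN -s $VPN_EXIT -p tcp --dport 9100 -j DNAT --to-destination $PRINTER"
  echo "iptables -A FORWARD -i $WAN -s $VPN_EXIT -d $PRINTER -p tcp --dport 9100 -j ACCEPT"
  echo "iptables -A INPUT -j LOGDROP"                                   # rule 12: nothing else to the box
  echo "iptables -A FORWARD -i $GUEST -o $WAN -j ACCEPT"                # rule 13: guest -> Internet only
  for net in $LAN_NET $VPN_NET; do                                     # rules 14-16: trusted everywhere
    echo "iptables -A FORWARD -s $net -j ACCEPT"
  done
  echo "iptables -A FORWARD -j LOGDROP"                                 # rule 17: default deny
  echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"           # NAT rule 0
}
gen_rules   # print the generated rule set
```

Because rule 13 only accepts guest traffic leaving on the WAN, anything from br1 toward br0 falls through to the final LOGDROP and shows up in the log.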
Don
2/2/2012 05:21:09 am

Can you recommend a course of study to understand this Firewall Builder? I have been trying to get OpenVPN working on a couple of dd-wrt enabled routers for about 6 years now (slow learner). I finally read the guide at http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B and at http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/. This gave me the ability (through time) to learn the basics and do enough cut and paste to be able to try various iterations of the setup, customizing to my system, and at last I finally was successful using 2 "mega" versions of dd-wrt and heavy horsepower routers that supported dd-wrt to build a routed VPN between two family members. I did notice that I had to turn the SPI firewall feature off for some reason, and I noticed in a Shields Up scan that for some reason port 53 was open on my incoming firewall, and I assumed this might have something to do with OpenVPN on dd-wrt. Not sure of the repercussions of leaving 53 open or what it means, but that got even worse when I installed Optware. So my question would be based on a comment I placed here on your blog over in the section regarding Optware, and that is, if I open my SPI firewall for OpenVPN, then after the install of Optware, not only is port 53 open but also 111, 139 and 445. Realize again that I have no idea about firewall rules or the chart you have kindly displayed here for building them and not sure what path to learn quickly. So what I am asking I suppose first, is there a shortcut where I can still use OpenVPN (I assume there is no recourse other than running with SPI firewall "off" to take advantage of OpenVPN) yet also feel comfortable when I open the SPI firewall in dd-wrt and see all the ports open, that I am not exposed to this situation? Thanks in advance. (Appreciate your level of knowledge and your willingness to publish here. Hope you have time to help.)

Don
2/2/2012 08:38:41 am

Referring to the 2 guides above, in order to get my OpenVPN working, I had to add the following to the "Firewall rules" box of the Administration panel on the dd-wrt OpenVPN server router:

# accept inbound OpenVPN (UDP 1194) at the top of the INPUT chain
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
# let the client router's LAN be forwarded through this server
iptables -I FORWARD 1 --source 192.168.158.0/24 -j ACCEPT
# pass traffic both ways between the LAN bridge and the tunnel
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

# NAT the tunnel subnet out the WAN interface
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This allows me, from a dd-wrt client router configured as an OpenVPN client, to connect to the server.

This setup does not allow a PC, or should I say, I cannot figure out how to get to a drive on the OpenVPN client subnet from the OpenVPN server subnet, but I AM ABLE to get from the client to the server subnet. I would like to know how to do that as well. Thanks again.

azcrumpty
2/2/2012 10:40:35 am

The Firewall Builder guides are the best doc:
http://www.fwbuilder.org/4.0/docs/users_guide5/

Also, the firewall builder scripts turn on logging, which is most useful for seeing what is being denied. You will want to have all reject actions log while you build your rules.

Corey Perkins
6/25/2012 06:44:48 am

Great blog, I just created an account here too.
