AR15.Com Archives
 DD-WRT firewall rules are killing me
LDL7071  [Team Member]
2/23/2012 2:00:55 AM
So, I don't really understand all of my DD-WRT firewall rules. All the more so since I first set it up two or three years ago, and haven't really thought about it since.

Back then, I set up my router to have a virtual interface, so I have two SSIDs. The firewall commands for that are:
else
wanif="`nvram get wan_ifname`"
fi

# Make sure br1 has access to the internet:
iptables -I INPUT -i br1 -m state ––state NEW -j logaccept
iptables -I FORWARD -i br1 -o $wanif -m state ––state NEW -j ACCEPT
# Keep the two wireless networks from talking to each other:
iptables -I FORWARD -i br0 -o br1 -j logdrop
iptables -I FORWARD -i br1 -o br0 -j logdrop


Now, I'd like to set up OpenVPN. I'm having a little trouble with the firewall commands for it. The tutorials I've been using recommend the following firewall commands:

iptables -I INPUT 1 -p udp –dport 1194 -j ACCEPT
iptables -I FORWARD 1 –source 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT


When I put these in, though, it kills the internet access to both of my SSIDs.

What is the conflict? How do I fix it? If someone can break this down for me purple dinosaur style, I'd appreciate it.
libertyguns9  [Team Member]
2/23/2012 9:48:52 AM
I'm so rusty on iptables rule writing that I normally just google everything. Is there no GUI rule base? This is another reason I like m0n0wall.
GTwannabe  [Team Member]
2/23/2012 12:51:56 PM
Tomato is easier.
packingXDs  [Team Member]
2/23/2012 1:00:21 PM
Going to need to see the full list, including default policies before being able to tell you why the rules break. A description of your LAN (gateway, subnetting, etc) would also be useful.


ETA:

Lets see the output to the following:

iptables -L -n
route -a -n
ip a
LDL7071  [Team Member]
2/25/2012 2:10:44 AM
iptables -L -n 
Chain INPUT (policy ACCEPT)

target     prot opt source               destination

logaccept  0    ––  0.0.0.0/0            0.0.0.0/0           state NEW

ACCEPT     0    ––  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTAB                                                                              LISHED

ACCEPT     tcp  ––  0.0.0.0/0            0.0.0.0/0           tcp dpt:1723

ACCEPT     47   ––  0.0.0.0/0            0.0.0.0/0

DROP       udp  ––  0.0.0.0/0            0.0.0.0/0           udp dpt:520

DROP       udp  ––  0.0.0.0/0            0.0.0.0/0           udp dpt:520

ACCEPT     udp  ––  0.0.0.0/0            0.0.0.0/0           udp dpt:520

logaccept  tcp  ––  0.0.0.0/0            192.168.1.1         tcp dpt:443

logaccept  tcp  ––  0.0.0.0/0            192.168.1.1         tcp dpt:443

logaccept  tcp  ––  0.0.0.0/0            192.168.1.1         tcp dpt:23

DROP       icmp ––  0.0.0.0/0            0.0.0.0/0

DROP       2    ––  0.0.0.0/0            0.0.0.0/0

ACCEPT     0    ––  0.0.0.0/0            0.0.0.0/0           state NEW

logaccept  0    ––  0.0.0.0/0            0.0.0.0/0           state NEW

DROP       0    ––  0.0.0.0/0            0.0.0.0/0



Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

logdrop    0    ––  0.0.0.0/0            0.0.0.0/0

logdrop    0    ––  0.0.0.0/0            0.0.0.0/0

ACCEPT     0    ––  0.0.0.0/0            0.0.0.0/0           state NEW

ACCEPT     47   ––  192.168.1.0/24       0.0.0.0/0

ACCEPT     tcp  ––  192.168.1.0/24       0.0.0.0/0           tcp dpt:1723

ACCEPT     0    ––  0.0.0.0/0            0.0.0.0/0

TCPMSS     tcp  ––  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02                                                                               TCPMSS clamp to PMTU

lan2wan    0    ––  0.0.0.0/0            0.0.0.0/0

ACCEPT     0    ––  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTAB                                                                              LISHED

ACCEPT     tcp  ––  0.0.0.0/0            192.168.1.1         tcp dpt:1723

ACCEPT     udp  ––  0.0.0.0/0            192.168.1.1         udp dpt:1723

ACCEPT     tcp  ––  0.0.0.0/0            192.168.1.1         tcp dpt:1722

ACCEPT     udp  ––  0.0.0.0/0            192.168.1.1         udp dpt:1722

TRIGGER    0    ––  0.0.0.0/0            0.0.0.0/0           TRIGGER type:in mat                                                                              ch:0 relate:0

trigger_out  0    ––  0.0.0.0/0            0.0.0.0/0

ACCEPT     0    ––  0.0.0.0/0            0.0.0.0/0           state NEW

DROP       0    ––  0.0.0.0/0            0.0.0.0/0



Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination



Chain advgrp_1 (0 references)

target     prot opt source               destination



Chain advgrp_10 (0 references)

target     prot opt source               destination



Chain advgrp_2 (0 references)

target     prot opt source               destination



Chain advgrp_3 (0 references)

target     prot opt source               destination



Chain advgrp_4 (0 references)

target     prot opt source               destination



Chain advgrp_5 (0 references)

target     prot opt source               destination



Chain advgrp_6 (0 references)

target     prot opt source               destination



Chain advgrp_7 (0 references)

target     prot opt source               destination



Chain advgrp_8 (0 references)

target     prot opt source               destination



Chain advgrp_9 (0 references)

target     prot opt source               destination



Chain grp_1 (0 references)

target     prot opt source               destination



Chain grp_10 (0 references)

target     prot opt source               destination



Chain grp_2 (0 references)

target     prot opt source               destination



Chain grp_3 (0 references)

target     prot opt source               destination



Chain grp_4 (0 references)

target     prot opt source               destination



Chain grp_5 (0 references)

target     prot opt source               destination



Chain grp_6 (0 references)

target     prot opt source               destination



Chain grp_7 (0 references)

target     prot opt source               destination



Chain grp_8 (0 references)

target     prot opt source               destination



Chain grp_9 (0 references)

target     prot opt source               destination



Chain lan2wan (1 references)

target     prot opt source               destination



Chain logaccept (5 references)

target     prot opt source               destination

ACCEPT     0    ––  0.0.0.0/0            0.0.0.0/0



Chain logdrop (2 references)

target     prot opt source               destination

DROP       0    ––  0.0.0.0/0            0.0.0.0/0



Chain logreject (0 references)

target     prot opt source               destination

REJECT     tcp  ––  0.0.0.0/0            0.0.0.0/0           tcp reject-with tcp                                                                              -reset



Chain trigger_out (1 references)

target     prot opt source               destination
LDL7071  [Team Member]
2/25/2012 2:14:43 AM
route -a -n isn't working.

ip a: 

1: lo: <LOOPBACK,MULTICAST,UP> mtu 16436 qdisc noqueue

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo

2: teql0: <NOARP> mtu 1500 qdisc noop

    link/void

3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast

    link/ether 00:14:bf:21:36:8e brd ff:ff:ff:ff:ff:ff

4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast

    link/ether 00:14:bf:21:36:90 brd ff:ff:ff:ff:ff:ff

5: vlan0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue

    link/ether 00:14:bf:21:36:8e brd ff:ff:ff:ff:ff:ff

6: vlan1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue

    link/ether 00:14:bf:21:36:8f brd ff:ff:ff:ff:ff:ff

    inet 98.222.63.63/20 brd 98.255.255.255 scope global vlan1

7: wl0.1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast

    link/ether 02:14:bf:21:36:91 brd ff:ff:ff:ff:ff:ff

8: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue

    link/ether 00:14:bf:21:36:8e brd ff:ff:ff:ff:ff:ff

    inet 192.168.1.1/24 brd 192.168.1.255 scope global br0

    inet 169.254.255.1/16 brd 169.254.255.255 scope global br0:0

9: br1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue

    link/ether 02:14:bf:21:36:91 brd ff:ff:ff:ff:ff:ff

    inet 192.168.2.1/24 brd 192.168.2.255 scope global br1

10: etherip0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop

    link/ether 0e:79:d2:bc:a4:c3 brd ff:ff:ff:ff:ff:ff
packingXDs  [Team Member]
2/25/2012 2:40:14 AM
What happens if you add the four rules for your br0/tun0 interfaces, but don't use the two logdrops to keep the networks from talking. The rules you have are pretty flexible and I don't really see anything at first glance that would kill both interfaces other than your explicit rules for traffic passing between br0 and br1.
LDL7071  [Team Member]
2/25/2012 2:54:50 AM
One other thing, which I haven't quite been able to figure out yet. Bizarrely, turning on the OpenVPN service seems to shut down internet access for the virtual interface. The network works––I can access the router from the virtual interface, but I can't get out to the internet.
LDL7071  [Team Member]
2/25/2012 2:58:11 AM
Originally Posted By packingXDs:
What happens if you add the four rules for your br0/tun0 interfaces, but don't use the two logdrops to keep the networks from talking. The rules you have are pretty flexible and I don't really see anything at first glance that would kill both interfaces other than your explicit rules for traffic passing between br0 and br1.


I'm not sure. I haven't tried it yet. Would there be any way to isolate the two interfaces? The main reason that I have them is that my roommates can't figure out how to use decent wireless security, so I set it up so they can have an insecure network, and I can have some relative security. But if they two interfaces can talk to each other, it defeats the purpose.
packingXDs  [Team Member]
2/25/2012 3:14:06 AM

Originally Posted By LDL7071:
Originally Posted By packingXDs:
What happens if you add the four rules for your br0/tun0 interfaces, but don't use the two logdrops to keep the networks from talking. The rules you have are pretty flexible and I don't really see anything at first glance that would kill both interfaces other than your explicit rules for traffic passing between br0 and br1.


I'm not sure. I haven't tried it yet. Would there be any way to isolate the two interfaces? The main reason that I have them is that my roommates can't figure out how to use decent wireless security, so I set it up so they can have an insecure network, and I can have some relative security. But if they two interfaces can talk to each other, it defeats the purpose.

I was just thinking from a testing perspective. If you don't use the only two drop rules and your network still goes down, then its something else. If it works, then the drop rules just need to be revised accordingly.

ETA:

Like using the subnet instead of the interface. Just keep 192.168.1.0/24 from talking to 192.168.2.0/24. Blocking the whole interface is overkill unless you know that is exactly what you need/want.