
RHudack

Members
  • Posts

    3
  • Joined

  • Last visited

Posts posted by RHudack

  1. It appears it was all USER ERROR! A capital C in the word config inside the /etc/config/firewall file was the culprit.

    fw3 print showed the line with the error. Sorry for the post; it likely can be deleted now.

  2. So after a bit more review it seems I just have one turtle that has a blank iptables config.

    iptables -S from 2 units running v4 code gives different outputs.

    Broken Turtle
    root@turtle:~# iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT

    Working Turtles
    root@turtle:~# iptables -S
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -N delegate_forward
    -N delegate_input
    -N delegate_output
    -N forwarding_3gwan_rule
    -N forwarding_lan_rule
    -N forwarding_rule
    -N forwarding_vpn_rule
    -N forwarding_wan_rule
    -N input_3gwan_rule
    -N input_lan_rule
    -N input_rule
    -N input_vpn_rule
    -N input_wan_rule
    -N output_3gwan_rule
    -N output_lan_rule
    -N output_rule
    -N output_vpn_rule
    -N output_wan_rule
    -N reject
    -N syn_flood
    -N zone_3gwan_dest_ACCEPT
    -N zone_3gwan_dest_REJECT
    -N zone_3gwan_forward
    -N zone_3gwan_input
    -N zone_3gwan_output
    -N zone_3gwan_src_REJECT
    -N zone_lan_dest_ACCEPT
    -N zone_lan_forward
    -N zone_lan_input
    -N zone_lan_output
    -N zone_lan_src_ACCEPT
    -N zone_vpn_dest_ACCEPT
    -N zone_vpn_forward
    -N zone_vpn_input
    -N zone_vpn_output
    -N zone_vpn_src_ACCEPT
    -N zone_wan_dest_ACCEPT
    -N zone_wan_forward
    -N zone_wan_input
    -N zone_wan_output
    -N zone_wan_src_REJECT
    -A INPUT -j delegate_input
    -A FORWARD -j delegate_forward
    -A OUTPUT -j delegate_output
    -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
    -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A delegate_forward -i eth0 -j zone_lan_forward
    -A delegate_forward -i eth1 -j zone_wan_forward
    -A delegate_forward -i tun0 -j zone_vpn_forward
    -A delegate_forward -j reject
    -A delegate_input -i lo -j ACCEPT
    -A delegate_input -m comment --comment "user chain for input" -j input_rule
    -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
    -A delegate_input -i eth0 -j zone_lan_input
    -A delegate_input -i eth1 -j zone_wan_input
    -A delegate_input -i tun0 -j zone_vpn_input
    -A delegate_input -j reject
    -A delegate_output -o lo -j ACCEPT
    -A delegate_output -m comment --comment "user chain for output" -j output_rule
    -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A delegate_output -o eth0 -j zone_lan_output
    -A delegate_output -o eth1 -j zone_wan_output
    -A delegate_output -o tun0 -j zone_vpn_output
    -A delegate_output -j reject
    -A reject -p tcp -j REJECT --reject-with tcp-reset
    -A reject -j REJECT --reject-with icmp-port-unreachable
    -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
    -A syn_flood -j DROP
    -A zone_3gwan_forward -m comment --comment "user chain for forwarding" -j forwarding_3gwan_rule
    -A zone_3gwan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
    -A zone_3gwan_forward -j zone_3gwan_dest_REJECT
    -A zone_3gwan_input -m comment --comment "user chain for input" -j input_3gwan_rule
    -A zone_3gwan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
    -A zone_3gwan_input -j zone_3gwan_src_REJECT
    -A zone_3gwan_output -m comment --comment "user chain for output" -j output_3gwan_rule
    -A zone_3gwan_output -j zone_3gwan_dest_ACCEPT
    -A zone_lan_dest_ACCEPT -o eth0 -j ACCEPT
    -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
    -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
    -A zone_lan_forward -m comment --comment "forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
    -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
    -A zone_lan_forward -j zone_lan_dest_ACCEPT
    -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
    -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
    -A zone_lan_input -j zone_lan_src_ACCEPT
    -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
    -A zone_lan_output -j zone_lan_dest_ACCEPT
    -A zone_lan_src_ACCEPT -i eth0 -j ACCEPT
    -A zone_vpn_dest_ACCEPT -o tun0 -j ACCEPT
    -A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
    -A zone_vpn_forward -m comment --comment "forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
    -A zone_vpn_forward -m comment --comment "forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
    -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
    -A zone_vpn_forward -j zone_vpn_dest_ACCEPT
    -A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
    -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
    -A zone_vpn_input -j zone_vpn_src_ACCEPT
    -A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
    -A zone_vpn_output -j zone_vpn_dest_ACCEPT
    -A zone_vpn_src_ACCEPT -i tun0 -j ACCEPT
    -A zone_wan_dest_ACCEPT -o eth1 -j ACCEPT
    -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
    -A zone_wan_forward -p esp -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
    -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
    -A zone_wan_forward -m comment --comment "forwarding wan -> vpn" -j zone_vpn_dest_ACCEPT
    -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
    -A zone_wan_forward -j zone_wan_dest_ACCEPT
    -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
    -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
    -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
    -A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
    -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
    -A zone_wan_input -j zone_wan_src_REJECT
    -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
    -A zone_wan_output -j zone_wan_dest_ACCEPT
    -A zone_wan_src_REJECT -i eth1 -j reject

    How do I copy this to the broken turtle? 


  3. I have several LAN Turtles that I deploy to customer environments to perform vulnerability scans.

    I mainly use AutoSSH for my phone-home and reverse SSH into the Turtle (failsafe), and OpenVPN for NAT into the client environment.

    After I updated one of my LAN Turtles to the latest v4 firmware, it seems that my reverse NAT no longer works. I did some digging and found the v3 and v4 iptables are very different. The v4 is missing a statement regarding NAT. I dug and found that if I run "iptables -t nat -A POSTROUTING -j MASQUERADE" after the OpenVPN connects, then I can get into the client environment. I need to know how to make this setting persistent in the iptables config.

    I am not a Linux guy, so please go easy on me if this is a super simple fix.
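The two things this thread turns on are the capital-C typo in /etc/config/firewall (post 1) and how to make the MASQUERADE rule persistent instead of re-adding it by hand after OpenVPN comes up (post 3). The script below is an added example written for this page; it is not code from the forum poster or from Hak5. It assumes the LAN Turtle's OpenWrt-style firewall config (UCI syntax parsed by fw3/uci) and, from the posted "iptables -S" output, that the client-facing interface eth1 belongs to the zone named "wan". Both config fragments are constructed for the demonstration and written to temporary files so the checks run offline; the lint function flags the typo before fw3 does, and the zone check confirms the persistent masquerade flag is actually inside a well-formed zone section. The point worth remembering from the broken turtle's output is that a parse error in this file fails open (policy ACCEPT, no chains), which is the wrong failure mode for a box you drop into a customer network.

```sh
#!/bin/sh
# Added example (not from the forum thread or Hak5). Assumes OpenWrt/fw3 UCI
# syntax and that eth1 is in the zone named "wan", as in the posted output.
# Both fragments below are constructed for the demo.

# Broken fragment: "Config" is not a UCI keyword. uci/fw3 stop at the parse
# error, so none of the zones load and the box is left with the bare
# "-P INPUT ACCEPT / -P FORWARD ACCEPT / -P OUTPUT ACCEPT" of the broken turtle.
BROKEN_ZONE='Config zone
    option name     wan
    option network  wan
    option input    REJECT
    option output   ACCEPT
    option forward  REJECT
    option masq     1
    option mtu_fix  1'

# Corrected fragment: lowercase "config". "option masq 1" is the persistent
# form of the manual "iptables -t nat -A POSTROUTING -j MASQUERADE", except
# that fw3 scopes it to the zone's interfaces (roughly
# "-A zone_wan_postrouting -o eth1 -j MASQUERADE" in the nat table).
FIXED_ZONE='config zone
    option name     wan
    option network  wan
    option input    REJECT
    option output   ACCEPT
    option forward  REJECT
    option masq     1
    option mtu_fix  1'

BROKEN_FILE=$(mktemp)
FIXED_FILE=$(mktemp)
trap 'rm -f "$BROKEN_FILE" "$FIXED_FILE"' EXIT
printf '%s\n' "$BROKEN_ZONE" > "$BROKEN_FILE"
printf '%s\n' "$FIXED_ZONE"  > "$FIXED_FILE"

# uci_lint FILE: report every line whose first token is not a UCI keyword
# (package/config/option/list) or a comment. Returns 1 if anything is flagged.
uci_lint() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    $1 == "package" || $1 == "config" || $1 == "option" || $1 == "list" { next }
    { printf "%s:%d: unknown keyword \"%s\"\n", FILENAME, NR, $1; bad = 1 }
    END { exit bad }
    ' "$1"
}

# zone_masq FILE ZONE: return 0 only if FILE has a well-formed "config zone"
# section named ZONE with "option masq 1" (quoted or unquoted values accepted).
# Options outside a proper "config zone" header are ignored, which is exactly
# why the broken fragment fails this check even though "option masq 1" is in it.
zone_masq() {
    awk -v want="$2" -v q="'" '
    function strip(v) { gsub("[\"" q "]", "", v); return v }
    function flush() { if (inzone && name == want && masq == "1") found = 1 }
    $1 == "config" { flush(); inzone = (strip($2) == "zone"); name = ""; masq = "" }
    inzone && $1 == "option" && $2 == "name" { name = strip($3) }
    inzone && $1 == "option" && $2 == "masq" { masq = strip($3) }
    END { flush(); exit !found }
    ' "$1"
}

# Demo run over both fragments.
for f in "$BROKEN_FILE" "$FIXED_FILE"; do
    if uci_lint "$f"; then echo "$f: syntax ok"; fi
    if zone_masq "$f" wan; then
        echo "$f: wan zone will masquerade (persistent NAT)"
    else
        echo "$f: wan zone will NOT masquerade"
    fi
done
```

On the device itself the equivalent checks are `uci show firewall` (which stops with a parse error on the broken file) and `fw3 print`, as the poster used. To set the flag without editing by hand: `uci set firewall.@zone[1].masq='1'; uci commit firewall; /etc/init.d/firewall restart`, then confirm with `iptables -t nat -S POSTROUTING`. The zone index `[1]` is an assumption (wan is usually the second zone); verify it with `uci show firewall | grep name` first. Zone-scoped masquerade is also tighter than the blanket `-A POSTROUTING -j MASQUERADE` from the post, which rewrites the source of everything leaving the box, including lan-side traffic.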
