[Nottingham] iptables arguments

Mike Cardwell nlug at lists.grepular.com
Thu Nov 27 09:31:12 UTC 2014


* on the Wed, Nov 26, 2014 at 10:21:35PM +0000, Jason Irwin wrote:

> Yesterday whilst arguing with the VPN, I discovered that whilst people on
> guest WiFi had no LAN access (intentional) they had unfettered access to
> the router admin, ssh etc. YIKES!
>
> So I went and checked the iptables rules. I'll be the first to admit that I
> struggle with networking, but I now have things fixed and am really
> confused as to what the problem was and why the fix works!
> 
> Old rules, sourced from
> http://www.alexlaird.com/2013/03/dd-wrt-guest-wireless/ :
>
> iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with \
>   tcp-reset
> iptables -I INPUT -i br1 -p tcp --dport ssh    -j REJECT --reject-with \
>   tcp-reset
> iptables -I INPUT -i br1 -p tcp --dport www    -j REJECT --reject-with \
>   tcp-reset
> iptables -I INPUT -i br1 -p tcp --dport https  -j REJECT --reject-with \
>   tcp-reset
>
> To my basic understanding these say "Anything coming in from br1 (guest
> WiFi) on those four ports, tell it where to go in no uncertain terms.
> Implicitly everything else is OK".
>
> Yet jumping on to the router's web admin page was permitted. Whut?

Those rules mean that any traffic on ports 23, 22, 80 and 443 is blocked.
Everything else follows the default policy, which is probably accept.
Is the web admin interface on one of those 4 ports?

> New rules, sourced from
> http://www.stevejenkins.com/blog/2013/01/use-dd-wrt-to-create-a-guest-wifi-network-and-block-skype/
> :
> iptables -I INPUT -i br1 -m state --state NEW -j DROP
> iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
> iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
> iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
>
> This to me says "Deny everything from br1 that's going to the router,
> except DHCP and DNS". Only confusion I have with these is the order,
> shouldn't the "DROP" be the last entry?

"iptables -I" inserts a rule at the beginning. "iptables -A" appends a rule
at the end. So if you run those 4 commands in that order, the list is the
reverse of what you think it is. Run "iptables -nvL" to see the rules that
are currently in use.

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
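A small simulation of both points made above (the old REJECT rules leaving every other port open under an ACCEPT policy, and -I reversing the order of the new rules). This is an added illustration, not code from the thread or from either linked blog post; it models only the match options the posted rules use (-p, --dport, -m state --state NEW), treats the INPUT policy as ACCEPT, and the sample packets are constructed for the demo.

```python
"""Toy model of how netfilter walks an iptables chain: rules are tried top
to bottom, the first match decides, and the chain policy catches anything
that falls through. Added example for the -I versus -A discussion; it is
not taken from the posts linked in the thread. Packet values are constructed."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    target: str                       # ACCEPT, DROP or REJECT
    proto: Optional[str] = None       # "tcp" / "udp", None matches any protocol
    dport: Optional[int] = None       # destination port, None matches any
    state_new: Optional[bool] = None  # True models "-m state --state NEW"

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.state_new is not None and pkt["new"] != self.state_new:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"            # assumed: DD-WRT's INPUT policy left at ACCEPT
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:
        """iptables -I INPUT ...: new rule goes to position 1 (the top)."""
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:
        """iptables -A INPUT ...: new rule goes to the end."""
        self.rules.append(rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:       # first matching rule wins
            if rule.matches(pkt):
                return rule.target
        return self.policy            # nothing matched: chain policy applies


def build_old_rules() -> Chain:
    """The four REJECT rules from the first blog post; policy stays ACCEPT."""
    chain = Chain()
    for port in (23, 22, 80, 443):    # telnet, ssh, www, https
        chain.insert(Rule("REJECT", proto="tcp", dport=port))
    return chain


def build_new_rules(use_insert: bool) -> Chain:
    """Replay the four 'new rules' commands in the order they were typed,
    with -I (as posted) or with -A (the order the poster expected)."""
    chain = Chain()
    add = chain.insert if use_insert else chain.append
    add(Rule("DROP", state_new=True))
    add(Rule("ACCEPT", proto="udp", dport=67))
    add(Rule("ACCEPT", proto="udp", dport=53))
    add(Rule("ACCEPT", proto="tcp", dport=53))
    return chain


# Constructed sample packets arriving on br1, all opening new connections.
PACKETS = {
    "dhcp":     {"proto": "udp", "dport": 67,   "new": True},
    "dns_udp":  {"proto": "udp", "dport": 53,   "new": True},
    "http":     {"proto": "tcp", "dport": 80,   "new": True},
    "http_alt": {"proto": "tcp", "dport": 8080, "new": True},  # not in the old list
    "ssh":      {"proto": "tcp", "dport": 22,   "new": True},
}


def verdicts(chain: Chain) -> dict:
    """Verdict for every sample packet, keyed by packet name."""
    return {name: chain.verdict(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("old REJECT rules: ", verdicts(build_old_rules()))
    print("new rules with -I:", verdicts(build_new_rules(use_insert=True)))
    print("new rules with -A:", verdicts(build_new_rules(use_insert=False)))
```

With -I the chain ends up as tcp/53, udp/53, udp/67 ACCEPT followed by the DROP, which is the intended behaviour; typed with -A the DROP sits first and swallows the DHCP and DNS packets too. The old rule set shows the other half of the answer: with an ACCEPT policy, anything on a port not listed (8080 in the sample) reaches the router.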