Firewall config for a static internet LAN subnet

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
burchbri
Regular
Posts: 44
Joined: Tue Oct 06, 2009 3:53 pm

Firewall config for a static internet LAN subnet

Post by burchbri » Sun Jan 10, 2010 12:05 pm

I have a solwise sar-600er running RouterTech_3.6.0D_20090922_2.91.1_AR7RD-4Ports_psbl_firmware.upgrade.img. I have statically configured the LAN for my internet-addressable subnet. The router's own LAN interface br0 has an address within this subnet, which all my internet-facing systems use as their default route. The adsl provider's dhcp server assigns my router's ppp address when the connection is made.

My pppoa setup does NOT have the NAT option set, because my LAN subnet is internet-addressable. My own internet-facing servers are individually firewalled, so the router firewall is turned off to permit internet access to them.

This firmware has the "Access Control" feature, so I have enabled it. All WAN access is turned off, while LAN Group 1 only has web and ssh services checked. I have NOT defined an IP access list.

I can see that the iptables queues for INPUT and FORWARD both have the ACCEPT policies, confirming that the firewall is not active.

When I try to ping the router's LAN interface from somewhere else on the internet, it works (as I expect).

When I telnet to the routerTech LAN address on port 80 from somewhere else on the internet, I get a connection from the web server. This is NOT what I want to happen - I don't want anyone out there hacking my router's configuration. However, this behaviour sort-of makes sense because my configuration permits internet access to my LAN subnet and the web server is permitted to listen on that interface.

I have played around with the access control setup, and also with the ip filters, but they don't seem to be appropriate to my requirements.

I have coded three simple firewall rules and put them in the environment so they are executed each time the router boots:

Code:

# accept anything coming from my own static LAN subnet
setenv RT_cmd_1 "iptables -A INPUT -s xxx.xxx.xxx.xxx/255.255.255.yyy -j ACCEPT"
# accept ICMP from anywhere
setenv RT_cmd_2 "iptables -A INPUT -s 0/0 -p icmp -j ACCEPT"
# everything else addressed to the router itself is dropped
setenv RT_cmd_3 "iptables -P INPUT DROP"

This change seems to achieve my basic objective of protecting the router itself. Users on the internet can still access my individual servers because the router FORWARD queue still has the default policy of ACCEPT.

I looked at the setenv autoexecX.sh mechanism, but couldn't see how to write my own fancy shell script and then store it to flash memory - unless I built my own firmware image.

Do you think my current solution is the best way to achieve my objectives? How many RT_cmd_x environment variables can I assign before I run out? Should I be stacking several iptables commands into one RT_cmd variable? What is the max size of one of these variables?
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Firewall config for a static internet LAN subnet

Post by thechief » Sun Jan 10, 2010 12:55 pm

I am not a networking expert, so I can't comment on many of the things that you've raised - but I will comment on what I can.
burchbri wrote: When I telnet to the routerTech LAN address on port 80 from somewhere else on the internet, I get a connection from the web server. This is NOT what I want to happen - I don't want anyone out there hacking my router's configuration.
Are you sure you're connecting from outside the LAN? This seems like the typical "no local NAT problem".
burchbri wrote: I looked at the setenv autoexecX.sh mechanism, but couldn't see how to write my own fancy shell script and then store it to flash memory - unless I built my own firmware image.
You can create a minix partition and store your script there.
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
burchbri
Regular
Posts: 44
Joined: Tue Oct 06, 2009 3:53 pm

Re: Firewall config for a static internet LAN subnet

Post by burchbri » Sun Jan 10, 2010 4:15 pm

thechief wrote: I am not a networking expert, so I can't comment on many of the things that you've raised - but I will comment on what I can.
burchbri wrote: When I telnet to the routerTech LAN address on port 80 from somewhere else on the internet, I get a connection from the web server. This is NOT what I want to happen - I don't want anyone out there hacking my router's configuration.
Are you sure you're connecting from outside the LAN? This seems like the typical "no local NAT problem".
Thanks for your help... I'm new to RouterTech and don't know much, so I'm trying to learn without asking too many stupid questions.

Yes, I am sure. I tested when staying with a friend who lives at the other end of the country. Also, I am admin for a couple of SourceForge projects, so I can ssh to a shell on their servers and then poke my own systems from "over there".

Do you basically agree with my analysis? I understand why you might refer to my symptoms as a "no local NAT problem" - the only way you can work with NAT turned off is to have an internet-addressable subnet assigned to the ppp router's LAN interface. The LAN subnet must either be internet-addressable or NAT-ed (the third alternative creates a simple black hole - rather pointless in practice!). Given that in my case anyone can address the LAN, it makes sense that the access control mechanism allowing access from the LAN basically does just that... I'm just puzzled that I don't see any relevant iptables rules, and /etc/config.xml and /proc/ticfg/env don't appear to contain destination-interface-related rules. (Is this another one of those "it's in the core logic" issues?)
thechief wrote:
burchbri wrote: I looked at the setenv autoexecX.sh mechanism, but couldn't see how to write my own fancy shell script and then store it to flash memory - unless I built my own firmware image.
You can create a minix partition and store your script there.
That is interesting... I have stumbled over some posts on this subject, but hadn't realised they were talking about creating a partition on flash memory to use a non-volatile file system which wasn't part of the firmware image.

I'll bear it mind for future research, but I have more work to do with my iptables at the moment - could you please quickly comment on my earlier questions about possible limitations with the RT_cmd_x mechanism? (if the answer is rtfm, I would be very grateful for a hint)
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Firewall config for a static internet LAN subnet

Post by thechief » Sun Jan 10, 2010 5:03 pm

The stuff about NAT, etc., is all gobbledegook to me. I only intervened with "no local NAT" because what you described was a typical example of the problems that surface when local NAT is not enabled. This can be enabled with "/usr/local/bin/localnat.sh". Have a look at it. It will make more sense to you than it makes to me.

With regard to RT_cmd_x, you can have as many as your bootloader env will permit. The env space is 10kb. For the adam2 bootloader, it has a simple structure: 80 variables of 128 bytes each. For the psp bootloader, it is more complex - i.e., the lengths and numbers of variables don't seem to be fixed, and are sized/resized dynamically. That means that it is anyone's guess when the env will become full. The good news is that the psp bootloader is very good at recovering from "env full" situations and from fragmentation of the env. Adam2 is pretty bad at both of these.

As for all the iptables stuff, you'll need to look at all the various scripts. The rest is up to the core logic. And, as you know, that is closed source.
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Firewall config for a static internet LAN subnet

Post by mstombs » Sun Jan 10, 2010 5:20 pm

You may have a problem with iptables rules for the WAN using RT_cmd_x functions because the ppp0 interface may not exist until the DSL connects. It may be better to hook into the ppp_ip_up script or OnConnect WAN.

I'm still surprised the firewall is not set up correctly in a "no-nat" setup, as it should be a standard connect method - but you are not the first to report this.

Perhaps you could take up Chronos' offer of documenting his (possibly similar?) setup:

viewtopic.php?p=41473#p41473

As you obviously have other capable machines on your LAN, you can use wget to download a script to the ram disk on boot up, or you could execute a script using /cifs.
burchbri
Regular
Posts: 44
Joined: Tue Oct 06, 2009 3:53 pm

Re: Firewall config for a static internet LAN subnet

Post by burchbri » Sun Jan 10, 2010 5:45 pm

thechief wrote: The stuff about NAT, etc., is all gobbledegook to me. I only intervened with "no local NAT" because what you described was a typical example of the problems that surface when local NAT is not enabled. This can be enabled with "/usr/local/bin/localnat.sh". Have a look at it. It will make more sense to you than it makes to me.
Sorry! I didn't mean to show off. localnat.sh is not mentioned in "extra command line tools" and I hadn't trawled the directory since upgrading the firmware. I've certainly been put in my place... I can see this script is working in the same general area as me, but it will take me a while to unravel it and see if it does what I need more elegantly.
thechief wrote: With regard to RT_cmd_x, you can have as many as your bootloader env will permit. The env space is 10kb. For the adam2 bootloader, it has a simple structure: 80 variables of 128 bytes each. For the psp bootloader, it is more complex - i.e., the lengths and numbers of variables don't seem to be fixed, and are sized/resized dynamically. That means that it is anyone's guess when the env will become full. The good news is that the psp bootloader is very good at recovering from "env full" situations and from fragmentation of the env. Adam2 is pretty bad at both of these.
I'm lucky, then, because my routers have the psp bootloader.

Thanks very much for your help and advice. I have plenty to work with now, so I'll drop this thread (unless something interesting and relevant turns up later).
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Firewall config for a static internet LAN subnet

Post by thechief » Sun Jan 10, 2010 9:01 pm

burchbri wrote: Sorry! I didn't mean to show off. localnat.sh is not mentioned in "extra command line tools" and I hadn't trawled the directory since upgrading the firmware. I've certainly been put in my place
Not at all. My lack of networking expertise says nothing about you ;)
burchbri
Regular
Posts: 44
Joined: Tue Oct 06, 2009 3:53 pm

Re: Firewall config for a static internet LAN subnet

Post by burchbri » Sat Jan 16, 2010 5:51 pm

mstombs wrote: You may have a problem with iptables rules for the WAN using RT_cmd_x functions because the ppp0 interface may not exist until the DSL connects. It may be better to hook into the ppp_ip_up script or OnConnect WAN.

I'm still surprised the firewall is not set up correctly in a "no-nat" setup, as it should be a standard connect method - but you are not the first to report this.
Just to make this clear in case someone else finds this thread when looking for help... My adsl service provider has reserved me a static internet-addressable subnet because I have my own domain and multiple servers. I assign this subnet to the routerTech LAN, with one of these addresses assigned to the router's ethernet interface (actually it gets assigned to br0). This means every one of these addresses is theoretically accessible from the internet. My adsl provider's ppp-dhcp server also assigns another address to the router's pppoa interface (in a "standard ppp" /4 subnet which might or might not be internet-addressable).

The access control feature works at the granularity of an interface, so if I want to get to the router via web gui or telnet from my own systems (of course I do!), I must permit LAN access. I could create an ip access list to permit only my hosts and therefore block the internet, but I chose to work with my own iptables instead.

Because I have a static internet subnet, I don't need to worry about the state of the ppp link. I can write my iptables rules against my own ip addresses, which never change. The ppp link can go down and up, but my rules persist and continue to apply because they don't reference any of the interfaces. (Obviously, this wouldn't be any use to someone assigned a dynamic ppp ip address, but then wouldn't they be required to work with NAT?)
mstombs wrote: Perhaps you could take up Chronos' offer of documenting his (possibly similar?) setup:

viewtopic.php?p=41473#p41473

As you obviously have other capable machines on your LAN, you can use wget to download a script to the ram disk on boot up, or you could execute a script using /cifs.
Chronos' post is relevant and very interesting for me, but his requirements seem to be different to mine. I am not bridging - I am routing between my ppp0 and br0 interfaces, both of which have mutually-addressable ip addresses (that's why I don't need to use nat).

His comments about wanting his own minix partition to store his scripts are helpful too. I am slightly concerned about maintenance of my growing set of RT_cmd environment variables as I add more sophisticated rules, so I might need to go that way eventually. I feel that my router needs to boot directly into secure mode without external help from people or other machines.
burchbri
Regular
Posts: 44
Joined: Tue Oct 06, 2009 3:53 pm

Re: Firewall config for a static internet LAN subnet

Post by burchbri » Sat Jan 16, 2010 6:14 pm

thechief wrote: This can be enabled with "/usr/local/bin/localnat.sh". Have a look at it. It will make more sense to you than it makes to me.
I've looked at the script, and also the link it references - http://www.netfilter.org/documentation/ ... TO-10.html. It seems to be addressing a subtle NAT issue that isn't relevant to my situation. It applies to the case where NAT is used, but without an inside DNS server. Inside clients and outside clients both use the internet name system to resolve a service which is port-forwarded to a server on the inside. localnat.sh sets up nat rules to enable the inside clients to resolve the server name on the outside dns, but still access the service on the same inside address space.

All I can say is that I'm impressed. I solved this particular problem the old fashioned way - I have inside and outside dns servers that resolve the same services to the same systems, but within their respective addressing contexts. You need more resources, but don't have to be so clever!
anindeeta
Newbie
Posts: 1
Joined: Sat Feb 13, 2010 11:18 am

Re: Firewall config for a static internet LAN subnet

Post by anindeeta » Wed Feb 17, 2010 7:35 am

What should a laptop's firewall settings be to allow it to access the internet? In our WiFi network, some laptops are unable to access the internet while others can. Assuming that certain laptops are unable to connect due to a firewall setting, how do I configure the laptops to allow them to go online?
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Firewall config for a static internet LAN subnet

Post by thechief » Wed Feb 17, 2010 9:51 am

anindeeta wrote: What should a laptop's firewall settings be to allow it to access the internet? In our WiFi network, some laptops are unable to access the internet while others can. Assuming that certain laptops are unable to connect due to a firewall setting, how do I configure the laptops to allow them to go online?
I think this is most likely a case of network misconfiguration on the laptops that have problems. It would have nothing to do with firewall settings.
burchbri
Regular
Posts: 44
Joined: Tue Oct 06, 2009 3:53 pm

Re: Firewall config for a static internet LAN subnet

Post by burchbri » Fri Feb 26, 2010 5:53 pm

thechief wrote: With regard to RT_cmd_x, you can have as many as your bootloader env will permit. The env space is 10kb. For the adam2 bootloader, it has a simple structure: 80 variables of 128 bytes each. For the psp bootloader, it is more complex - i.e., the lengths and numbers of variables don't seem to be fixed, and are sized/resized dynamically. That means that it is anyone's guess when the env will become full. The good news is that the psp bootloader is very good at recovering from "env full" situations and from fragmentation of the env. Adam2 is pretty bad at both of these.
I thought it would be useful to make a couple of observations, now that I've implemented my firewall rules with RT_cmd_xx variables...

1. I couldn't get multiple commands executed as a single variable when I chained them together with double-ampersands (meaning only run this command if the previous one returned rc==0). When I chained the commands, only the first one was executed. I did not experiment with semi-colon chaining, so I don't know if that would have worked instead.

2. If you need the commands to run in a specific order, you must be careful with the names that you choose to avoid unexpected sequencing errors. i.e. if you have more than nine variables, make sure the first nine are called things like RT_cmd_01 (because RT_cmd_1 would sort just before RT_cmd_10 and spoil the intended sequence).

3. There seems to be a limitation with the psp boot loader... an individual variable cannot be longer than approx 128 bytes (setenv fails with a segmentation exception). I didn't experiment to discover the exact limit.

4. If (when) you need to update an individual variable, the getenv command will list the changed ones after the unchanged ones. There is no need to worry (or defragment the variables), because the RT_cmd_xx variables will still be processed in the intended order.

5. My rules require 32 variables and they were all accepted and executed successfully.
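As an added example (not code from this thread or from the RouterTech firmware), the following POSIX shell script takes the three INPUT rules from the first post and emits RT_cmd_NN setenv lines that respect the constraints reported above: one iptables command per variable, zero-padded names that survive the pre-execution sort, and a 128-byte ceiling per variable. The ESTABLISHED,RELATED rule is an assumption added so the router's own outbound connections still receive replies under an INPUT DROP policy, and 203.0.113.0/255.255.255.224 is a constructed placeholder for the masked xxx.xxx.xxx.xxx subnet.

```shell
#!/bin/sh
# Turn an ordered list of iptables rules into RT_cmd_NN setenv lines for the
# RouterTech bootloader environment, enforcing the limits reported in this
# thread: one command per variable (&& chaining only ran the first command),
# two-digit zero-padded names so RT_cmd_09 sorts before RT_cmd_10, and a
# 128-byte ceiling per variable. It only prints the lines for review; it
# does not touch the router.

# Constructed placeholder from the RFC 5737 documentation range; substitute
# the real static LAN subnet (the original post masks it as xxx.xxx.xxx.xxx).
LAN_SUBNET="203.0.113.0/255.255.255.224"
MAX_LEN=128

# Rule order matters: accept the LAN, keep replies to the router's own
# connections (this ESTABLISHED,RELATED rule is an assumption, not in the
# original post), allow ICMP, then drop everything else that reaches INPUT.
rules() {
  cat <<EOF
iptables -A INPUT -s $LAN_SUBNET -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 0/0 -p icmp -j ACCEPT
iptables -P INPUT DROP
EOF
}

# check_rule RULE: succeed only if RULE can live in a single env variable.
check_rule() {
  case "$1" in
    *'&&'*|*';'*) return 1 ;;   # a chained command would be cut after the first
  esac
  [ "${#1}" -le "$MAX_LEN" ]
}

# gen_rt_cmds: print 'setenv RT_cmd_NN "rule"' for each rule, in order.
# Fails (exit 1) if a rule breaks the constraints or the count passes 99.
gen_rt_cmds() {
  n=0
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    n=$((n + 1))
    if [ "$n" -gt 99 ]; then
      echo "too many rules for two-digit RT_cmd names" >&2; return 1
    fi
    if ! check_rule "$rule"; then
      echo "rule $n rejected (chained or >$MAX_LEN bytes): $rule" >&2; return 1
    fi
    printf 'setenv RT_cmd_%02d "%s"\n' "$n" "$rule"
  done <<EOF
$(rules)
EOF
}

# sorted_matches_generated: the bootloader sorts the variable names before
# running them, so the emitted order must survive a plain sort.
sorted_matches_generated() {
  [ "$(gen_rt_cmds)" = "$(gen_rt_cmds | sort)" ]
}

gen_rt_cmds
```

Paste the printed setenv lines into the router shell one at a time; anything the script rejects needs splitting into shorter, single-command variables.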
mstombs
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Firewall config for a static internet LAN subnet

Post by mstombs » Fri Feb 26, 2010 10:18 pm

Wow - 32 commands! You do realize a minix partition is created on the router itself and you can store a shell script?
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: Firewall config for a static internet LAN subnet

Post by thechief » Fri Feb 26, 2010 11:12 pm

burchbri wrote: 2. If you need the commands to run in a specific order, you must be careful with the names that you choose to avoid unexpected sequencing errors. i.e. if you have more than nine variables, make sure the first nine are called things like RT_cmd_01 (because RT_cmd_1 would sort just before RT_cmd_10 and spoil the intended sequence).
Or RT_cmd_A, B, C, D, E, etc.
burchbri wrote: 3. There seems to be a limitation with the psp boot loader... an individual variable cannot be longer than approx 128 bytes (setenv fails with a segmentation exception). I didn't experiment to discover the exact limit.
128 bytes.
burchbri wrote: 4. If (when) you need to update an individual variable, the getenv command will list the changed ones after the unchanged ones.
It lists them in the order in which they are found. If you want it sorted, you can pipe the output to "sort".
burchbri wrote: There is no need to worry (or defragment the variables), because the RT_cmd_xx variables will still be processed in the intended order.
Yes. It is because they are sorted before execution. The environment itself would be quite fragmented after creating so many variables.