Show the full output of:
Code:
cat /tmp/filter_rules
iptables-save -t filter
Code:
[root@WL-500gpv2 root]$ cat /tmp/filter_rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A SECURITY -p udp -m limit --limit 5/s -j RETURN
-A SECURITY -p icmp -m limit --limit 5/s -j RETURN
-A SECURITY -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o vlan1 ! -i br0 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
Code:
[root@WL-500gpv2 root]$ iptables-save -t filter
# Generated by iptables-save v1.2.7a on Tue Mar 17 11:19:54 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [50:2400]
:OUTPUT ACCEPT [1784:622885]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent recent: seconds: 1701970168 hit_count: 1953391971 name: side: source
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent recent: seconds: 1701970168 hit_count: 1953391971 name: side: source -j DROP
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 65100:65150 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Tue Mar 17 11:19:54 2009
These lines:
Quote:
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
should be at the beginning of the INPUT chain.
Just a guess: at the moment you accept INVALID packets ==> the results can be unpredictable.
Thank you, Al! I re-ordered the iptables rules as you said. I'll see the result.
But what about those cryptic numbers in the iptables-save output? They don't seem to be counters; what are those numbers in the INPUT "recent" rules?
I tried the UPnP experience and I'm glad to share it with you.
First, I'm sorry, Al, that I said the UPnP service does not work with the 1.9.2.7-10.7 firmware. It works.
First we have to make sure that the UPnP service is installed and working under Windows: http://support.microsoft.com/kb/941206
Second, there are only a few utilities to control router port forwarding from Windows. I tried about 5 of them and none of them works except this one: http://www.codeproject.com/KB/IP/PortForward.aspx
...but the download link on the above site is broken :), so I found it and put it here as an attachment.
I hope you are satisfied with this! :)
Al, I studied how UPnP inserts rules in the VSERVER chain and in the FORWARD chain. In the FORWARD chain the rules are added on top of the rules that drop INVALID packets and let RELATED,ESTABLISHED traffic through, so... I think this may be a source of errors in forwarding ports. I did not experience errors, but, again, as you say above, INVALID packets could traverse the FORWARD chain through UPnP-forwarded ports.
The solution would be for UPnP to trigger commands like:
Code:
iptables -I FORWARD 4 -p tcp -m tcp --dport port_num -j ACCEPT
or, for flexibility, to target a predefined "UPnP" chain. But I do not know how to modify this...
We do not even need to accept forwarding (through the FORWARD chain) of UPnP ports, because we have in the firewall:
Code:
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
and so DNAT-ed packets from the VSERVER chain are already accepted through the forwarding chain. ...But it seems that this conntrack rule is not working. Maybe because the ip_conntrack.o module is missing?
I'm back because I do not understand why there is no ending FORWARD rule:
Code:
iptables -A FORWARD -j DROP
This is a security hole!!!
I changed the ftp port to "1021" and when I try to connect it gives this error:
Code:
PORT COMMAND FAILED! 500 Illegal port COMMAND
How can I fix it?
What is wrong????
Code:
[TheCrow@WL-001FC6D7E6E7 root]$ lsmod
Tainted: P
usb-storage 63312 3
sd_mod 12660 6
scsi_mod 72624 2 [usb-storage sd_mod]
videodev 8752 0 (unused)
audio 47176 0 (unused)
soundcore 4920 0 [audio]
printer 12964 0 (unused)
ehci-hcd 22916 0 (unused)
usb-ohci 19412 0 (unused)
usbcore 76112 1 [usb-storage audio printer ehci-hcd usb-ohci]
ip_nat_ftp 3136 0 (unused)
ip_conntrack_ftp 4584 2
wl 897336 0 (unused)
et 29024 0 (unused)
[TheCrow@WL-001FC6D7E6E7 root]$
I don't know the answer to your question, Crow, because I have disabled ftp in the web page and installed another ftp server (for now it is pure-ftpd).
But I have a question too, related to ftp. Is there a way (an optware package) to use disk quota? I want to limit the disk usage of the user running ftp (ftpuser).
Pure-ftpd has a disk quota for every user, but I'd like to apply a quota for the whole ftp users group.
Sorry... I don't know...
Quote:
PORT COMMAND FAILED! 500 Illegal port COMMAND
Try to connect in passive mode.
Does anybody have SANE working? I would appreciate any help on this... thanks for any advice or a link to one. ;-)
Use swapon / swapoff:
Quote:
Originally Posted by darius by PM
wengi
Code:
[admin@blechbuechse root]$ swapoff /dev/discs/disc0/part1
[admin@blechbuechse root]$ free
total used free shared buffers cached
Mem: 13964 13448 516 0 1548 7336
-/+ buffers/cache: 4564 9400
Swap: 0 0 0
[admin@blechbuechse root]$ swapon /dev/discs/disc0/part1
[admin@blechbuechse root]$ free
total used free shared buffers cached
Mem: 13964 13696 268 0 1548 7336
-/+ buffers/cache: 4812 9152
Swap: 500432 0 500432
Hi,
I am back, as the problem persists.
My router No.1 worked fine with Oleg's firmware: applications installed on a 4GB USB stick, part2 mounted regularly as /opt, and part1 swap on.
I reflashed it with Koppel for cellular modem support, and now part1 is no longer swapped on and the /opt directory is empty.
I insert the same USB stick into my No.2 router and part1 swap is on, part2 is mounted as /opt and I can run applications.
I can swapon on router No.1 and it works.
Unfortunately the /opt directory is empty, so there are no preinstalled applications to run.
I discovered the problem with PuTTY when the ssh/telnet session was closed immediately on router No.1.
As I use the same system HDD stick on both routers, what can be done to have part1 swapped on and part2 mounted as /opt on router No.1 at boot?
As you can see, swap was off, so I followed your great tutorial:
mkswap
swapon
Code:
[admin@aa /opt]$ free
total used free shared buffers
Mem: 30324 14264 16060 0 1772
Swap: 0 0 0
Total: 30324 14264 16060
[admin@aa /opt]$ mkswap /dev/discs/disc0/part1
Setting up swapspace version 1, size = 534499328 bytes
[admin@aa /opt]$ free
total used free shared buffers
Mem: 30324 14272 16052 0 1772
Swap: 0 0 0
Total: 30324 14272 16052
[admin@aa /opt]$ swapon /dev/discs/disc0/part1
[admin@aa /opt]$ free
total used free shared buffers
Mem: 30324 14532 15792 0 1772
Swap: 521968 0 521968
Total: 552292 14532 537760
[admin@aa /opt]$ free
total used free shared buffers
Mem: 30324 14532 15792 0 1772
Swap: 521968 0 521968
Total: 552292 14532 537760
[admin@aa /opt]$
Edited once again (was empty).
Code:
[admin@aa root]$ ls
[admin@aa root]$ cd /
[admin@aa /]$ cd /opt
[admin@aa /opt]$ ls
[admin@aa /opt]$ mount
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/discs/disc0/part2 on /tmp/mnt/disc0_2 type ext3 (rw,noatime)
/dev/discs/disc0/part3 on /tmp/mnt/disc0_3 type ext3 (rw,noatime)
[admin@aa /opt]$ free
total used free shared buffers
Mem: 30324 14256 16068 0 1772
Swap: 0 0 0
Total: 30324 14256 16068
[admin@aa /opt]$ fdisk -l
Disk /dev/scsi/host0/bus0/target0/lun0/disc: 4009 MB, 4009754624 bytes
145 heads, 48 sectors/track, 1125 cylinders
Units = cylinders of 6960 * 512 = 3563520 bytes
Device Boot Start End Blocks Id System
/dev/scsi/host0/bus0/target0/lun0/part1 1 150 521976 82 Linux swap
/dev/scsi/host0/bus0/target0/lun0/part2 151 500 1218000 83 Linux
/dev/scsi/host0/bus0/target0/lun0/part3 501 1125 2175000 83 Linux
[admin@aa /opt]$ df -l
df: illegal option -- l
BusyBox v1.1.3 (2008.04.25-08:17+0000) multi-call binary
Usage: df [-hmk] [FILESYSTEM ...]
[admin@aa /opt]$ df -l
df: illegal option -- l
BusyBox v1.1.3 (2008.04.25-08:17+0000) multi-call binary
Usage: df [-hmk] [FILESYSTEM ...]
vi /etc/fstab
echo "/etc/fstab" >> /usr/local/.files
Edited pre-mount:
vi /usr/local/sbin/pre-mount
and on reboot:
flashfs save && flashfs commit && flashfs enable && reboot
======
So it works fine.
Code:
[admin@aa root]$ mount
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/discs/disc0/part2 on /opt type ext3 (rw,noatime)
/dev/discs/disc0/part3 on /tmp/mnt/disc0_3 type ext3 (rw,noatime)
[admin@aa root]$ free
total used free shared buffers cached
Mem: 30324 17492 12832 0 1864 8476
-/+ buffers/cache: 7152 23172
Swap: 521968 0 521968
[admin@aa root]$
Run mc, and clicking on the arrow keys generates the following:
AAAABBBBAAAAACCCCCDDDDAABBDDCCCDDABBBBBBBBACCDABD B
OK. I closed the PuTTY session, as there was no other way to press F10 to exit mc and get the command line back.
I opened a new PuTTY session and the arrows don't work in mc, so there is no way to use mc.
Any idea, any solution?
Darius