Hi Oleg,
Thanks again for your time.
Code:
[admin@wl500g root]$ cat /tmp/filter_rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A SECURITY -p udp -m limit --limit 5/s -j RETURN
-A SECURITY -p icmp -m limit --limit 5/s -j RETURN
-A SECURITY -j logdrop
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j SECURITY
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o eth1 ! -i br0 -j logdrop
-A FORWARD ! -i br0 -m state --state NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j logdrop
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
Code:
[admin@wl500g root]$ cat /usr/local/sbin/post-firewall
#!/bin/sh
logger -t iptables -p user.notice "Running post-firewall script"
iptables -I INPUT 6 -i "$1" -s xxxxxx -d "$2" -p tcp --syn --dport 22 -j logaccept
iptables -R INPUT 7 -i "$1" -d "$2" -p tcp --syn --dport 21 -j logaccept
iptables -t nat -A PREROUTING -i "$1" -p tcp --dport 8080 -j DROP
iptables -t nat -A VSERVER -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -I INPUT 8 -i "$1" -d "$2" -p tcp --syn --dport 8080 -j ACCEPT
iptables -I INPUT 8 -i "$1" -d 255.255.255.255 -p udp --sport 68 --dport 67 -j DROP
iptables -I INPUT 8 -i "$1" -d 255.255.255.255 -p udp --sport 67 --dport 68 -j DROP
iptables -I INPUT 6 -i "$1" -s yyyyyy -d "$2" -p tcp --syn --dport 22 -j logaccept
iptables -I SECURITY -i "$1" -d "$2" -p tcp --syn --dport 8080 -j RETURN
if [ -f /etc/blacklist ]; then
awk '{ print "iptables -I SECURITY -s " $1 " -j logdrop" }' /etc/blacklist | /bin/sh
fi
iptables -P INPUT DROP
(some addresses censored by me)
The /etc/blacklist blocks out certain IP ranges which have been known for trying to do brute-force attacks against my machine:
Code:
[admin@wl500g root]$ cat /etc/blacklist
60.0.0.0/8
61.0.0.0/8
66.150.0.0/15
81.29.229.1
85.255.112.0/14
133.0.0.0/8
155.158.0.0/16
193.86.0.0/16
202.0.0.0/8
203.0.0.0/8
204.16.208.0/22
218.0.0.0/8
219.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
Yes, your line seems to be there in /tmp/filter_rules. However, I've accidentally overwritten it in the post-firewall script. My mistake.
However, doesn't the fact that a SIGUSR signal seems to kick the udhcpc process back to normal indicate that it's not a firewall problem?
Anyway, I'll update/disable my post-firewall to see if it solves the problem.
Hopefully this was all due to my bad post-firewall settings. I'll post an update to verify this later when it has run for a while.
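Added example, not part of the post above: a shell model of how the first two post-firewall lines renumber the INPUT chain from /tmp/filter_rules, so that "-R INPUT 7" lands on the DHCP accept rule that "-I INPUT 6" has just pushed down one slot. Only the chain order is simulated (no iptables is run); eth1 stands in for "$1", "wanaddr" is a placeholder for "$2", and xxxxxx is the censored source address from the post.

```shell
#!/bin/sh
# Constructed copy of the seven INPUT rules from the /tmp/filter_rules dump,
# one per line in iptables rule-number order.
CHAIN=$(mktemp)
cat > "$CHAIN" <<'EOF'
-m state --state INVALID -j logdrop
-m state --state ESTABLISHED,RELATED -j ACCEPT
-i lo -m state --state NEW -j ACCEPT
-i br0 -m state --state NEW -j ACCEPT
-i eth1 -m state --state NEW -j SECURITY
-p udp --sport 67 --dport 68 -j ACCEPT
-j logdrop
EOF

# rule_at N: print rule number N (1-based, as in iptables -L --line-numbers)
rule_at() { sed -n "${1}p" "$CHAIN"; }

# rule_count: number of rules currently in the modelled chain
rule_count() { awk 'END { print NR }' "$CHAIN"; }

# insert_rule N RULE: emulate "iptables -I INPUT N RULE"; old rule N and
# everything after it move down by one
insert_rule() {
  awk -v pos="$1" -v rule="$2" 'NR == pos { print rule } { print }' "$CHAIN" > "$CHAIN.new" &&
  mv "$CHAIN.new" "$CHAIN"
}

# replace_rule N RULE: emulate "iptables -R INPUT N RULE"; rule N is overwritten
replace_rule() {
  awk -v pos="$1" -v rule="$2" 'NR == pos { print rule; next } { print }' "$CHAIN" > "$CHAIN.new" &&
  mv "$CHAIN.new" "$CHAIN"
}

# has_dhcp_accept: succeed only while the DHCP-reply accept rule is still in the chain
has_dhcp_accept() { grep -q -- '--sport 67 --dport 68 -j ACCEPT' "$CHAIN"; }

# Replay the first two post-firewall lines (placeholders constructed, see lead-in).
insert_rule 6 '-i eth1 -s xxxxxx -d wanaddr -p tcp --syn --dport 22 -j logaccept'
replace_rule 7 '-i eth1 -d wanaddr -p tcp --syn --dport 21 -j logaccept'

if has_dhcp_accept; then
  echo "DHCP accept rule survived"
else
  echo "DHCP accept rule was overwritten; rule 7 is now: $(rule_at 7)"
fi
```

After the two commands the DHCP accept rule is gone, which is why udhcpc renewals over the WAN interface end up in logdrop until the chain is rebuilt.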