SmallNetBuilder Forums > Wireless Networking > ASUS Wireless > Asuswrt-Merlin

#11  12-27-2012, 12:01 PM  f41thr
Update

Confirmed: ASUS RT-N16 works fine with Merlin Firmware.
Might have some issues; I'll report later.

With support from probutus, we made the AICCU integration.
After a few mails between probutus and me I finally made it. And I have some recommendations on FW security. See script below.
(Manual load of conntrack and logging.) This is not the final one; a more sophisticated one will be made available later this month.

Following my experience with pf on OpenBSD, it can be simplified later on! Even with ip6tables!

So primarily thanks to Merlin for the Merlin Firmware for ASUS Routers and then to probutus for the AICCU integration.

cu F41THR

#!/bin/sh
# Enable IPv6 and IPv6 forwarding on all interfaces
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# Bring up the SixXS tunnel, address the LAN bridge and start router advertisements
aiccu start /jffs/configs/aiccu.conf
ifconfig br0 2001:XXXX:XXXX::1/64
radvd -C /jffs/configs/radvd.conf -u admin

#
# !!!!! load conntrack manually (needed for the ESTABLISHED,RELATED rules below)
#
insmod /lib/modules/2.6.22.19/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko

# Definitions
IP6TABLES='/usr/sbin/ip6tables'

WAN_IF='sixxs'
LAN_IF='br0'

SUBNETPREFIX='2001:4dd0:ff00:8ab8::/48'
MYTUNNEL='2001:4dd0:ff00:ab8::2'
SIXXSTUNNEL='2001:4dd0:ff00:ab8::1'

# Flush all rules and delete user-defined chains
$IP6TABLES -F INPUT
$IP6TABLES -F OUTPUT
$IP6TABLES -F FORWARD

$IP6TABLES -F
$IP6TABLES -X

# DROP all incoming traffic (default policy; only explicitly allowed traffic passes)
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP

# Filter all packets that have RH0 headers:
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
$IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
$IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow anything on the loopback interface
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet
$IP6TABLES -A OUTPUT -o $WAN_IF -j ACCEPT
# Allow established, related packets back in (currently disabled)
#ip6tables -A INPUT -i sixxs -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the local net to access us:
$IP6TABLES -A INPUT -i $LAN_IF -j ACCEPT
$IP6TABLES -A OUTPUT -o $LAN_IF -j ACCEPT

# Allow link-local addresses
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
$IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
$IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT
$IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT

# Paranoia on the IPv6 interface: no new TCP connections and no UDP from the tunnel
# (-I puts these at the top of the chain, ahead of everything above)
$IP6TABLES -I INPUT -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I INPUT -i $WAN_IF -p udp -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p udp -j DROP

# Allow forwarding on the IPv6 interface: LAN may open connections out, replies come back
$IP6TABLES -A FORWARD -m state --state NEW -i $LAN_IF -o $WAN_IF -s $SUBNETPREFIX -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow some special ICMPv6 packet types, do this in an extra chain because we need it everywhere
$IP6TABLES -N AllowICMPs
# Destination unreachable
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big (required for path MTU discovery over the tunnel)
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in chains INPUT and FORWARD (in OUTPUT we allow everything anyway)
$IP6TABLES -A INPUT -p icmpv6 -s $SIXXSTUNNEL -d $MYTUNNEL -j AllowICMPs
$IP6TABLES -A FORWARD -p icmpv6 -i $WAN_IF -o $LAN_IF -d $SUBNETPREFIX -j AllowICMPs

# SSH in
##$IP6TABLES -A FORWARD -i sixxs -p tcp -d <subnet-prefix>::5 --dport 22 -j ACCEPT

# Log everything that fell through (the chain policy then drops it)
$IP6TABLES -A INPUT -j LOG --log-prefix "IPv6-INPUT:"
$IP6TABLES -A FORWARD -j LOG --log-prefix "IPv6-FORWARD:"
$IP6TABLES -A OUTPUT -j LOG --log-prefix "IPv6-OUTPUT:"
Replace

SUBNETPREFIX='your-prefix/48'
MYTUNNEL='see Your IPv6 on SIXXS'
SIXXSTUNNEL='see Pop IPv6 on SIXXS'

with your settings.

Last edited by f41thr; 12-29-2012 at 04:44 PM. Reason: Update FW script part (minor corrections)
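As an added example (not part of f41thr's post nor of the Merlin firmware), here is a small POSIX sh summarizer for the lines the three LOG rules at the end of the script produce. Because every chain has a DROP policy, each logged line is a packet that matched no ACCEPT rule, so a count per chain, ingress interface and protocol shows at a glance what the ruleset is rejecting, and the list of TCP ports being probed on the WAN side is the thing to watch over time. The sample log lines are constructed in the format the kernel LOG target emits; interface names and addresses are made up.

```shell
#!/bin/sh
# Constructed sample lines (not real traffic) in the kernel LOG target format,
# using the prefixes from the firewall script above.
SAMPLE_LOG='Dec 29 12:01:02 kernel: IPv6-INPUT:IN=sixxs OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 12:01:03 kernel: IPv6-INPUT:IN=sixxs OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=40001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 12:01:05 kernel: IPv6-FORWARD:IN=sixxs OUT=br0 SRC=2001:0db8:0000:0000:0000:0000:0000:0009 DST=2001:0db8:0000:0005:0000:0000:0000:0005 LEN=60 TC=0 HOPLIMIT=51 FLOWLBL=0 PROTO=UDP SPT=53 DPT=5353 LEN=20
Dec 29 12:01:09 kernel: IPv6-OUTPUT:IN= OUT=eth0 SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0033 LEN=60 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=5555 DPT=80 WINDOW=5760 RES=0x00 SYN URGP=0'

# Read log lines on stdin, print "CHAIN IN_IF PROTO count" per distinct triple.
# The --log-prefix has no trailing space, so the chain name is glued to the
# IN= token ("IPv6-INPUT:IN=sixxs"); an empty IN= (OUTPUT chain) becomes "-".
summarize_ip6_log() {
    awk '
        /IPv6-[A-Z]+:/ {
            chain = "?"; in_if = "-"; proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IPv6-[A-Z]+:/) {
                    split($i, parts, ":")           # parts[1]=IPv6-INPUT parts[2]=IN=sixxs
                    chain = substr(parts[1], 6)     # strip the "IPv6-" prefix
                    if (parts[2] ~ /^IN=./) in_if = substr(parts[2], 4)
                } else if ($i ~ /^PROTO=/) {
                    proto = substr($i, 7)
                }
            }
            count[chain " " in_if " " proto]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# List the distinct TCP destination ports of SYNs that reached the router itself
# on the given WAN interface, i.e. the services someone tried to open from outside.
wan_syn_dports() {
    wan_if=$1
    awk -v wan="$wan_if" '
        $0 ~ ("IPv6-INPUT:IN=" wan " ") && / PROTO=TCP / && / SYN / {
            for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) print substr($i, 5)
        }
    ' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | summarize_ip6_log
printf 'WAN SYN ports: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | wan_syn_dports sixxs)"
```

On the router, feed the functions the kernel log instead of the sample (for instance `dmesg | summarize_ip6_log`). The OUTPUT line in the sample is the interesting one: the script only permits outbound traffic on lo, br0 and sixxs, so anything the router itself tries to send on another interface shows up here and usually points at a process or route you did not expect.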
#12  12-28-2012, 06:42 AM  probutus

I'm currently having a hell of a time with integrating aiccu into rc... RMerlin was absolutely right that this would be the "fun part"....

Is there a chance to configure the IPv4/IPv6 firewall rules via the web interface?
Starting and stopping aiccu is one thing but having a customizable firewall is another...
#13  12-29-2012, 11:27 AM  f41thr

Quote:
Originally Posted by probutus View Post
I'm currently having a hell of a time with integrating aiccu into rc... RMerlin was absolutely right that this would be the "fun part"....

Is there a chance to configure the IPv4/IPv6 firewall rules via the web interface?
Starting and stopping aiccu is one thing but having a customizable firewall is another...
Maybe I'm completely wrong, but have a look at jffs. Custom scripts can be placed there. aiccu and the IPv6 FW can be configured via ssh. An autolauncher during startup makes sense, but everything else can be handled via ssh.

This is similar to the implementations on OpenWRT, DD-WRT, etc.
SIXXS and AICCU are not so popular that i.e. vendors spend much effort to integrate this. Look at Manuel Kasper's m0n0wall; there you have a full web-based integration.

But to have a look at rc could be interesting; I'll start to look into that, too.
Some ideas on that:

It could be much easier to create and add a few handsome static scripts in
~/asuswrt-merlin/release/src-rt/router/rc/ to launch i.e. aiccu, radvd and the firewall. Or one script launching all together.

The related config files can be placed either in jffs or /mnt/sda1/etc/config/
Scripts check if a config file exists and will be fired up. So there is no need to place defaults in NVRAM.
A feasible place for scripts is /etc/rc.d/

Question is how a script can be integrated, but this is an option of the Makefile in ../router

I just had a deeper look into the ip6tables configuration and I'll place an updated version soon (see also the SIXXS wiki later on).

Regards

F41THR

Last edited by f41thr; 12-29-2012 at 12:37 PM.
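As an added example of the layout f41thr sketches (custom scripts in jffs, config files in either /jffs/configs or /mnt/sda1/etc/config/, each daemon started only if its config file exists, so nothing needs to live in NVRAM), here is a hypothetical launcher in POSIX sh. It is not code from the post or from Asuswrt-Merlin; the file name ip6fw.sh, the search order of the two directories and the DRY_RUN switch are assumptions. One deliberate change from the order in the script above: the firewall is loaded before the tunnel is started, so the sixxs interface never exists without rules (ip6tables accepts rules naming an interface that does not exist yet).

```shell
#!/bin/sh
# Hypothetical autolauncher for aiccu, radvd and the IPv6 firewall script.
# Config search order (assumption): internal jffs first, then the USB stick.
CONFIG_DIRS=${CONFIG_DIRS:-"/jffs/configs /mnt/sda1/etc/config"}

# Print the full path of the first copy of $1 found in CONFIG_DIRS.
# Returns 1 (prints nothing) when no directory holds the file.
find_config() {
    name=$1
    for d in $CONFIG_DIRS; do
        if [ -f "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# Usage: start_if_configured <config-file-name> <command...>
# Runs "<command...> <path-to-config>" only when the config file exists;
# with DRY_RUN=1 the command line is printed instead of executed.
start_if_configured() {
    cfgname=$1; shift
    cfg=$(find_config "$cfgname") || { echo "skip: no $cfgname in $CONFIG_DIRS" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$* $cfg"
    else
        "$@" "$cfg"
    fi
}

# Boot sequence: rules first, then the tunnel, then router advertisements.
# Each step is independent; a missing config only skips that daemon.
main() {
    start_if_configured ip6fw.sh sh || true              # sh /.../ip6fw.sh
    start_if_configured aiccu.conf aiccu start || true   # aiccu start /.../aiccu.conf
    start_if_configured radvd.conf radvd -u admin -C || true   # radvd -u admin -C /.../radvd.conf
}

# Only act when invoked as "launcher.sh start", so sourcing the file is harmless.
case "${1:-}" in
    start) main ;;
esac
```

Keeping the config lookup in one function means the same script works whether the files sit in jffs or on the USB stick, and the DRY_RUN switch lets you verify the exact command lines over ssh before wiring the script into startup.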