SmallNetBuilder Forums
Go Back   SmallNetBuilder Forums > Wireless Networking > ASUS Wireless > Asuswrt-Merlin

#11 | 12-27-2012, 12:01 PM | f41thr
Update

Confirmed: ASUS RT-N16 works fine with Merlin Firmware.
There might be some issues I'll report later.

With support from Protubus, we made the AICCU integration.
After a few mails between Protubus and me I finally made it. And I have some recommendations on FW security. See the script below.
(Manual load of conntrack and logging). This is not the final one; a more sophisticated one will be made available later this month.

Following my experience with pf on OpenBSD, it can be simplified later on! Even with ip6tables!

So primarily thanks to Merlin for the Merlin Firmware for ASUS Routers, and then to Protubus for the AICCU integration.

cu F41THR

Quote:
#!/bin/sh
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
aiccu start /jffs/configs/aiccu.conf
ifconfig br0 2001:XXXX:XXXX::1/64
radvd -C /jffs/configs/radvd.conf -u admin

#
# Load the IPv6 conntrack module manually (needed for the state match below)
#
insmod /lib/modules/2.6.22.19/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko

# Definitions
IP6TABLES='/usr/sbin/ip6tables'

WAN_IF='sixxs'
LAN_IF='br0'

SUBNETPREFIX='2001:4dd0:ff00:8ab8::/48'
MYTUNNEL='2001:4dd0:ff00:ab8::2'
SIXXSTUNNEL='2001:4dd0:ff00:ab8::1'


$IP6TABLES -F INPUT
$IP6TABLES -F OUTPUT
$IP6TABLES -F FORWARD

$IP6TABLES -F
$IP6TABLES -X

# DROP all incoming traffic by default
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP

# Filter all packets that have RH0 headers:
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
$IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
$IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow anything on the local link
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet
$IP6TABLES -A OUTPUT -o $WAN_IF -j ACCEPT
# Allow established, related packets back in
#ip6tables -A INPUT -i sixxs -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the local net to access us:
$IP6TABLES -A INPUT -i $LAN_IF -j ACCEPT
$IP6TABLES -A OUTPUT -o $LAN_IF -j ACCEPT

# Allow Link-Local addresses
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
$IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
$IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT
$IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT

# Paranoia on ipv6 interface
$IP6TABLES -I INPUT -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I INPUT -i $WAN_IF -p udp -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p udp -j DROP

# Allow forwarding on ipv6 interface
$IP6TABLES -A FORWARD -m state --state NEW -i $LAN_IF -o $WAN_IF -s $SUBNETPREFIX -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow some special ICMPv6 packet types; do this in an extra chain because we need it everywhere
$IP6TABLES -N AllowICMPs
# Destination unreachable
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in chains INPUT and FORWARD (in OUTPUT we allow everything anyway)
$IP6TABLES -A INPUT -p icmpv6 -s $SIXXSTUNNEL -d $MYTUNNEL -j AllowICMPs
$IP6TABLES -A FORWARD -p icmpv6 -j AllowICMPs

# SSH in
##$IP6TABLES -A FORWARD -i sixxs -p tcp -d <subnet-prefix>::5 --dport 22 -j ACCEPT

# Log
$IP6TABLES -A INPUT -j LOG --log-prefix "IPv6-INPUT:"
$IP6TABLES -A FORWARD -j LOG --log-prefix "IPv6-FORWARD:"
$IP6TABLES -A OUTPUT -j LOG --log-prefix "IPv6-OUTPUT:"
Replace

SUBNETPREFIX='your-prefix/48'
MYTUNNEL='see Your IPv6 on SIXXS'
SIXXSTUNNEL='see Pop IPv6 on SIXXS'

with your settings.

Last edited by f41thr; 12-29-2012 at 04:44 PM. Reason: Update FW script part (minor corrections)
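An added example, not f41thr's script and not part of the Merlin firmware: the same sixxs/br0 rule set rebuilt so that the stateful ACCEPT is appended before the WAN drops (the script above inserts those drops with -I, which places them ahead of the ESTABLISHED,RELATED rule) and the ICMPv6 chain is linked in FORWARD as well. Interface names and the /48 are assumed placeholders; by default it only prints the commands, and a checker function confirms the rule order.

```shell
# Added example, not f41thr's script: the same sixxs/br0 rule set rebuilt so the
# stateful ACCEPT is appended before the WAN drops (the original inserts those with
# -I, ahead of ESTABLISHED,RELATED) and ICMPv6 is linked in FORWARD too.
IP6TABLES="${IP6TABLES:-echo ip6tables}"   # dry run: prints commands; set to /usr/sbin/ip6tables to apply
WAN_IF='sixxs'
LAN_IF='br0'
SUBNETPREFIX='2001:db8:ff00::/48'          # placeholder, replace with your SIXXS /48

emit_rules() {
    for c in INPUT FORWARD OUTPUT; do $IP6TABLES -P "$c" DROP; done
    # RH0 (type 0 routing header) is dropped first in every chain
    $IP6TABLES -A INPUT   -m rt --rt-type 0 -j DROP
    $IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
    $IP6TABLES -A OUTPUT  -m rt --rt-type 0 -j DROP
    # Return traffic is accepted before any WAN drop can shadow it
    $IP6TABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A OUTPUT  -j ACCEPT
    $IP6TABLES -A INPUT -i lo -j ACCEPT
    $IP6TABLES -A INPUT -i "$LAN_IF" -j ACCEPT
    $IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT    # NDP and RA on the link
    # ICMPv6 error types plus rate-limited echo request, linked in INPUT and FORWARD
    $IP6TABLES -N AllowICMPs
    for t in 1 2 3 4 129; do
        $IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    $IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
    $IP6TABLES -A INPUT   -p icmpv6 -j AllowICMPs
    $IP6TABLES -A FORWARD -p icmpv6 -j AllowICMPs
    # New outbound connections only from our own prefix
    $IP6TABLES -A FORWARD -m state --state NEW -i "$LAN_IF" -o "$WAN_IF" -s "$SUBNETPREFIX" -j ACCEPT
    # The explicit WAN drops now sit after the stateful rule, so only unsolicited packets hit them
    $IP6TABLES -A INPUT   -i "$WAN_IF" -p tcp --syn -j DROP
    $IP6TABLES -A FORWARD -i "$WAN_IF" -p tcp --syn -j DROP
    $IP6TABLES -A INPUT   -i "$WAN_IF" -p udp -j DROP
    $IP6TABLES -A FORWARD -i "$WAN_IF" -p udp -j DROP
    # Rate-limited logging of what falls through to the DROP policy (no syslog flood)
    $IP6TABLES -A INPUT   -m limit --limit 10/min -j LOG --log-prefix "IPv6-INPUT:"
    $IP6TABLES -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "IPv6-FORWARD:"
}

# Succeeds when, within chain $1, the ESTABLISHED,RELATED rule precedes the first
# DROP rule that matches traffic arriving on the WAN interface.
state_before_wan_drop() {
    rules=$(emit_rules | grep -- "-A $1 ")
    state=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1 | head -n1)
    drop=$(printf '%s\n' "$rules" | grep -n -- "-i $WAN_IF .*-j DROP" | cut -d: -f1 | head -n1)
    [ -n "$state" ] && [ -n "$drop" ] && [ "$state" -lt "$drop" ]
}
```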
#12 | 12-28-2012, 06:42 AM | probutus

I'm currently having a hell of a time with integrating aiccu into rc... RMerlin was absolutely right that this would be the "fun part"....

Is there a chance to configure the IPv4/IPv6 firewall rules via the web interface?
Starting and stopping aiccu is one thing but having a customizable firewall is another...
#13 | 12-29-2012, 11:27 AM | f41thr

Quote:
Originally Posted by probutus View Post
I'm currently having a hell of a time with integrating aiccu into rc... RMerlin was absolutely right that this would be the "fun part"....

Is there a chance to configure the IPv4/IPv6 firewall rules via webinterface?
Starting and stopping aiccu is one thing but having a customizable firewall is another...
Maybe I'm completely wrong, but have a look at jffs. Custom scripts can be placed there. aiccu and the ipv6 FW can be configured via ssh. An autolauncher during startup makes sense, but everything else can be handled via ssh.

This is similar to the implementations on OpenWRT, DD-WRT, etc...
SIXXS and AICCU are not so popular that e.g. vendors spend much effort to integrate this. Look at Manuel Kasper's m0n0wall; there you have a full web based integration.

But having a look at rc could be interesting; I'll start to look into that, too.
Some ideas on that:

It could be much easier to create and add a few handsome static scripts in
~/asuswrt-merlin/release/src-rt/router/rc/ to launch e.g. aiccu, radvd and the firewall. Or one script launching all together.

The related config files can be placed either in jffs or /mnt/sda1/etc/config/
Scripts check if a config file exists and will be fired up. So there is no need to place defaults in NVRAM.
A feasible place for scripts is /etc/rc.d/

The question is how a script can be integrated, but this is an option of the Makefile in ../router

I just had a deeper look into the ip6tables configuration and I'll place an updated version soon (see also the SIXXS WIKI later on).



Regards

F41THR

Last edited by f41thr; 12-29-2012 at 12:37 PM.