SmallNetBuilder Forums
Go Back   SmallNetBuilder Forums > Wireless Networking > ASUS Wireless > Asuswrt-Merlin

Reply
 
Thread Tools Search this Thread Display Modes
  #11  
Old 12-27-2012, 12:01 PM
f41thr f41thr is offline
New Member
 
Join Date: Dec 2012
Posts: 5
Thanks: 3
Thanked 1 Time in 1 Post
f41thr is just starting out
Default Update

Confirmed: ASUS RT-N16 works fine with Merlin Firmware.
Might have some issue I'll report later.

With support from Protubus, we made AICCU integration.
After a few mails between Protubus and me I finally made it. And I have some recommendations on FW security. See script below.
(Manual load of contrack and logging). This is not the final one, a more sophisticated will be made availiabel later this month.

Following my experience with pf on OpenBSD, it can be simplified later on! Even with ip6tables!

So primarily thank to Merlin for the Merlin Firmware of ASUS Routers and then to Protubus for the AICCU integration.

cu F41THR

Quote:
#!/bin/sh
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
aiccu start /jffs/configs/aiccu.conf
ifconfig br0 2001:XXXX:XXXX::1/64
radvd -C /jffs/configs/radvd.conf -u admin

#
# !!!!! load conntrack manuell
#
insmod /lib/modules/2.6.22.19/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko

# Definitions
IP6TABLES='/usr/sbin/ip6tables'

WAN_IF='sixxs'
LAN_IF='br0'

SUBNETPREFIX='2001:4dd0:ff00:8ab8::/48'
MYTUNNEL='2001:4dd0:ff00:ab8::2'
SIXXSTUNNEL='2001:4dd0:ff00:ab8::1'


$IP6TABLES -F INPUT
$IP6TABLES -F OUTPUT
$IP6TABLES -F FORWARD

$IP6TABLES -F
$IP6TABLES -X

# DROP all incomming traffic
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP

# Filter all packets that have RH0 headers:
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
$IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
$IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow anything on the local link
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet
$IP6TABLES -A OUTPUT -o $WAN_IF -j ACCEPT
# Allow established, related packets back in
#ip6tables -A INPUT -i sixxs -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the localnet access us:
$IP6TABLES -A INPUT -i $LAN_IF -j ACCEPT
$IP6TABLES -A OUTPUT -o $LAN_IF -j ACCEPT

# Allow Link-Local addresses
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
$IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
$IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT
$IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT

# Paranoia on ipv6 interface
$IP6TABLES -I INPUT -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I INPUT -i $WAN_IF -p udp -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p udp -j DROP

# Allow forwarding on ipv6 interface
$IP6TABLES -A FORWARD -m state --state NEW -i $LAN_IF -o $WAN_IF -s $SUBNETPREFIX -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
$IP6TABLES -N AllowICMPs
# Destination unreachable
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
$IP6TABLES -A INPUT -p icmpv6 -s $SIXXSTUNNEL -d $MYTUNNEL -j AllowICMPs

# SSH in
##$IP6TABLES -A FORWARD -i sixxs -p tcp -d <subnet-prefix>::5 --dport 22 -j ACCEPT

# Log
$IP6TABLES -A INPUT -j LOG --log-prefix "IPv6-INPUT:"
$IP6TABLES -A FORWARD -j LOG --log-prefix "IPv6-FORWARD:"
$IP6TABLES -A OUTPUT -j LOG --log-prefix "IPv6-OUTPUT:"
Replace

SUBNETPREFIX='your-prefix/48'
MYTUNNEL='see Your IPv6 on SIXXS'
SIXXSTUNNEL='see Pop IPv6 on SIXXS'

with your settings.

Last edited by f41thr; 12-29-2012 at 04:44 PM. Reason: Update FW script part (minor corrections)
Reply With Quote
The Following User Says Thank You to f41thr For This Useful Post:
  #12  
Old 12-28-2012, 06:42 AM
probutus probutus is offline
New Member
 
Join Date: Dec 2012
Posts: 6
Thanks: 3
Thanked 3 Times in 3 Posts
probutus is just starting out
Default

I'm currently having a hell of a time with integrating aiccu into rc... RMerlin was absolutely right that this would be the "fun part"....

Is there a chance to configure the IPv4/IPv6 firewall rules via webinterface?
Starting and stopping aiccu is one thing but having a customizable firewall is another...
Reply With Quote
  #13  
Old 12-29-2012, 11:27 AM
f41thr f41thr is offline
New Member
 
Join Date: Dec 2012
Posts: 5
Thanks: 3
Thanked 1 Time in 1 Post
f41thr is just starting out
Smile

Quote:
Originally Posted by probutus View Post
I'm currently having a hell of a time with integrating aiccu into rc... RMerlin was absolutely right that this would be the "fun part"....

Is there a chance to configure the IPv4/IPv6 firewall rules via webinterface?
Starting and stopping aiccu is one thing but having a customizable firewall is another...
Maybe I'm completely wrong, but have a look at jffs. Custom scripts can be placed there. aiccu and ipv6 FW can be configured per ssh. An autolauncher during startup make sense but everything else can be handled per ssh.

This is similar with impementations on OpenWRT, DD-WRT, etc...
SIXXS and AICCU is not such popular that ie. vendors spend much effort to integrate this. Look at Manual Kaspers M0n0wall, there you have a full web based integration.

But to have a look at rc coud be interessting I start to look into that, too.
Some ideas on that:

It could be much easier to create and add a few handsome static scripts in
~/asuswrt-merlin/release/src-rt/router/rc/ to launch ie. aiccu, radvd and the firewall. Or one script launchig all together.

The related config files can be placed either in jffs or /mnt/sda1/etc/config/
Scripts check if a config file exist and will be fired up. So there is no need to place defaults in NVRAM.
A feasable place for scripts is /etc/rc.d/

Question is how a script can be integrated, but this is an option of the Makefile in ../router

I just have an deeper look into the ip6tables configuration and I'll place an updated version soon (see also SIXXS WIKI later on).



Regards

F41THR

Last edited by f41thr; 12-29-2012 at 12:37 PM.
Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


All times are GMT -4. The time now is 06:13 AM.


Top 10 Stats
Top Posters* Top Thanked
RMerlin  393
stevech  148
KGB7  124
azazel1024  114
sfx2000  104
sinshiva  96
Kel-L  95
hggomes  82
fistv  80
john9527  69
RMerlin  5590
stevech  329
ryzhov_al  265
TeHashX  217
RogerSC  189
L&LD  189
sinshiva  143
joegreat  127
jlake  122
sfx2000  120
Most Viewed Threads* Hottest Threads*
Old Asuswrt-Merli...  77032
Old Asuswrt-Merli...  41227
Old [Fork]...  17014
Old Asus locking...  9975
Old ASUS...  7994
Old Incoming...  7824
Old Share What...  3631
Old Asuswrt-Merli...  2927
Old Asuswrt-Merli...  2461
Old Ac68u Latest...  2168
Old Asuswrt-Merli...  393
Old Asuswrt-Merli...  192
Old Asus locking...  125
Old [Fork]...  124
Old Connection...  51
Old [HOW TO]...  50
Old ASUS...  49
Old Incoming...  44
Old 376.44 -...  40
Old Use the same...  35


Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
© 2006-2014 Pudai LLC All Rights Reserved.