SmallNetBuilder Forums > Wireless Networking > ASUS Wireless > Asuswrt-Merlin

#11
12-27-2012, 12:01 PM
f41thr
Update

Confirmed: ASUS RT-N16 works fine with Merlin firmware.
Might have some issues I'll report later.

With support from Protubus, we made the AICCU integration.
After a few mails between Protubus and me I finally made it. And I have some recommendations on FW security. See the script below
(manual load of conntrack and logging). This is not the final one; a more sophisticated one will be made available later this month.

Following my experience with pf on OpenBSD, it can be simplified later on! Even with ip6tables!

So primarily thanks to Merlin for the Merlin firmware for ASUS routers, and then to Protubus for the AICCU integration.

cu F41THR

Quote:
#!/bin/sh
# IPv6 tunnel (SixXS/aiccu) bring-up and ip6tables firewall for Asuswrt-Merlin.
# Replace the SUBNETPREFIX/MYTUNNEL/SIXXSTUNNEL values and the br0 address below.

# Enable IPv6 and forwarding (the router routes between br0 and the tunnel)
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

# Bring up the tunnel, give the LAN bridge an address out of the routed subnet
# ('add' is required for an IPv6 address; without it ifconfig treats the argument
# as an IPv4 host name) and start radvd so LAN hosts autoconfigure from that prefix
aiccu start /jffs/configs/aiccu.conf
ifconfig br0 add 2001:XXXX:XXXX::1/64
radvd -C /jffs/configs/radvd.conf -u admin

#
# !!!!! load conntrack manually: the -m state rules below match nothing without it
#
insmod /lib/modules/2.6.22.19/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko

# Definitions
IP6TABLES='/usr/sbin/ip6tables'

WAN_IF='sixxs'
LAN_IF='br0'

SUBNETPREFIX='2001:4dd0:ff00:8ab8::/48'   # routed subnet; also the anti-spoofing source check
MYTUNNEL='2001:4dd0:ff00:ab8::2'          # our end of the tunnel
SIXXSTUNNEL='2001:4dd0:ff00:ab8::1'       # PoP end of the tunnel

# Start from an empty filter table (-F flushes all chains, -X removes user chains)
$IP6TABLES -F
$IP6TABLES -X

# DROP everything that no rule below accepts explicitly
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP

# Filter all packets that have RH0 headers (deprecated type 0 routing header):
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
$IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
$IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow anything on the loopback interface
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet
$IP6TABLES -A OUTPUT -o $WAN_IF -j ACCEPT
# Allow established, related packets back in; without this rule the router's own
# outbound IPv6 sessions (ping6, ntp, ...) never get an answer
$IP6TABLES -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the local net to access us:
$IP6TABLES -A INPUT -i $LAN_IF -j ACCEPT
$IP6TABLES -A OUTPUT -o $LAN_IF -j ACCEPT

# Allow link-local addresses (neighbour discovery, router solicitations)
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
$IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
$IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT
$IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT

# Paranoia on the tunnel interface: refuse new inbound sessions before anything
# else is evaluated (-I puts these rules at the top of the chain). Only NEW UDP
# is dropped; a plain UDP drop at the top would also kill DNS and NTP replies to
# sessions the LAN opened, because it is evaluated before the ESTABLISHED,RELATED rules.
$IP6TABLES -I INPUT -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I INPUT -i $WAN_IF -p udp -m state --state NEW -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p udp -m state --state NEW -j DROP

# Allow forwarding from the LAN out through the tunnel, only from our own prefix (anti-spoofing)
$IP6TABLES -A FORWARD -m state --state NEW -i $LAN_IF -o $WAN_IF -s $SUBNETPREFIX -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow some special ICMPv6 packet types, in an extra chain because we need it everywhere
$IP6TABLES -N AllowICMPs
# Destination unreachable
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (rate limited against floods)
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link the chain into INPUT and FORWARD (OUTPUT allows everything anyway). Match on
# the destination rather than on the PoP as source: Packet Too Big and Time Exceeded
# are sent by whichever router on the path hit the problem, and dropping them breaks
# path MTU discovery through the (smaller MTU) tunnel for the router and the LAN.
$IP6TABLES -A INPUT -i $WAN_IF -d $MYTUNNEL -p icmpv6 -j AllowICMPs
$IP6TABLES -A FORWARD -i $WAN_IF -d $SUBNETPREFIX -p icmpv6 -j AllowICMPs

# SSH in
##$IP6TABLES -A FORWARD -i sixxs -p tcp -d <subnet-prefix>::5 --dport 22 -j ACCEPT

# Log what falls through to the DROP policies, rate limited so a flood cannot fill the log
$IP6TABLES -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPv6-INPUT:"
$IP6TABLES -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPv6-FORWARD:"
$IP6TABLES -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPv6-OUTPUT:"

Replace

SUBNETPREFIX='your-prefix/48'
MYTUNNEL='see Your IPv6 on SIXXS'
SIXXSTUNNEL='see Pop IPv6 on SIXXS'

with your settings.

Last edited by f41thr; 12-29-2012 at 04:44 PM. Reason: Update FW script part (minor corrections)
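A check for the pitfalls a ruleset like the one above tends to have, added here as an example and not part of f41thr's post: it audits a saved `ip6tables -S` dump for default-DROP policies, a return-traffic rule in both INPUT and FORWARD, a blanket UDP drop inserted above that rule, ICMPv6 Packet Too Big reaching the LAN, and LOG rules without a rate limit. The interface name sixxs is taken from the script; the two sample dumps are constructed for the example with documentation prefixes (2001:db8::/32) in the exact form `ip6tables -S` prints (protocol spelled `ipv6-icmp`, type match as `-m icmp6 --icmpv6-type N`), not captured from a router.

```shell
#!/bin/sh
# Added example (not from the original post): audit a saved ip6tables ruleset,
# i.e. the output of `ip6tables -S`, for the mistakes that most often break an
# IPv6 tunnel behind default-DROP policies. The WAN interface name "sixxs" comes
# from the script above; both sample dumps below are constructed for this example
# (documentation prefixes, 2001:db8::/32) and were not captured from a router.

WAN_IF="${WAN_IF:-sixxs}"

ok()   { echo "OK   $1"; }
fail() { echo "FAIL $1"; fails=$((fails + 1)); }

# audit_ruleset <dump-file>: prints one line per check, returns the number of failed checks.
audit_ruleset() {
    rules="$1"
    fails=0

    # 1. Every built-in chain must default to DROP.
    for chain in INPUT FORWARD OUTPUT; do
        if grep -q "^-P $chain DROP$" "$rules"; then ok "policy $chain DROP"
        else fail "policy $chain is not DROP"; fi
    done

    # 2. Replies to sessions opened by the router (INPUT) and by LAN hosts (FORWARD).
    for chain in INPUT FORWARD; do
        if grep -q "^-A $chain .*--state ESTABLISHED,RELATED .*-j ACCEPT" "$rules"; then
            ok "$chain accepts ESTABLISHED,RELATED"
        else fail "$chain has no ESTABLISHED,RELATED accept, replies are dropped"; fi
    done

    # 3. An unconditional UDP drop from the WAN that sits above the ESTABLISHED accept
    #    in FORWARD (what `ip6tables -I` produces) also eats DNS/NTP replies to the LAN.
    drop_line=$(grep -n "^-A FORWARD -i $WAN_IF -p udp -j DROP$" "$rules" | head -n 1 | cut -d: -f1)
    est_line=$(grep -n "^-A FORWARD .*--state ESTABLISHED,RELATED .*-j ACCEPT" "$rules" | head -n 1 | cut -d: -f1)
    if [ -n "$drop_line" ] && { [ -z "$est_line" ] || [ "$drop_line" -lt "$est_line" ]; }; then
        fail "UDP drop from $WAN_IF precedes the ESTABLISHED accept in FORWARD"
    else ok "no UDP drop shadows return traffic in FORWARD"; fi

    # 4. ICMPv6 Packet Too Big (type 2) must reach LAN hosts, or path MTU discovery
    #    fails across the smaller-MTU tunnel. Follow FORWARD's ICMPv6 jumps into user
    #    chains, because most scripts accept ICMPv6 in a helper chain.
    chains="FORWARD $(sed -n 's/^-A FORWARD .*-p ipv6-icmp .*-j \([A-Za-z0-9_]*\)$/\1/p' "$rules")"
    ptb=0
    for c in $chains; do
        grep -q "^-A $c .*--icmpv6-type 2 .*-j ACCEPT" "$rules" && ptb=1
    done
    if [ "$ptb" -eq 1 ]; then ok "FORWARD accepts ICMPv6 Packet Too Big"
    else fail "FORWARD never accepts ICMPv6 Packet Too Big (PMTUD breaks)"; fi

    # 5. A LOG rule without -m limit lets anyone on the Internet fill the log at will.
    if grep "^-A .* -j LOG" "$rules" | grep -qv -- "-m limit"; then
        fail "LOG rule without -m limit"
    else ok "all LOG rules are rate limited"; fi

    return "$fails"
}

# Constructed dump with the weak points of a naive ruleset: no return-traffic rule
# in INPUT, a blanket UDP drop on top of FORWARD, no ICMPv6 in FORWARD, raw LOG rules.
write_sample_bad() {
    cat > "$1" <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N AllowICMPs
-A INPUT -s 2001:db8:ff00:ab8::1/128 -d 2001:db8:ff00:ab8::2/128 -p ipv6-icmp -j AllowICMPs
-A INPUT -j LOG --log-prefix "IPv6-INPUT:"
-A FORWARD -i sixxs -p udp -j DROP
-A FORWARD -s 2001:db8:8ab8::/48 -i br0 -o sixxs -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "IPv6-FORWARD:"
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
EOF
}
# Constructed dump of the hardened form of the same ruleset.
write_sample_good() {
    cat > "$1" <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N AllowICMPs
-A INPUT -i sixxs -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i sixxs -p ipv6-icmp -j AllowICMPs
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPv6-INPUT:"
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i sixxs -p udp -m state --state NEW -j DROP
-A FORWARD -i sixxs -p ipv6-icmp -j AllowICMPs
-A FORWARD -s 2001:db8:8ab8::/48 -i br0 -o sixxs -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPv6-FORWARD:"
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
EOF
}

# Stand-alone run: audit both samples (on a router: ip6tables -S > /tmp/r; audit_ruleset /tmp/r).
tmp=$(mktemp -d); write_sample_bad "$tmp/bad.rules"; write_sample_good "$tmp/good.rules"
for f in bad good; do echo "== $f ruleset"; audit_ruleset "$tmp/$f.rules" || echo "-> $? check(s) failed"; done
rm -rf "$tmp"
```

The naive dump fails four of the five checks (only the policies pass); the hardened dump passes all of them. On the router itself, save the live table with `ip6tables -S > /jffs/ip6.rules` and call `audit_ruleset /jffs/ip6.rules` after each change to the script.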
#12
12-28-2012, 06:42 AM
probutus

I'm currently having a hell of a time integrating aiccu into rc... RMerlin was absolutely right that this would be the "fun part"....

Is there a chance to configure the IPv4/IPv6 firewall rules via the web interface?
Starting and stopping aiccu is one thing, but having a customizable firewall is another...
#13
12-29-2012, 11:27 AM
f41thr

Quote:
Originally Posted by probutus
I'm currently having a hell of a time integrating aiccu into rc... RMerlin was absolutely right that this would be the "fun part"....

Is there a chance to configure the IPv4/IPv6 firewall rules via the web interface?
Starting and stopping aiccu is one thing, but having a customizable firewall is another...
Maybe I'm completely wrong, but have a look at jffs. Custom scripts can be placed there. aiccu and the IPv6 FW can be configured via ssh. An autolauncher during startup makes sense, but everything else can be handled via ssh.

This is similar to the implementations on OpenWRT, DD-WRT, etc...
SIXXS and AICCU are not so popular that e.g. vendors spend much effort to integrate this. Look at Manuel Kasper's m0n0wall; there you have a full web-based integration.

But having a look at rc could be interesting; I'll start to look into that, too.
Some ideas on that:

It could be much easier to create and add a few handy static scripts in
~/asuswrt-merlin/release/src-rt/router/rc/ to launch e.g. aiccu, radvd and the firewall. Or one script launching all together.

The related config files can be placed either in jffs or /mnt/sda1/etc/config/.
The scripts check whether a config file exists and fire it up. So there is no need to place defaults in NVRAM.
A feasible place for scripts is /etc/rc.d/

The question is how a script can be integrated, but this is an option of the Makefile in ../router

I'm just having a deeper look into the ip6tables configuration and I'll post an updated version soon (see also the SIXXS wiki later on).



Regards

F41THR

Last edited by f41thr; 12-29-2012 at 12:37 PM.
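A launcher in the shape f41thr sketches above, added as an example and not code from the post or from Asuswrt-Merlin, meant to live in /jffs/scripts and be called with `start` from whichever startup hook the firmware build offers (assumed to exist). It refuses to start when a config file is missing or when aiccu.conf, which carries the SixXS username and password, is readable by others, and it loads the firewall before forwarding is enabled and before the tunnel comes up, so the tunnel never forwards under the kernel's default ACCEPT policies. The config paths, the conntrack module path and the daemon arguments are assumptions copied from the script in post #11; ip6fw.sh is assumed to hold only the ip6tables rules. `check` runs the whole sequence in dry-run mode so the order can be inspected without touching the router.

```shell
#!/bin/sh
# Added example, not code from the post or from Asuswrt-Merlin: an IPv6 launcher
# for /jffs/scripts. Paths, module path and daemon arguments are assumptions
# copied from the script in post #11; ip6fw.sh is assumed to contain only the
# ip6tables rules. Usage: ipv6-launch.sh start | check   (check = dry run)

AICCU_CONF="${AICCU_CONF:-/jffs/configs/aiccu.conf}"
RADVD_CONF="${RADVD_CONF:-/jffs/configs/radvd.conf}"
FW_SCRIPT="${FW_SCRIPT:-/jffs/scripts/ip6fw.sh}"
CONNTRACK6="/lib/modules/2.6.22.19/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko"
RUN_LOG="${RUN_LOG:-/tmp/ipv6-launch.log}"   # written only in DRY_RUN=1 mode

# run CMD...: execute the command, or with DRY_RUN=1 just record its command line.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*" >> "$RUN_LOG"; else "$@"; fi
}

# check_configs: 0 only if every file exists and the credential file is private.
check_configs() {
    rc=0
    for f in "$AICCU_CONF" "$RADVD_CONF" "$FW_SCRIPT"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; rc=1; }
    done
    # aiccu.conf holds the SixXS password: refuse to start while others can read it.
    if [ -f "$AICCU_CONF" ] && [ -n "$(find "$AICCU_CONF" -perm -004)" ]; then
        echo "refusing to start: $AICCU_CONF is world-readable" >&2; rc=1
    fi
    return $rc
}

# ipv6_up: bring the stack up in an order that never exposes the LAN unfiltered.
ipv6_up() {
    check_configs || return 1
    run insmod "$CONNTRACK6" 2>/dev/null || true   # conntrack before any -m state rule
    run sh "$FW_SCRIPT"                            # DROP policies and rules first
    run sh -c 'echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6'
    run sh -c 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding'
    run aiccu start "$AICCU_CONF"                  # tunnel comes up behind the firewall
    run radvd -C "$RADVD_CONF" -u admin            # advertise the prefix to the LAN last
}

# started_in_order: after a dry run, confirm the firewall was loaded before aiccu.
started_in_order() {
    fw=$(grep -n "^sh $FW_SCRIPT" "$RUN_LOG" | head -n 1 | cut -d: -f1)
    tun=$(grep -n "^aiccu start" "$RUN_LOG" | head -n 1 | cut -d: -f1)
    [ -n "$fw" ] && [ -n "$tun" ] && [ "$fw" -lt "$tun" ]
}

case "${1:-}" in
    start) ipv6_up ;;
    check) DRY_RUN=1; : > "$RUN_LOG"; ipv6_up && started_in_order && cat "$RUN_LOG" ;;
esac
```

The dry run records six command lines; `check` prints them only if the config checks pass and the firewall line precedes the aiccu line. The world-readable test uses `find -perm -004`, which busybox supports, rather than `stat`, whose flags differ between busybox and GNU.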