
os6.2 iptables entries question

dsm1212
Apprentice

os6.2 iptables entries question

I'm thinking of setting up knocking. I notice that the iptables on my os6.2 system has ACCEPT entries for the major ports used by the NAS (22, 80, 443, etc). There is no DROP rule so these entries are not really doing anything but I'm curious how they got there. On boot something must be setting these up but I cannot find it. Can someone point me to where that is?
Message 1 of 3
dsm1212
Apprentice

Re: os6.2 iptables entries question

No one? Well, I don't see where they are added but I poked around at the os6.2 configuration and it seems the box is using connman exclusively to set up the network. This means none of the scripts in /etc/network/if* are even invoked. The dbus connection is beyond me and I don't feel like researching it. So where's a good place to call iptables-restore? I can't find one so I'm thinking of adding a script to init.d since that has dependency rules.

There are not very many features built into os6.2 iptables, so all I can really do is close all non-LAN access to port 22 and then use knockd to open specific client machines. But without state or conntrack I have to leave them open and manually close later unless someone knows how to detect state with what is in os6.2.

steve
Message 2 of 3
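The init.d approach described in the post above, written out as an added example (this is not code from the thread or from NETGEAR): a small POSIX sh script that builds an iptables-restore ruleset which accepts port 22 from the LAN, hands other port-22 traffic to a dedicated KNOCK chain that knockd can insert rules into, and drops the rest. It uses only basic matches, no -m state or conntrack, to fit the limited os6.2 build. The LAN range 192.168.1.0/24, the interface name bond0 and the script path are assumptions; pass your own values as arguments or environment variables.

```shell
#!/bin/sh
# Added example, not from the forum thread.  Intended to live at a path such
# as /etc/init.d/firewall (assumed) and be run as "start" at boot.
# Assumptions: LAN is 192.168.1.0/24 and the NAS interface is bond0.

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"   # assumed LAN range, override as needed
IFACE="${IFACE:-bond0}"                   # interface name seen in the thread's rules

# build_rules LAN IFACE: print an iptables-restore ruleset on stdout.
# Port 22 is accepted from the LAN, then passed to the KNOCK chain that knockd
# fills in, and finally dropped.  Because the system only appends its default
# rules, anything it adds later lands after this DROP and cannot re-open 22.
build_rules() {
    lan="${1:-$LAN_CIDR}"
    iface="${2:-$IFACE}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:KNOCK - [0:0]
-A INPUT -i $iface -s $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $iface -p tcp --dport 22 -j KNOCK
-A INPUT -i $iface -p tcp --dport 22 -j DROP
COMMIT
EOF
}

# count_ssh_rules RULESET: number of INPUT rules in the text that match port 22
# (a quick self-check on the generated ruleset; prints the count on stdout).
count_ssh_rules() {
    printf '%s\n' "$1" | grep -c -- '^-A INPUT .*--dport 22 '
}

# apply_rules: load the ruleset atomically.  Needs root and iptables-restore.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    command -v iptables-restore >/dev/null 2>&1 \
        || { echo "apply_rules: iptables-restore not found" >&2; return 1; }
    build_rules "$LAN_CIDR" "$IFACE" | iptables-restore
}

# knockd can then add and remove per-client rules inside the KNOCK chain, e.g.
# (hypothetical knockd.conf lines, %IP% is knockd's own placeholder):
#   start_command = /sbin/iptables -I KNOCK -s %IP% -p tcp --dport 22 -j ACCEPT
#   stop_command  = /sbin/iptables -D KNOCK -s %IP% -p tcp --dport 22 -j ACCEPT
# flush_knock closes everything knocking opened, for the manual close step.
flush_knock() {
    [ "$(id -u)" -eq 0 ] || { echo "flush_knock: must run as root" >&2; return 1; }
    iptables -F KNOCK
}

main() {
    case "${1:-show}" in
        start) apply_rules ;;
        stop)  flush_knock ;;
        *)     build_rules "$LAN_CIDR" "$IFACE" ;;   # dry run: print the ruleset
    esac
}

main "$@"
```

Running the script with no argument prints the ruleset without touching the kernel, which is a convenient way to review it before wiring it into init.d. Note that deleting a client's KNOCK rule while it has an SSH session open will cut that session, since without conntrack there is no rule that recognises the established connection; that is the limitation the post describes, not something this script works around.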
dsm1212
Apprentice

Re: os6.2 iptables entries question

I did not find what was setting these default rules:

-A INPUT -i bond0
-A INPUT -i bond0 -p tcp -m tcp --dport 22
-A INPUT -i bond0 -p tcp -m tcp --sport 22
-A INPUT -i bond0 -p tcp -m tcp --dport 80
-A INPUT -i bond0 -p tcp -m tcp --sport 80
-A INPUT -i bond0 -p tcp -m tcp --dport 443
-A INPUT -i bond0 -p tcp -m tcp --sport 443
-A INPUT -i bond0 -p tcp -m tcp --dport 445
-A INPUT -i bond0 -p tcp -m tcp --sport 445
-A INPUT -i bond0 -p tcp -m tcp --dport 2049
-A INPUT -i bond0 -p tcp -m tcp --sport 2049
-A INPUT -i bond0 -p tcp -m tcp --dport 548
-A INPUT -i bond0 -p tcp -m tcp --sport 548
-A INPUT -i bond0 -p tcp -m tcp --dport 3260
-A INPUT -i bond0 -p tcp -m tcp --sport 3260
-A INPUT -i bond0 -p tcp -m tcp --dport 25
-A INPUT -i bond0 -p tcp -m tcp --sport 25
-A OUTPUT -o bond0
-A OUTPUT -o bond0 -p tcp -m tcp --sport 22
-A OUTPUT -o bond0 -p tcp -m tcp --dport 22
-A OUTPUT -o bond0 -p tcp -m tcp --sport 80
-A OUTPUT -o bond0 -p tcp -m tcp --dport 80
-A OUTPUT -o bond0 -p tcp -m tcp --sport 443
-A OUTPUT -o bond0 -p tcp -m tcp --dport 443
-A OUTPUT -o bond0 -p tcp -m tcp --sport 445
-A OUTPUT -o bond0 -p tcp -m tcp --dport 445
-A OUTPUT -o bond0 -p tcp -m tcp --sport 2049
-A OUTPUT -o bond0 -p tcp -m tcp --dport 2049
-A OUTPUT -o bond0 -p tcp -m tcp --sport 548
-A OUTPUT -o bond0 -p tcp -m tcp --dport 548
-A OUTPUT -o bond0 -p tcp -m tcp --sport 3260
-A OUTPUT -o bond0 -p tcp -m tcp --dport 3260
-A OUTPUT -o bond0 -p tcp -m tcp --sport 25
-A OUTPUT -o bond0 -p tcp -m tcp --dport 25

It seems that something on the system can re-add the default iptables rules. After a day or so I saw them reappear in iptables. Fortunately it appends them so they come after the ones I set up. If anyone has any clue what script/component in the system is setting them please let me know. I'm thinking it is buried in connman since I see connman has some iptables support in source code, but I haven't found where it is configured yet.

steve
Message 3 of 3
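Since the post above says the default rules reappear after a day or so, a way to notice when that happens (and to confirm that they really were appended after your own rules) is to keep a normalised baseline of iptables-save output and diff the live table against it. The script below is an added example, not code from the thread; the two iptables-save dumps in it are constructed for illustration, and the baseline file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the forum thread: report rules that appeared in the
# filter table since a saved baseline.  LC_ALL=C keeps sort and comm in step.
export LC_ALL=C
BASELINE_FILE="${BASELINE_FILE:-/root/iptables.baseline}"   # assumed location

# Constructed sample: the table right after loading your own ruleset.
BASELINE=$(cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [12:960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:640]
:KNOCK - [0:0]
-A INPUT -i bond0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 22 -j KNOCK
-A INPUT -i bond0 -p tcp -m tcp --dport 22 -j DROP
COMMIT
EOF
)

# Constructed sample: the same table a day later, with three of the default
# entries from the thread appended after the user's rules.
CURRENT=$(cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [5120:409600]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4800:384000]
:KNOCK - [0:0]
-A INPUT -i bond0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i bond0 -p tcp -m tcp --dport 22 -j KNOCK
-A INPUT -i bond0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i bond0
-A INPUT -i bond0 -p tcp -m tcp --dport 22
-A OUTPUT -o bond0
COMMIT
EOF
)

# normalise: drop counters, comments, table headers and COMMIT lines so that
# only policy and rule lines remain, sorted for a stable comparison.
normalise() {
    sed -e 's/ *\[[0-9]*:[0-9]*\]$//' -e '/^#/d' -e '/^\*/d' -e '/^COMMIT$/d' | sort
}

# rules_added BASELINE_TEXT CURRENT_TEXT: print lines present in CURRENT_TEXT
# but not in BASELINE_TEXT (comm -13 keeps only the second file's unique lines).
rules_added() {
    bf=$(mktemp) || return 1
    cf=$(mktemp) || { rm -f "$bf"; return 1; }
    printf '%s\n' "$1" | normalise > "$bf"
    printf '%s\n' "$2" | normalise > "$cf"
    comm -13 "$bf" "$cf"
    rm -f "$bf" "$cf"
}

# save_baseline: record the live table after loading your own rules (root only).
save_baseline() {
    command -v iptables-save >/dev/null 2>&1 || { echo "iptables-save not found" >&2; return 1; }
    iptables-save > "$BASELINE_FILE"
}

# check_live: compare the live table with the baseline; exit 1 if anything
# new turned up, so the script can be run from cron and its status acted on.
check_live() {
    [ -r "$BASELINE_FILE" ] || { echo "no baseline at $BASELINE_FILE" >&2; return 1; }
    command -v iptables-save >/dev/null 2>&1 || { echo "iptables-save not found" >&2; return 1; }
    added=$(rules_added "$(cat "$BASELINE_FILE")" "$(iptables-save)")
    [ -z "$added" ] && return 0
    printf 'rules added since baseline:\n%s\n' "$added" >&2
    return 1
}

# Demonstration on the constructed dumps: prints the three appended rules.
printf 'added in constructed sample:\n%s\n' "$(rules_added "$BASELINE" "$CURRENT")"
```

On a real system run `save_baseline` once as root right after your init.d script has loaded the rules, then call `check_live` from cron; a non-zero exit tells you the defaults are back. The comparison ignores rule order, so to confirm they were appended rather than inserted ahead of your DROP, look at the raw `iptables-save` output or `iptables -L INPUT -n --line-numbers` when the check fires.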