TomatoUSB

Using shibby 101 build,

The admin-> firewall scripts, do not seem to be applied.

Even adding basic rules to drop all incoming outgoing and forwards do not seem to do anything.
if i ssh into the router and add the rules manually then they do show in the rules table.

I wonder if those firewall scripts are meant to be ran when the iptables are first initialized at boot?

Try creating your rules in the firewall portion of the scripts page like you have and save them.

Then restart the router… Check to see if they are now active.

If they are, from now on when you want to make a new rule, put it into the firewall scripts page then manually add it via ssh or the Tools: System page.
If not, then more troubleshooting is ahead.

Heres my output of the table iptables -I FORWARD 1 -p tcp —dport 443 -j REJECT —reject-with tcp-reset

using the scripts page the rule does apply, but not to my virtual wireless.

as a system command applies to both networks.

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp — !192.168.1.10 anywhere tcp dpt:https
DROP all — anywhere anywhere state INVALID
ACCEPT all — anywhere anywhere state RELATED,ESTABLISHED
shlimit tcp — anywhere anywhere tcp dpt:ssh state NEW
ACCEPT all — anywhere anywhere
ACCEPT all — anywhere anywhere
ACCEPT all — anywhere anywhere
ACCEPT udp — anywhere anywhere udp spt:bootps dpt:bootpc

Chain FORWARD (policy DROP)
target prot opt source destination
NoCat all — anywhere anywhere
REJECT tcp — anywhere anywhere tcp dpt:https reject-with tcp-reset
all — anywhere anywhere account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
all — anywhere anywhere account: network/netmask: 10.2.1.0/255.255.255.0 name: lan1
ACCEPT all — anywhere anywhere
ACCEPT all — anywhere anywhere
DROP all — anywhere anywhere state INVALID
TCPMSS tcp — anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
restrict all — anywhere anywhere
monitor all — anywhere anywhere
ACCEPT all — anywhere anywhere state RELATED,ESTABLISHED
DROP all — anywhere anywhere
DROP all — anywhere anywhere
wanin all — anywhere anywhere
wanout all — anywhere anywhere
ACCEPT all — anywhere anywhere
ACCEPT all — anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain NoCat (1 references)
target prot opt source destination
NoCat_Upload all — anywhere anywhere
NoCat_Download all — anywhere anywhere
NoCat_Ports all — anywhere anywhere
NoCat_Inbound all — anywhere anywhere
ACCEPT all — 10.2.1.0/24 anywhere MARK match 0x1
ACCEPT all — 10.2.1.0/24 anywhere MARK match 0x2
ACCEPT all — 10.2.1.0/24 anywhere MARK match 0x3
ACCEPT tcp — 10.2.1.0/24 unknown tcp dpt:www
ACCEPT tcp — 10.2.1.0/24 unknown tcp dpt:https
ACCEPT tcp — anywhere 10.2.1.0/24 tcp spt:domain
ACCEPT tcp — 10.2.1.0/24 anywhere tcp dpt:domain
ACCEPT udp — anywhere 10.2.1.0/24 udp spt:domain
ACCEPT udp — 10.2.1.0/24 anywhere udp dpt:domain
DROP all — anywhere anywhere
DROP all — anywhere anywhere

Chain NoCat_Download (1 references)
target prot opt source destination
RETURN all — anywhere 10.2.1.170

Chain NoCat_Inbound (1 references)
target prot opt source destination
ACCEPT all — anywhere 10.2.1.170 state RELATED,ESTABLISHED

Chain NoCat_Ports (1 references)
target prot opt source destination
DROP tcp — anywhere anywhere tcp dpt:1863 MARK match 0x3
DROP udp — anywhere anywhere udp dpt:1863 MARK match 0x3

Chain NoCat_Upload (1 references)
target prot opt source destination
RETURN all — 10.2.1.170 anywhere

Chain monitor (1 references)
target prot opt source destination
RETURN tcp — anywhere anywhere WEBMON —max_domains 300 —max_searches 300

Chain rdev01 (1 references)
target prot opt source destination
rres01 all — anywhere anywhere [goto] source IP range 10.2.1.100-10.2.1.255

Chain restrict (1 references)
target prot opt source destination
rdev01 all — anywhere anywhere

Chain rres01 (1 references)
target prot opt source destination
DROP tcp — anywhere anywhere multiport dports tcpmux:52,54:finger,81:442
DROP udp — anywhere anywhere multiport dports 1:52,54:79,81:442
DROP all — anywhere anywhere destination IP range 192.168.1.1-192.168.1.255
DROP tcp — anywhere anywhere multiport dports snpp:5279,5281:59999
DROP udp — anywhere anywhere multiport dports snpp:5279,5281:59999

Chain shlimit (1 references)
target prot opt source destination
all — anywhere anywhere recent: SET name: shlimit side: source
DROP all — anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain wanin (1 references)
target prot opt source destination

Chain wanout (1 references)
target prot opt source destination

Heres the output if added via the console.

I think the problems may be down to the order of the rules.

NoCat is applied to the virtual, the interface which the firewall script doesn't apply to.

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp — !192.168.1.10 anywhere tcp dpt:https
DROP all — anywhere anywhere state INVALID
ACCEPT all — anywhere anywhere state RELATED,ESTABLISHED
shlimit tcp — anywhere anywhere tcp dpt:ssh state NEW
ACCEPT all — anywhere anywhere
ACCEPT all — anywhere anywhere
ACCEPT all — anywhere anywhere
ACCEPT udp — anywhere anywhere udp spt:bootps dpt:bootpc

Chain FORWARD (policy DROP)
target prot opt source destination
REJECT tcp — anywhere anywhere tcp dpt:https reject-with tcp-reset
NoCat all — anywhere anywhere
all — anywhere anywhere account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
all — anywhere anywhere account: network/netmask: 10.2.1.0/255.255.255.0 name: lan1
ACCEPT all — anywhere anywhere
ACCEPT all — anywhere anywhere
DROP all — anywhere anywhere state INVALID
TCPMSS tcp — anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
restrict all — anywhere anywhere
monitor all — anywhere anywhere
ACCEPT all — anywhere anywhere state RELATED,ESTABLISHED
DROP all — anywhere anywhere
DROP all — anywhere anywhere
wanin all — anywhere anywhere
wanout all — anywhere anywhere
ACCEPT all — anywhere anywhere
ACCEPT all — anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain NoCat (1 references)
target prot opt source destination
NoCat_Upload all — anywhere anywhere
NoCat_Download all — anywhere anywhere
NoCat_Ports all — anywhere anywhere
NoCat_Inbound all — anywhere anywhere
ACCEPT all — 10.2.1.0/24 anywhere MARK match 0x1
ACCEPT all — 10.2.1.0/24 anywhere MARK match 0x2
ACCEPT all — 10.2.1.0/24 anywhere MARK match 0x3
ACCEPT tcp — 10.2.1.0/24 unknown tcp dpt:www
ACCEPT tcp — 10.2.1.0/24 unknown tcp dpt:https
ACCEPT tcp — anywhere 10.2.1.0/24 tcp spt:domain
ACCEPT tcp — 10.2.1.0/24 anywhere tcp dpt:domain
ACCEPT udp — anywhere 10.2.1.0/24 udp spt:domain
ACCEPT udp — 10.2.1.0/24 anywhere udp dpt:domain
DROP all — anywhere anywhere
DROP all — anywhere anywhere

Chain NoCat_Download (1 references)
target prot opt source destination
RETURN all — anywhere 10.2.1.170

Chain NoCat_Inbound (1 references)
target prot opt source destination
ACCEPT all — anywhere 10.2.1.170 state RELATED,ESTABLISHED

Chain NoCat_Ports (1 references)
target prot opt source destination
DROP tcp — anywhere anywhere tcp dpt:1863 MARK match 0x3
DROP udp — anywhere anywhere udp dpt:1863 MARK match 0x3

Chain NoCat_Upload (1 references)
target prot opt source destination
RETURN all — 10.2.1.170 anywhere

Chain monitor (1 references)
target prot opt source destination
RETURN tcp — anywhere anywhere WEBMON —max_domains 300 —max_searches 300

Chain rdev01 (1 references)
target prot opt source destination
rres01 all — anywhere anywhere [goto] source IP range 10.2.1.100-10.2.1.255

Chain restrict (1 references)
target prot opt source destination
rdev01 all — anywhere anywhere

Chain rres01 (1 references)
target prot opt source destination
DROP tcp — anywhere anywhere multiport dports tcpmux:52,54:finger,81:442
DROP udp — anywhere anywhere multiport dports 1:52,54:79,81:442
DROP all — anywhere anywhere destination IP range 192.168.1.1-192.168.1.255
DROP tcp — anywhere anywhere multiport dports snpp:5279,5281:59999
DROP udp — anywhere anywhere multiport dports snpp:5279,5281:59999

Chain shlimit (1 references)
target prot opt source destination
all — anywhere anywhere recent: SET name: shlimit side: source
DROP all — anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain wanin (1 references)
target prot opt source destination

Chain wanout (1 references)
target prot opt source destination