Rob's Ramblings

Tuesday 10 June 2008

Sky BB router woes

OK. Geting closer.

Thanks to a Commnuity Updates firmware version of 1.03.87, I was able to get telnet access to the Sky router in it's new version. A bit of digging shows that, at very least, there has been some changes to the firewall code. Here's the outputs from iptables --list on each version:

Old firmware:


#
# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REAIM_IN all -- anywhere anywhere
INPUT_UDP udp -- anywhere anywhere
INPUT_TCP tcp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination
HTTP tcp -- anywhere anywhere tcp dpt:80
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
FORWARD_UDP udp -- anywhere anywhere
FORWARD_TCP tcp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP icmp -- anywhere anywhere state INVALID

Chain ALGS (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain BLOCK (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `[BLOCK]'
REJECT tcp -- anywhere anywhere tcp dpt:80 reject-with http-block
DROP all -- anywhere anywhere

Chain CONCHK (1 references)
target prot opt source destination

Chain DOS (6 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere limit: avg 1/sec burst 4 tcp flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 1/sec burst 4
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 60
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP all -- anywhere anywhere

Chain FORWARD_TCP (1 references)
target prot opt source destination
ALGS tcp -- anywhere anywhere tcp spt:6701
ALGS tcp -- anywhere anywhere tcp spt:80
DOS tcp -- anywhere anywhere state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere

Chain FORWARD_UDP (1 references)
target prot opt source destination
DOS udp -- anywhere anywhere
RETURN udp -- anywhere anywhere

Chain HTTP (1 references)
target prot opt source destination
CONCHK all -- anywhere anywhere STRING match GET

Chain INPUT_TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere www.routerlogin.comtcp dpt:80
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-

ports-weight: 1
DOS tcp -- anywhere anywhere state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere

Chain INPUT_UDP (1 references)
target prot opt source destination
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-

ports-weight: 1
DOS udp -- anywhere anywhere
RETURN udp -- anywhere anywhere

Chain REAIM_IN (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:1863:1864
ACCEPT tcp -- anywhere anywhere tcp dpt:5566
ACCEPT tcp -- anywhere anywhere tcp dpt:5190
ACCEPT tcp -- anywhere anywhere tcp dpt:4443
ACCEPT tcp -- anywhere anywhere tcp dpts:40000:40099

ACCEPT tcp -- anywhere anywhere tcp dpt:1864
ACCEPT tcp -- anywhere anywhere tcp dpt:5566
ACCEPT tcp -- anywhere anywhere tcp dpt:5190
ACCEPT tcp -- anywhere anywhere tcp dpt:4443
ACCEPT udp -- anywhere anywhere udp dpts:40000:41000


Chain SCAN (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[PORT SCAN]'
DROP all -- anywhere anywhere
#


New Firmware

# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DOS udp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
PROXY all -- anywhere anywhere
LOCAL_SERVICE all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
OUT_FILTER all -- anywhere anywhere
CFILTER all -- anywhere anywhere
FW_BASIC all -- anywhere anywhere
IN_FILTER all -- anywhere anywhere
FW_UPNP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain BLOCK (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `[BLOCK] '
REJECT tcp -- anywhere anywhere tcp dpt:80 reject-with http-block

Chain CFILTER (1 references)
target prot opt source destination
HTTP tcp -- anywhere anywhere tcp dpt:80

flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match GET
HTTP tcp -- anywhere anywhere tcp dpt:80

flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match POST
HTTP tcp -- anywhere anywhere tcp dpt:80

flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match HEAD

Chain DOS (6 references)
target prot opt source destination
RETURN all -- anywhere anywhere
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-

ports-weight: 3 hi-ports-weight: 1
RETURN tcp -- anywhere anywhere limit: avg 100/sec burst 100 tcp

flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 100/sec burst 100
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 60
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `

[DOS] '
DROP all -- anywhere anywhere

Chain FW_BASIC (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to

PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DOS udp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere MARK match 0x2511
ACCEPT all -- anywhere anywhere

Chain FW_UPNP (1 references)
target prot opt source destination

Chain HTTP (3 references)
target prot opt source destination

Chain IN_FILTER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain LOCAL_SERVICE (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere MARK match 0x2511
ACCEPT tcp -- anywhere www.routerlogin.comtcp dpt:80
ACCEPT icmp -- anywhere anywhere

Chain OUT_FILTER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain PROXY (1 references)
target prot opt source destination

Chain SCAN (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `

[PORT SCAN] '
DROP all -- anywhere anywhere



I'm no iptables expert, but maybe someone can help - why does this one not forward packets between the internet and machine on a different subnet behind a gateway on the LAN side??

Labels: , , ,

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]



<< Home