Sky BB router woes
OK. Getting closer.
Thanks to a Community Updates firmware version of 1.03.87, I was able to get telnet access to the Sky router in its new version. A bit of digging shows that, at the very least, there have been some changes to the firewall code. Here are the outputs from iptables --list on each version:
Old firmware:
#
# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REAIM_IN all -- anywhere anywhere
INPUT_UDP udp -- anywhere anywhere
INPUT_TCP tcp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
Chain FORWARD (policy DROP)
target prot opt source destination
HTTP tcp -- anywhere anywhere tcp dpt:80
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
FORWARD_UDP udp -- anywhere anywhere
FORWARD_TCP tcp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP icmp -- anywhere anywhere state INVALID
Chain ALGS (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain BLOCK (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `[BLOCK]'
REJECT tcp -- anywhere anywhere tcp dpt:80 reject-with http-block
DROP all -- anywhere anywhere
Chain CONCHK (1 references)
target prot opt source destination
Chain DOS (6 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere limit: avg 1/sec burst 4 tcp flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 1/sec burst 4
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 60
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP all -- anywhere anywhere
Chain FORWARD_TCP (1 references)
target prot opt source destination
ALGS tcp -- anywhere anywhere tcp spt:6701
ALGS tcp -- anywhere anywhere tcp spt:80
DOS tcp -- anywhere anywhere state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere
Chain FORWARD_UDP (1 references)
target prot opt source destination
DOS udp -- anywhere anywhere
RETURN udp -- anywhere anywhere
Chain HTTP (1 references)
target prot opt source destination
CONCHK all -- anywhere anywhere STRING match GET
Chain INPUT_TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere www.routerlogin.com tcp dpt:80
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
DOS tcp -- anywhere anywhere state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere
Chain INPUT_UDP (1 references)
target prot opt source destination
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
DOS udp -- anywhere anywhere
RETURN udp -- anywhere anywhere
Chain REAIM_IN (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:1863:1864
ACCEPT tcp -- anywhere anywhere tcp dpt:5566
ACCEPT tcp -- anywhere anywhere tcp dpt:5190
ACCEPT tcp -- anywhere anywhere tcp dpt:4443
ACCEPT tcp -- anywhere anywhere tcp dpts:40000:40099
ACCEPT tcp -- anywhere anywhere tcp dpt:1864
ACCEPT tcp -- anywhere anywhere tcp dpt:5566
ACCEPT tcp -- anywhere anywhere tcp dpt:5190
ACCEPT tcp -- anywhere anywhere tcp dpt:4443
ACCEPT udp -- anywhere anywhere udp dpts:40000:41000
Chain SCAN (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[PORT SCAN]'
DROP all -- anywhere anywhere
#
New firmware:
# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DOS udp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
PROXY all -- anywhere anywhere
LOCAL_SERVICE all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
OUT_FILTER all -- anywhere anywhere
CFILTER all -- anywhere anywhere
FW_BASIC all -- anywhere anywhere
IN_FILTER all -- anywhere anywhere
FW_UPNP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain BLOCK (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `[BLOCK] '
REJECT tcp -- anywhere anywhere tcp dpt:80 reject-with http-block
Chain CFILTER (1 references)
target prot opt source destination
HTTP tcp -- anywhere anywhere tcp dpt:80 flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match GET
HTTP tcp -- anywhere anywhere tcp dpt:80 flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match POST
HTTP tcp -- anywhere anywhere tcp dpt:80 flags:FIN,SYN,RST,PSH,ACK,URG/PSH,ACK STRING match HEAD
Chain DOS (6 references)
target prot opt source destination
RETURN all -- anywhere anywhere
SCAN all -- anywhere anywhere psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
RETURN tcp -- anywhere anywhere limit: avg 100/sec burst 100 tcp flags:SYN,RST,ACK/SYN
RETURN udp -- anywhere anywhere limit: avg 100/sec burst 100
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 60
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[DOS] '
DROP all -- anywhere anywhere
Chain FW_BASIC (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DOS udp -- anywhere anywhere
DOS icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere MARK match 0x2511
ACCEPT all -- anywhere anywhere
Chain FW_UPNP (1 references)
target prot opt source destination
Chain HTTP (3 references)
target prot opt source destination
Chain IN_FILTER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain LOCAL_SERVICE (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere MARK match 0x2511
ACCEPT tcp -- anywhere www.routerlogin.com tcp dpt:80
ACCEPT icmp -- anywhere anywhere
Chain OUT_FILTER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain PROXY (1 references)
target prot opt source destination
Chain SCAN (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `[PORT SCAN] '
DROP all -- anywhere anywhere
I'm no iptables expert, but maybe someone can help: why does this one not forward packets between the internet and a machine on a different subnet behind a gateway on the LAN side?
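Rather than comparing the two listings by eye, the FORWARD path of the new firmware can be traced through its nested chains (OUT_FILTER, FW_BASIC, IN_FILTER and so on). The following is an added Python example, not code from the post or from the router's own software: it parses `iptables --list` text, fed here with cut-down excerpts of the two listings above, and lists which user chains a packet entering FORWARD can be jumped into.

```python
import re
# Constructed input: cut-down excerpts of the two listings in the post, wrapped lines re-joined.
OLD_FW = """Chain FORWARD (policy DROP)
target prot opt source destination
HTTP tcp -- anywhere anywhere tcp dpt:80
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
FORWARD_TCP tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
Chain FORWARD_TCP (1 references)
DOS tcp -- anywhere anywhere state INVALID,NEW tcp flags:SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere"""
NEW_FW = """Chain FORWARD (policy DROP)
OUT_FILTER all -- anywhere anywhere
FW_BASIC all -- anywhere anywhere
IN_FILTER all -- anywhere anywhere
Chain FW_BASIC (1 references)
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DOS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere MARK match 0x2511
ACCEPT all -- anywhere anywhere
Chain IN_FILTER (1 references)
RETURN all -- anywhere anywhere
Chain OUT_FILTER (1 references)
RETURN all -- anywhere anywhere"""
CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}  # verdicts, not jumps to user chains

def parse_iptables_list(text):
    """Return {chain: {"policy": str|None, "rules": [(target, prot, src, dst, match)]}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # built-in chains print a policy, user chains print a reference count
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}
        elif cur and line.strip() and not line.startswith("target"):  # skip column header
            target, prot, _opt, src, dst, *rest = line.split()
            chains[cur]["rules"].append((target, prot, src, dst, " ".join(rest)))
    return chains

def reachable_chains(chains, start):
    """User chains a packet entering `start` can be jumped into (depth-first, unknown targets skipped)."""
    seen, stack = [], [start]
    while stack:
        name = stack.pop()
        if name in seen or name not in chains:
            continue
        seen.append(name)
        stack.extend(r[0] for r in chains[name]["rules"]
                     if r[0] not in TERMINAL and r[0] in chains)
    return seen
```

Note that `iptables --list` omits the in/out interface columns and several match details, so the repeated `ACCEPT all -- anywhere anywhere` rules cannot be told apart from this output alone. `iptables -L -v -n` (or `iptables-save`, if the router ships it) shows the `-i`/`-o` constraints that decide whether traffic for a second subnet behind a LAN-side gateway is accepted.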