0 votes
1,412 views 4 comments
by anonymous

I am not sure how to raise a support request with Teltonika, but I can't make sense of this: in the iptables -S output below, the "-P INPUT DROP" should be "-P INPUT REJECT", I believe, as I have set the default firewall policy INPUT to REJECT.

❯ ssh SYD-RUT950
Warning: Permanently added '192.168.16.1' (RSA) to the list of known hosts.


BusyBox v1.30.1 () built-in shell (ash)

   ____        _    ___  ____        _(_)_
  |  _ \ _   _| |_ / _ \/ ___|      (_)@(_)
  | |_) | | | | __| | | \___ \       /(_)
  |  _ <| |_| | |_| |_| |___) |    \|/
  |_| \_\\__,_|\__|\___/|____/     \|/

Teltonika RUT9XX 2014 - 2019

root@SYD_RUT950:~#
root@SYD_RUT950:~#
root@SYD_RUT950:~#
root@SYD_RUT950:~# iptables -S INPUT
-P INPUT DROP
-A INPUT -j delegate_input
root@SYD_RUT950:~#
by anonymous

I believe the issue could be here:

-A zone_vpn_input -j zone_vpn_src_ACCEPT

should be

-A zone_vpn_input -j zone_vpn_src_REJECT

Given that the UI source zone forwarding for the openvpn zone is set to REJECT:

root@SYD_RUT950:~# iptables -S zone_vpn_input
-N zone_vpn_input
-A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
-A zone_vpn_input -p tcp -m tcp --dport 80 -m comment --comment "Allow-VPN to RUT950 UI" -j ACCEPT
-A zone_vpn_input -p tcp -m tcp --dport 443 -m comment --comment "Allow-VPN to RUT950 UI" -j ACCEPT
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_vpn_input -j zone_vpn_src_ACCEPT
root@SYD_RUT950:~# iptables -S zone_vpn_src_ACCEPT
-N zone_vpn_src_ACCEPT
-A zone_vpn_src_ACCEPT -i tun_+ -j ACCEPT
root@SYD_RUT950:~#

by anonymous

The WAN INPUT REJECT rule is set up this way:

root@SYD_RUT950:~# iptables -S zone_wan_input
-N zone_wan_input
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
root@SYD_RUT950:~# iptables -S zone_wan_src_REJECT
-N zone_wan_src_REJECT
-A zone_wan_src_REJECT -i wwan0 -j reject
root@SYD_RUT950:~#

1 Answer

0 votes
by anonymous

Hello,

Well noted, thank you.
At the moment we are investigating this case and will contact you as soon as possible.

Best regards

Best answer
by anonymous

This one is worth looking at as well; I uncovered it whilst sorting out the GUI issues.

https://community.teltonika-networks.com/10612/firewall-not-blocking-vpn-traffic

by anonymous

Hello,

General rules apply to interfaces that are not assigned to zones.

The standard INPUT policy is actually unreachable, because it is preceded by a redirect to reject.

The last rule is -A INPUT -m comment --comment "!fw3" -j reject, so in the end all traffic will reach the reject chain and will not reach the default INPUT DROP.
In the near future we will update the WebUI so that users have a more transparent experience with the configuration process.

Best regards
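The explanation above (a catch-all jump to the reject chain runs before the chain policy ever gets a say, and the vpn zone's own last rule is a jump to an ACCEPT chain) is easy to verify by tracing a packet through the dumped rules rather than reading the policy line. The script below is an added example for this thread, not code from Teltonika or OpenWrt's fw3. It parses an `iptables -S` style dump, follows jumps between chains the way the kernel does, and reports the rule that produced the verdict. The zone chains in the embedded dump are copied from the outputs quoted in the thread; the contents of `delegate_input` and the `reject` chain are a simplified assumption about what fw3 installs, the interface name `tun_vpn0` is constructed, and `with_vpn_reject` builds a constructed "what the poster expected" variant for comparison.

```python
"""Trace a packet through an `iptables -S` dump to find the rule that really decides
its fate (added example for this thread, not code from Teltonika or OpenWrt's fw3)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# option -> (Rule attribute, converter); only these matches are modelled
SETTERS = {"-i": ("iface", str), "-p": ("proto", str), "--dport": ("dport", int), "-j": ("target", str)}

# Constructed dump: the zone chains are as quoted in the thread; delegate_input and the
# reject chain are simplified assumptions about what fw3 installs, and -N lines are omitted.
RULES_TEXT = """\
-P INPUT DROP
-A INPUT -j delegate_input
-A delegate_input -i tun_+ -j zone_vpn_input
-A delegate_input -i wwan0 -j zone_wan_input
-A delegate_input -m comment --comment "!fw3" -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A zone_vpn_input -p tcp -m tcp --dport 443 -m comment --comment "Allow-VPN to RUT950 UI" -j ACCEPT
-A zone_vpn_input -j zone_vpn_src_ACCEPT
-A zone_vpn_src_ACCEPT -i tun_+ -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_src_REJECT -i wwan0 -j reject
"""

@dataclass
class Rule:
    chain: str
    text: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    target: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        if self.iface and self.iface.endswith("+"):  # trailing "+" is iptables' prefix wildcard
            iface_ok = pkt["iface"].startswith(self.iface[:-1])
        else:
            iface_ok = self.iface in (None, pkt["iface"])
        return iface_ok and self.proto in (None, pkt["proto"]) and self.dport in (None, pkt.get("dport"))

def parse_rules(text: str) -> Tuple[Dict[str, str], Dict[str, List[Rule]]]:
    """Return (policies, chains) from `iptables -S` style output."""
    policies: Dict[str, str] = {}
    chains: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] in ("-P", "-N"):  # -P names a built-in chain with its policy, -N a user chain
            chains.setdefault(tok[1], [])
            if tok[0] == "-P":
                policies[tok[1]] = tok[2]
        elif tok[0] == "-A":
            rule = Rule(chain=tok[1], text=line.strip())
            for opt, arg in zip(tok[2::2], tok[3::2]):  # every option used here takes one argument
                if opt in SETTERS:
                    attr, conv = SETTERS[opt]
                    setattr(rule, attr, conv(arg))
                elif opt not in ("-m", "--comment", "--reject-with"):
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
            chains.setdefault(rule.chain, []).append(rule)
        else:
            raise ValueError(f"unsupported line: {line}")
    return policies, chains

def trace(policies, chains, chain, pkt, path=None):
    """Walk `chain` for `pkt`; return (verdict, rules taken). None = user chain fell through."""
    path = [] if path is None else path
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        path.append(rule.text)
        if rule.target in TERMINAL:
            return rule.target, path
        if rule.target not in chains:
            raise ValueError(f"unknown target {rule.target!r}")
        verdict, path = trace(policies, chains, rule.target, pkt, path)
        if verdict is not None:
            return verdict, path
    if chain in policies:  # built-in chain exhausted: only now does the policy apply
        path.append(f"policy {chain} {policies[chain]}")
        return policies[chain], path
    return None, path

def input_verdict(text: str, pkt: dict) -> Tuple[str, List[str]]:
    policies, chains = parse_rules(text)
    return trace(policies, chains, "INPUT", pkt)

def with_vpn_reject(text: str) -> str:
    """Constructed variant: the vpn zone's catch-all jumps to reject, as the poster expected."""
    text = text.replace("-A zone_vpn_input -j zone_vpn_src_ACCEPT", "-A zone_vpn_input -j zone_vpn_src_REJECT")
    return text + "-A zone_vpn_src_REJECT -i tun_+ -j reject\n"

if __name__ == "__main__":
    for iface in ("tun_vpn0", "wwan0", "eth9"):
        print(iface, input_verdict(RULES_TEXT, {"iface": iface, "proto": "tcp", "dport": 22}))
```

Running it shows the three cases the thread discusses: a packet from `tun_+` to port 22 ends in `zone_vpn_src_ACCEPT`, a packet from `wwan0` ends in the `reject` chain via `zone_wan_src_REJECT`, and a packet from an interface in no zone ends in the `reject` chain through the `!fw3` catch-all, so `policy INPUT DROP` never appears in any path. Only a dump without that catch-all (for example a bare `-P INPUT DROP`) reaches the policy, which is why changing the UI's "default policy" setting did not change what the vpn zone accepts. Feeding the script a real `iptables -S` dump from the router would need the remaining match modules (conntrack state, user chains) handled the same way.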