Protect your home network using TomatoUSB – how to only allow only HTTP/S out!

While we continue to see the WannaCry and other malware around, I thought I would secure my own network. Since I allow visitors onto their networks, I figured I would configure all new DHCP’d hosts to access the Internet only via HTTP and HTTPs and not allow them to use any DNS servers other than OpenDNS. Here’s how to do it:

The first thing I did was create an access restriction. I did this just to see what chain would be created and I would put subsequent rules into that chain.

access restriction screenshot

The previous screenshot created this chain:

Chain rdev07 (1 references)
target prot opt source destination
DROP all -- 192.168.0.15 anywhere

With this chain, I can add additional rules. The first thing I want to do is allow only DNS access to OpenDNS servers and none other. For this, I would run the following commands:

iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 208.67.222.222/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.0/24 -d 208.67.222.222/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 208.67.220.220/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.0/24 -d 208.67.220.220/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0/0 --dport 53 -j REJECT
iptables -A rdev07 -4 -p udp -s 192.168.0.0/24 -d 0.0.0.0/0/0 --dport 53 -j REJECT

These rules basically allow DNS queries from my network to the 2 OpenDNS servers. The last 2 rules mean that no other DNS servers outside of those 2 servers can be queried. The reason I do this is because there is some malware out there that will change the DNS servers to query on Windows, effectively overriding the DHCP setting. An alternative to this would be to configure Tomato to intercept DNS requests, but I would rather do it this way.

I added the following rules because I had noticed for some reason that some connections coming back from OpenDNS were dropped. I think they’re optional, but I put them in.

iptables -A rdev07 -4 -p tcp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT

Next, I go to create my whitelist – this would be my iPhone, iPad, android, etc – any hosts that I trust. I’m going to allow these host to go out to any host with TCP and UDP.

 

iptables -A rdev07 -4 -p tcp -s 192.168.0.3/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.11/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.31/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.3/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.11/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.31/32 -d 0.0.0.0/0 -j ACCEPT
I know that they can still get viruses. I hope they don’t. They can only use OpenDNS for DNS services, but they can access basically anything outside on any port.
Lastly, I configure the rules to allow only HTTP and HTTPs out.
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 --dport 443 -j ACCEPT
iptables -A rdev07 -4 -p all -s 192.168.0.0/24 -d 0.0.0.0/0 -j DROP
With this, anyone else on the network can connect to port 80 and 443 of any host on the Internet. Then, any traffic going out to any other port is dropped.
After testing all commands and seeing that they worked for me, I put them all into Administration/Scripts/Firewall.
Inserting custom firewall rules
Have fun and be safe! Please post any comments below.

Using 2 ISPs at home at the same time! Tomato MultiWAN – works great! (Video)

Why do you really need this? When Shibby first put out the firmware with MultiWAN support, I questioned why someone would pay for 2 service providers. Too much bandwidth utilization? If you need more bandwidth, just upgrade your line with your current ISP. It would be cheaper than getting a new line!

Do you need reliability? When you work from home and need to be connected to the Internet for your work and it’s not available, that’s when you might look into a solution like this one! I have Comcast Business. Does that help? No, not really when the problems is with the infrastructure and not a misconfiguration or something internal. It just means that when you call, you talk to someone a little more competent and you can get a person quicker than going through the phone system. You can have someone come on-site a little faster too. That said, the service is the same as that of all other consumers. After a few rains and a couple of Comcast outages (not exactly outages, but huge degradations in service), I started to think about getting a second provider. Luckily, in San Francisco, we have a few options for service providers here. I happen to be lucky enough to have access to 2 different cable providers, Comcast and Wave Broadband (formerly Astound). I used Astound before. It was not bad. My experience was not nearly as bad as what the Yelp reviews say. I’ve now had them for a couple of weeks and still have the same opinion. They seem to be just fine.

So, moving onto the implementation. As you can see from the screenshot, Shibby makes it easy! First configuration the VLAN. It points to a link for where to do it – in advanced settings. You can look at the next screenshot to see an example of the VLAN being set up. I’m using LAN port 1 for the 2nd WAN port.

In this screen however, You might notice my “Load Balance Weight”. The problem with my service providers is that Comcast gives me unlimited bandwidth. Wave Broadband does not. Because of this, I want more connections to go out of the first WAN link and Shibby gives us a couple of ways to do it. First is with “Load Balance Weight”. I’m just setting the 1st link to 2 and 2nd WAN link to 1. You can play with the numbers to try finding your desired balance.

Screen Shot 2016-04-29 at 6.43.42 PM

Screen Shot 2016-04-29 at 6.43.01 PM

Another place to do load balancing is by pinning a particular host to a particular WAN link. For example, I have some traffic I want out of 1 WAN link and some out of another. This way, I can tell my highest traffic hosts to go through WAN1 while some others through WAN2.

Screen Shot 2016-04-29 at 6.47.37 PM

Here’s a status window to show that I have both WANs connected.

Screen Shot 2016-05-01 at 4.23.59 PM

Lastly, you can see from different searches of what’s my IP, that both WAN links are being utilized.

Screen Shot 2016-05-01 at 4.29.15 PM Screen Shot 2016-05-01 at 4.29.26 PM

Please post your comments and share!

Drobo connected to Asus router running TomatoUSB

Simple – Don’t do it! This was from a couple of years ago when running TomatoUSB on an ASUS RT-N16 router. DD-WRT had issues where the wifi would drop off periodically. I found that TomatoUSB (Shibby or Toastman) were both very good alternatives. So good that I’ve since moved onto Tomato for almost all of my routers.

Anyways, some of the issues I ran into were:

Value too large for defined data type …

Sep 24 00:01:08 unknown daemon.err smbd[1539]: disk_free: sys_fsusage() failed.
Error was : Value too large for defined data type
Sep 24 00:01:08 unknown daemon.err smbd[1539]: disk_free: sys_fsusage() failed.
Error was : Value too large for defined data type

[email protected]:/tmp/etc# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 5.6M 5.6M 0 100% /
tmpfs 62.0M 400.0K 61.6M 1% /tmp
devfs 62.0M 0 62.0M 0% /dev
df: /tmp/mnt/Monster: Value too large for defined data type

Along with this, the CPU on that router just couldn’t handle NTFS-3G well – CPU utilization was going through the roof on writes. I think reads were okay.

It would be better to just build a cheap NAS.

if vCenter Server Heartbeat or Neverfail Heartbeat failover appears to be not working or taking a long time …

The main symptom of this problem would be that the vCenter Server Heartbeat console or Neverfail Management Client console would show that the services had failed over, but if you were to try to ping it, it wouldn’t respond.
Logically, there there are some hypotheses you could come up with:

1) Network packet filter isn’t revealed on the active server, so we can’t connect to it.
2) Something wrong w/ the service.
3) The console is wrong and on the backend, nothing failed over.

These would be all wrong.

What we found was that it was an issue with ARP caching on the switches. Because the VM or host abruptly fell off the network, the switches hadn’t expired the ARP entries and that they were stale. You would think that it would be fixed in a minute after the ARP entries expired, but I guess the chain could take a little longer.

Probably the best way to troubleshoot this would be to get on a host on the same network segment and try a ping. If that fails, you could run “arp -a” and check to see if you indeed have the right mac address of the host you want to connect to. If not, you could probably log into the switch to delete the entry or you can create a task to run the command during switchover:

“C:\Program Files\VMware\VMware vCenter Server Heartbeat\R2\bin>nfpktfltr.exe arp”

You should then see the switchover happen without the long delay.

What in the world is irlwinning.com? DDOS?

Recently, I set up my own DNS server. I hadn’t run a public DNS server in years. Since the tvpads recently had some DNS issues, I thought maybe I could help eliminate some support calls by running my own DNS server, pointing to the right servers. Boy was I wrong! For some reason, even though some others on comcast would point to my server as a DNS server, they would still get answers that were not the answers given from my server! It was so bizarre! I had never seen it before. If they ran nslookup and used “server <DNS Server IP>” and typed in the name they wanted to resolve, it’s almost as if the server statement prior was ignored and they were getting the IP that the ISP wanted to give them.

Anyways, that’s not the problem I’m writing about here. Surfing some websites became slow for some reason and I thought I would investigate. The first thing I went to see was what connections I had to the outside world. I went to the router and looked at the traffic. Here’s what I saw:
dns
Obviously, that’s DNS traffic. Well, go to the DNS server and what do I see? This:

10-Oct-2013 15:34:14.228 queries: client 54.252.236.155#58070: query: irlwinning.com IN ANY +E
10-Oct-2013 15:34:14.670 queries: client 206.220.43.92#26073: query: irlwinning.com IN ANY +E

Many different lines of the same exact query. What is it? I have no idea. I’ve decided just to shut down DNS queries for now, but if anyone knows anything about this, I’d be happy to hear from you.

Thanks!

apt-get cheatsheet




nixCraft » Debian Linux apt-get package management cheat sheet » Print


– nixCraft – http://www.cyberciti.biz/tips

Debian Linux apt-get package management cheat sheet

Posted By LinuxTitli On May 9, 2005 @ 12:21 pm In Debian Linux, Howto, Linux, Sys admin, Tips, Ubuntu Linux | 6 Comments

[1]

Both Debian and Ubuntu Linux provides a number of package management tools. This article summaries package management command along with it usage and examples for you.

(1) apt-get : APT is acronym for Advanced Package Tool. It supports installing packages over internet (ftp or http). You can also upgrade all packages in single operations, which makes it even more attractive.

(2) dpkg : Debian packaging tool which can be use to install, query, uninstall packages.

(3) Gui tools:

You can also try GUI based or high level interface to the Debian GNU/Linux package system. Following list summaries them:
(1) aptitude [2]: It is a text-based interface to the Debian GNU/Linux package system.
(2) synaptic [3]: GUI front end for APT

Red hat Linux package names generally end in .rpml similarly Debian package names end in .deb, for example:
apache_1.3.31-6_i386.deb

apache : Package name
1.3.31-6 : Version number
i386 : Hardware Platform on which this package will run (i386 == intel x86 based system)
.deb : Extension that suggest it is a Debian package

Remember whenever I refer .deb file it signifies complete file name, and whenever I refer package name it must be first part of .deb file. For example when I refer to package sudo it means sudo only and not the .deb file i.e. sudo_1.6.7p5-2_i386.deb. However do not worry you can find out complete debian package list with the following command:

apt-cache search {package-name}

apt-get add a new package

Add a new package called samba
Syntax: apt-get install {package-name}

# apt-get install samba

apt-get remove the package called samba but keep the configuration files

Syntax: apt-get remove {package-name}

# apt-get remove samba

apt-get remove (erase) package and configuration file

Syntax: apt-get –purge remove {package-name}

# apt-get --purge remove samba

apt-get Update (upgrade) package

Syntax: apt-get upgrade

To upgrade individual package called sudo, enter:
# apt-get install sudo

apt-get display available software updates

Following command will display the list of all available upgrades (updates) using -u option, if you decided to upgrade all of the shown packages just hit ‘y’

# apt-get upgrade samba

However if you just wish to upgrade individual package then use apt-get command and it will take care of rest of your worries:
Syntax: apt-get install {package-name}

dpkg command to get package information such as description of package, version etc.

Syntax: dpkg –info {.deb-package-name}

# dpkg --info sudo_1.6.7p5-2_i386.deb | less

List all installed packages

Syntax: dpkg -l

# dpkg -l

To list individual package try such as apache

# dpkg -l apache

You can also use this command to see (verify) if package sudo is install or not (note that if package is installed then it displays package name along with small description):

# dpkg -l | grep -i 'sudo'

To list packages related to the apache:

# dpkg -l '*apache*'

List files provided (or owned) by the installed package (for example what files are provided by the installed samba package)
Syntax: dpkg -L {package-name}

# dpkg -L samba

(H) List files provided (or owned) by the package (for example what files are provided by the uninstalled sudo package)

Syntax: dpkg –contents {.deb-package-name}

# dpkg --contents sudo_1.6.7p5-2_i386.deb

Find, what package owns the file /bin/netstat?

Syntax: dpkg -S {/path/to/file}

# dpkg -S /bin/netstat

Search for package or package description

Some times you don’t know package name but aware of some keywords to search the package. Once you got package name you can install it using apt-get -i {package-name} command:
Syntax: apt-cache search “Text-to-search”

Find out all the Debian package which can be used for Intrusion Detection

# apt-cache search "Intrusion Detection"

Find out all sniffer packages

# apt-cache search sniffer

Find out if Debian package is installed or not (status)

Syntax: dpkg -s {package-name} | grep Status

# dpkg -s samba| grep Status

List ach dependency a package has…

Display a listing of each dependency a package has and all the possible other packages that can fulfill that dependency. You hardly use this command as apt-get does decent job fulfill all package dependencies.

Syntax: apt-cache depends package

Display dependencies for lsof and mysql-server packages:

# apt-cache depends lsof
# apt-cache depends mysql-server

Further reading


Article printed from nixCraft: http://www.cyberciti.biz/tips

URL to article: http://www.cyberciti.biz/tips/linux-debian-package-management-cheat-sheet.html

URLs in this post:

[1] Image: http://www.cyberciti.biz/tips/category/debian-linux

[2] aptitude: http://www.cyberciti.biz/images/blogs/tips_tricks/aptitude030505.jpg

[3] synaptic: http://www.cyberciti.biz/images/blogs/tips_tricks/synaptic.png

[4] cheat sheet: http://www.cyberciti.biz/howto/question/linux/dpkg-cheat-sheet.php

[5] cheat-sheet: http://www.cyberciti.biz/howto/question/linux/apt-get-cheat-sheet.php

[6] APT and Dpkg Quick Reference Sheet: http://www.cyberciti.biz/tips/ref/apt-dpkg-ref.html

Copyright © 2004-2009 nixCraft. All rights reserved.



UPnP Problems?

For some reason, on my home LAN, I have trouble playing Age of Empires. I know, it’s an old game, but I still like to play it. I’m connected at home via a Linksys WRT54G-L. I’ve also connected up a Netgear MR814 used as a hub, but I don’t think that’s the issue. I’m not using dhcp on either of those boxes – I have a separate machine as a dhcp server. Anyways, clicking “Show games” would never work! I thought initially it was some software issue, so I reinstalled Windows and it still didn’t work. I swapped out the WRT54G-L for a switch and then it worked! After some googling, I found that it might be the UPnP. Hopefully, this fixes it. It works now, but then again, it used to work before too. We’ll see.