Need help configuring my router hardware firewall with IPTables.

Heya guys.

I need help configuring my hardware firewall. My router is the Westell Versalink 7500, and it appears to follow the IPTables syntax.

Now, I am aware that the firewall works when I scan the ports with GRC Shields Up! (by not responding to the ICMP ping), but I am unable to get ports 20 & 21 stealthed.

Here are my current rules:

#! /bin/sh
# 
# Author: Stanley Chan
#
# Version 06/27/08
#
# /etc/init.d/firewall
#
#
### Based on rules from:
### http://www.novell.com/coolsolutions/feature/18139.html
### http://www.linuxquestions.org/questions/linux-security-4/stealth-iptables-ruleset-21338/
### http://fixunix.com/security/17626-shields-up-reports-one-open-port-through-iptables.html
### http://www.dslreports.com/forum/r20642422-Help-Configuring-Router-IPTables-to-stealth-all-ports-
#
#
### BEGIN INIT INFO
# Provides: Firewall for Router/Modem/Switch [Westell Versalink 7500]
# Required-Start: $network syslog
# Required-Stop:
# Should-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: Firewall Configuration
### END INIT INFO
#
#


##############################################################################
# DEFAULT POLICY
SetDefaultPolicy() {
	# Drop everything
	iptables -P INPUT DROP
	iptables -P OUTPUT DROP
	iptables -P FORWARD DROP
}


##############################################################################
# FLUSH TABLES
FlushTables() {
	iptables -F -t nat
	iptables -F -t mangle
	iptables -F -t filter
	iptables -X
}


##############################################################################
# ROUTING
EnableRouting() {
	echo 1 > /proc/sys/net/ipv4/ip_forward
}


DisableRouting() {
	echo 0 > /proc/sys/net/ipv4/ip_forward
}


##############################################################################
# FORWARDING
SetForwardingRules() {
	iptables -A FORWARD -i $IF_PUB -o $IF_PRV -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A FORWARD -i $IF_PRV -o $IF_PUB -j ACCEPT
}


##############################################################################
# Stan's Custom Rules
SetCustomRules() {
	iptables -N inbound
	iptables -A INPUT -i eth0 -j inbound

	iptables -A INPUT -i eth0 -p tcp --syn -j DROP
	iptables -A INPUT -i eth0 -p tcp --dport 0 -j DROP
	iptables -A INPUT -i eth0 -p tcp --dport 1 -j DROP
	iptables -A INPUT -i eth0 -p udp --syn -j DROP
	iptables -A INPUT -i eth0 -p udp --dport 0 -j DROP
	iptables -A INPUT -i eth0 -p udp --dport 1 -j DROP

	# Drop all traffic that's not allowed
	iptables -A INPUT -i eth0 -d $YOURBOX -j LOG --log-level 7 --log-prefix "Default Deny"
	iptables -A INPUT -j DROP

	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}


##############################################################################
# LOOPBACK
SetLoopbackRules() {
	# Allow everything
	iptables -A INPUT -i lo -j ACCEPT
	iptables -A OUTPUT -o lo -j ACCEPT
}


##############################################################################
# PRIVATE INTERFACES
SetPrivateInterfaceRules() {
	# Allow everything
	iptables -A INPUT -i $IF_PRV -s $NET_PRV -j ACCEPT
	iptables -A OUTPUT -o $IF_PRV -d $NET_PRV -j ACCEPT
}


#############################################################################
# PUBLIC INTERFACES
SetPublicInterfaceRules() {
	iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A OUTPUT -o $IF_PUB -j ACCEPT
}


##############################################################################
# SOURCE NAT
EnableSourceNAT() {
	# Then source NAT everything else
	iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB
}


# Various ICMP
SetICMP_Open() {
	iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
	iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
	iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
	iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}


# SSH (on a non-standard port)
SetSSH_Open() {
	iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB --dport 2202 -j ACCEPT
}


##############################################################################
# Destination NAT

# smtp
SetSMTP_DNAT() {
	iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
	iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport smtp -j ACCEPT
}


# pop3
SetPOP3_DNAT() {
	iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport pop3 -j DNAT --to 192.168.10.254
	iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport pop3 -j ACCEPT
}


# Webmail (444->443)
SetWebmail_DNAT() {
	iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.10.254:443
	iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT
}


# http
SetHTTP_DNAT() {
	iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.10.253
	iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
}


# Blocked protocols
SetBlockedProtocols() {
	# Block all normal irc (used by botnets)
	iptables -A INPUT -p tcp --dport irc -j DROP
	iptables -A INPUT -p udp --dport irc -j DROP
	iptables -A INPUT -p tcp --dport irc-serv -j DROP
	iptables -A INPUT -p udp --dport irc-serv -j DROP
	iptables -A INPUT -p tcp --dport ircs -j DROP
	iptables -A INPUT -p udp --dport ircs -j DROP
}


# Blocked hosts
SetBlockedHosts() {
	iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j DROP --reject-with icmp-host-prohibited
	iptables -A FORWARD -i $IF_PUB -s 10.220.231.236 -j DROP --reject-with icmp-host-prohibited
}


# Blocked networks
SetBlockedNetworks() {
	iptables -A INPUT -i $IF_PUB -s 10.220.232.0/24 -j DROP --reject-with icmp-net-prohibited
	iptables -A FORWARD -i $IF_PUB -d $IP_PUB -s 10.220.232.0/24 -j DROP --reject-with icmp-net-prohibited
}


# Specify things to drop before logging
SetPrelogDropRules() {
	# DHCP
	iptables -A INPUT -i $IF_PUB -p udp --sport bootps -j DROP
}


# Log those on the public interface
SetLoggingRules() {
	iptables -A INPUT -i $IF_PUB -j LOG --log-prefix="INPUT   "
	iptables -A OUTPUT -o $IF_PUB -j LOG --log-prefix="OUTPUT  "
	iptables -A FORWARD -j LOG --log-prefix="FORWARD "
#	iptables -t nat -A PREROUTING -i $IF_PUB -j LOG --log-prefix="nPre    "
#	iptables -t nat -A POSTROUTING -o $IF_PUB -j LOG --log-prefix="nPost   "
#	iptables -t nat -A OUTPUT -o $IF_PUB -j LOG --log-prefix="NAT OUT "
}


# Drop them all
SetDropRules() {
	# Reset tcp connection attempts on all other ports
	# This is the standard TCP behaviour for a closed port. Reading
	# suggests there is no value in stealthing ports and since some are
	# open on this host it doesn't seem to matter. Therefore, let's be a 
	# good TCP citizen
	### Stan- Changed rule from REJECT to DROP for stealthing
	iptables -A INPUT -p tcp -j DROP --reject-with tcp-reset
}


##############################################################################
# SCRIPT ENTRY POINT

echo -n "Firewall Configuration..."
echo $1

##############################################################################
# ENVIRONMENT

# Private interface
IF_PRV=eth0
IP_PRV=192.168.1.1
NET_PRV=192.168.1.0/24

# Public interface
IF_PUB=eth1
IP_PUB=10.0.0.1
NET_PUB=10.0.0.0/24

# Others
ANYWHERE=0.0.0.0/0

. /etc/rc.status
rc_reset


##############################################################################
# COMMAND LINE

case "$1" in
	start)
		SetDefaultPolicy
		FlushTables

		EnableRouting

		SetBlockedProtocols
		SetBlockedNetworks
		SetBlockedHosts

		SetForwardingRules

		SetCustomRules

		SetLoopbackRules
		SetPrivateInterfaceRules
		SetPublicInterfaceRules

		EnableSourceNAT

		SetICMP_Open
		SetSSH_Open

		SetSMTP_DNAT
		SetPOP3_DNAT
		SetWebmail_DNAT
		SetHTTP_DNAT

		SetPrelogDropRules
		SetLoggingRules
		SetDropRules
		;;

	stop)
		SetDefaultPolicy
		FlushTables

		SetPrivateInterfaceRules
		SetPublicInterfaceRules
		;;

	restart)
		$0 stop
		$0 start
		;;

	*)
		;;
esac

rc_exit

Now, I understand that the firewall accepts packets once connections have been established and related. Can port 21 be reported closed because of some application that established the connection?

Thanks for your help, guys. Here are other threads that report my progress on this: http://www.dslreports.com/forum/r20642422-Help-Configuring-Router-IPTables-to-stealth-all-ports- & http://www.dslreports.com/forum/r20021710-Help-Tweaking-Westell-Versalink-327W-Firewall-for-Starcraft

EDIT- Updated rules. Still unable to stealth all ports :frowning: .

GRC (of other few scanners) reports ports 20 & 21 closed and not stealth. Individual port scan from GRC of 500 reports closed (while service port scanning of first 1056 ports reports stealthed). Huh? Can anyone help?

Hi, just a suggestion. You could ask at wilders security forum, they have a linux guru regular there by the user name of ‘mrkvonic’ that may can help. Hope this helps,tim