Custom rule in firewall? (GL-X750)

legepe · 2022-02-03T17:36:30.965Z

Hi everyone…
I have a GL iNet x750 router and just wondering if anyone knows should it have in the firewall a custom rule already written see below
What is this for? Should I remove it?
Any advice very welcome
Thanks
legepe

force_dns() {
# lanip=$(ifconfig br-lan |sed -n ‘s/.dr:(.) Bc.*/\1/p’)
lanip=$(uci get network.lan.ipaddr)
tor=$(ps|grep /usr/sbin/tor|grep -v grep)
[ “$1” = “add” ] && {
ip=$(uci get glconfig.general.ipaddr)
[ -z “$ip” ] && ip=$(uci get network.lan.ipaddr)
iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $ip

	uci set glconfig.general.ipaddr=$lanip
	uci commit glconfig
	iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
	[ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
	iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
	[ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip

	if [ -n "$tor" ];then
		iptables -t nat -C PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
		[ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
		iptables -t nat -C PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
		[ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
	fi


	
}
[ "$1" = "remove" ] && {
	lanip=$(uci get glconfig.general.ipaddr)
	[ -z "$lanip" ] && lanip=$(uci get network.lan.ipaddr)
	iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
	[ "$?" = "0" ] && iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
	iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
	[ "$?" = "0" ] && iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip

	if [ -n "$tor" ];then
		iptables -t nat -D PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
		iptables -t nat -D PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
	fi
}

}

force=$(uci get glconfig.general.force_dns)
if [ -n “$force” ]; then
force_dns add
else
force_dns remove
fi
gl-firewall

PPTP Passthrough

iptables -t raw -D OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp

alzhao · 2022-02-04T04:40:08.460Z

Force DNS rules tries to override the DNS request of the client side. This can be turned on/off from the UI.

pptp passthrought can be removed which allows client to build pptp tunnel.

legepe · 2022-02-04T10:38:15.763Z

Thanks alzhao
Ive simply removed it from the custom rules. If I understand it correctly it is something not really needed and simply more of a security threat?
The other thing I need advice on is how to beef up as much as possible the security on this router.

alzhao · 2022-02-05T06:09:00.246Z

Yes you can remove it directly as long as you don’t need.

wcs2228 · 2022-02-05T15:58:21.238Z

How would this be considered a security threat?

You can enable/disable on Admin Panel → MORE SETTINGS → Custom DNS Server → Override DNS Settings for All Clients.

legepe · 2022-02-08T18:26:23.303Z

wcs2228:

How would this be considered a security threat?

I guess its my ignorance around the tech of knowing what to confirgure/change within the routers settings
It just seemed very odd to me that something would already be written into a custom rule… but again this must be down to my ignorance of such things
I do need help obviously with securing the router as much as poss, and would appreciate any help there

wcs2228 · 2022-02-08T20:55:14.558Z

I think that particular custom rule was added by GL.iNet as a feature and it is good that they have a setting for owners to enable or disable the feature.

In terms of overall security, I believe the GL.iNet routers are about as secure as other router brands on the market, especially those that run OpenWRT. At the same time, no router can be considered 100% perfectly secure and there are often bugs in the firmware that allow the bad guys to exploit.

Besides the router, there may be hardware/software vulnerabilities in your computers, smartphones and other devices that allow the bad guys to come in, so you should consider security holistically. You should update these devices regularly, install antivirus/firewall, be wary of emails and websites, do backups, etc.

The most basic thing you can do on your router is make sure that have good, strong passwords for the admin/root account and the wifi SSIDs, changing them every so often. Also, use the WPA2/WPA3 with AES encryption, VPN and update the firmware regularly.

All routers (and other devices) have some features installed that not everyone uses, but some may be running by default (i.e., bloatware). If you do not use them, you can try to disable them, but that is not always possible. In general, I do not recommend modifying and/or deleting core functionalities unless you know what it does, so it does not break something and/or gets reinstalled with the next update. If you are not certain, you can ask the manufacturer, which you did in this case of custom rule, with alzhao indicating that it can be turned on/off from the UI and I indicating where that setting is and it is not a significant security risk.

When I worked in I.T. Security, we used to run penetration scans and tests on networks on a regular basis using specialized tools, You can run the free, basic “nmap” software if you want.

legepe · 2022-02-09T12:10:18.987Z

Thanks for reply wcs2228
Regarding VPN, is it more secure to run from router, or does it not make any difference if its run from PC?
Ive played in the past with nmap and some other network monitoring tools but my problem was that I struggled to understand the commands and results of the various things used, and in the end gave up on them.
I will try again and see if there is any difference (with me that is) using nmap
I have strong passwords set up on both the admin and wifi… but its the 4g connection that I am concerned with and again i maybe ignorant with thinking this, but my understanding is that if someone is hacking your router/network through this then an admin password is not so useful. Am I incorrect thinking this?

wcs2228 · 2022-02-10T22:00:38.407Z

The majority of security breaches against the average consumer are not from direct attack on the router. Worms, viruses, ransomware, malware, etc. generally come in via emails, website links, downloaded files, applications, USB drives, etc. that you bring in and infect your devices from the inside.

There is only so much security that your router can provide overall, from the network perimeter. If you do all the basic things I suggested in my previous post, then you should get “pretty good security” from your router at little or no cost. No single item, including disabling features, nmap scans and strong passwords, will provide perfect protection, but they are free and together are worthwhile.

The average consumer cannot spend the $$$ to secure their environment like governments, financial institutions and larger corporations, so each of us should evaluate the value of their assets vs. risks and consider the cost-benefit tradeoffs. Personally, I do the basic things above on my router, computers, smartphones and other devices and I am careful about opening unknown emails, websites, files, etc. I encrypt really confidential files and/or have strong passwords to websites.

VPN is mainly for privacy, more than for security, to prevent others from knowing your data and location. I only run VPN selectively on my computers, not on the router, because:

When banks/financial institutions and certain websites (including gmail) notice your VPN IP is from a suspicious location, they request 2FA or block you.
Certain websites may just block access from your VPN IP
I enable Killswitch when using VPN, so that Internet access is blocked if the VPN connection drops even though the Internet connection is still active. When this happens, other members of my household may freak out that “the world has fallen apart”.
VPN app installed on computers provide encryption starting from the client devices, not just from the router.