
RUT240 Firewall

Summary #

RutOS uses the standard Linux iptables package as its firewall; iptables uses rule chains and default policies to control inbound and outbound traffic. This chapter is an overview of the Firewall section.

The information in this page is updated in accordance with the RUT2XX_R_00.01.12 firmware version.

General Settings #

The General Settings tab is used to configure the main policies of the device’s firewall. The figure below is an example of the General Settings section and the table below provides information on the fields contained in that section:

[Figure: Network firewall general general.PNG]

Drop invalid packets
    Value: yes | no; Default: no
    A “Drop” action is performed on a packet that is determined to be invalid
Input
    Value: Reject | Drop | Accept; Default: Accept
    Action* that is to be performed for packets that pass through the Input chain
Output
    Value: Reject | Drop | Accept; Default: Accept
    Action* that is to be performed for packets that pass through the Output chain
Forward
    Value: Reject | Drop | Accept; Default: Reject
    Action* that is to be performed for packets that pass through the Forward chain

*When a packet goes through a firewall chain it is matched against all the rules of that specific chain. If no rule matches the packet, the corresponding default Action (Drop, Reject or Accept) is performed:

Accept – the packet continues down to the next chain

Drop – the packet is stopped and deleted

Reject – the packet is stopped and deleted and, unlike Drop, an ICMP packet containing a rejection message is sent to the source of the dropped packet

DMZ #

By enabling DMZ for a specific internal host (e.g., your computer), you will expose that host and its services to the router’s WAN network (i.e., the Internet).

[Figure: Network firewall general dmz.PNG]

Source zone
    Value: yes | no; Default: no
    Toggles DMZ On or Off
DMZ host IP address
    Value: ip; Default: empty
    Internal host to which the DMZ rule will be applied

Zone Forwarding #

A zone section groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects. The Zone Forwarding section allows you to configure these forwardings.

[Figure: Network firewall general zone.PNG]

Source zone
    Value: gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan
    The source zone from which data packets will be redirected
Destination zones
    Value: gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan
    The destination zone to which data packets will be redirected
Default forwarding action
    Value: Reject | Drop | Accept
    Action to be performed on the redirected packets

Port Forwarding #

The Port Forwarding window is used to set up servers and services on local LAN machines. Below is an overview of Port Forwarding default rules.

[Figure: Network firewall port forwarding.PNG]

New Port Forward Rule #

If none of the default rules suit your purposes, you can create custom rules using the New Port Forward Rule tab.

[Figure: Network firewall port forwarding new.PNG]

Name
    Value: string; Default: empty
    Name of the rule, used purely for easier management purposes
Protocol
    Value: TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: TCP+UDP
    Type of protocol of the incoming packet
External port
    Value: integer [0..65535] | range of integers [0..65534] – [1..65535]; Default: empty
    Traffic will be forwarded from this port on the WAN network
Internal IP address
    Value: ip; Default: empty
    The IP address of the internal machine that hosts some service that you want to access from the outside
Internal port
    Value: integer [0..65535] | range of integers [0..65534] – [1..65535]; Default: empty
    The rule will redirect the traffic to this port on the internal machine

Once you have submitted the required information, click the Add button located in the New Port Forward Rule tab.

Port Forward Rule Configuration #

To configure a Port Forward rule, click the Edit button located next to it. Below is a continuation of the previous New Port Forward Rule example, where we look at the configuration of the newly created rule.

[Figure: Network firewall port forwarding new configuration.PNG]

Enable
    Value: yes | no; Default: no
    Toggles a rule ON or OFF
Name
    Value: string; Default: empty
    The name of the rule. This is used for easier management purposes
Protocol
    Value: TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: TCP+UDP
    Specifies to which protocols the rule should apply
Source zone
    Value: gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan; Default: wan: ppp
    The source zone from which data packets will be redirected
Source MAC address
    Value: mac; Default: empty
    Matches incoming traffic from these MACs only
Source IP address
    Value: ip; Default: empty
    Matches incoming traffic from this IP or range of IPs only
Source port
    Value: integer [0..65535] | range of integers [0..65534] – [1..65535]; Default: empty
    Matches incoming traffic originating from the given source port or port range on the client host only
External IP address
    Value: ip; Default: empty
    Matches incoming traffic directed at the given IP address only
External port
    Value: integer [0..65535] | range of integers [0..65534] – [1..65535]; Default: empty
    Specifies the external port, i.e., the port to which the third party is connecting
Internal zone
    Value: gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan; Default: lan: lan
    Specifies the internal zone, i.e., the zone to which the incoming connection will be redirected
Internal IP address
    Value: ip; Default: empty
    Specifies the internal IP address, i.e., the IP address to which the incoming connection will be redirected
Internal port
    Value: integer [0..65535] | range of integers [0..65534] – [1..65535]; Default: empty
    Specifies the internal port, i.e., the port to which the incoming connection will be redirected
Enable NAT loopback
    Value: yes | no; Default: no
    NAT loopback enables your local network (i.e., the hosts behind your router/modem) to connect to a forward-facing IP address (such as 208.112.93.73) of a machine that is also on your local network
Extra arguments
    Value: string; Default: empty
    Passes additional arguments to iptables. Use with care!
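The following Python model, added here as an illustration and not taken from RutOS, shows what a Port Forward rule does to a packet and why the Enable NAT loopback option exists. A connection from the WAN to the router's external address is DNATed to the internal host; a connection from a LAN client to that same external address is only redirected when NAT loopback is on, and in that case the source is also rewritten to the router's LAN address so that the server's reply travels back through the router (this is how OpenWrt-style reflection rules behave, and is an assumption about RutOS internals). All addresses, ports and the hostnames are constructed.

```python
"""Model of a Port Forward rule with and without NAT loopback (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Router:
    wan_ip: str      # the "forward-facing" address clients connect to
    lan_ip: str      # the router's own address on the LAN
    lan_net: str     # the internal subnet, e.g. "192.168.1.0/24"


@dataclass(frozen=True)
class PortForward:
    proto: str
    external_port: int
    internal_ip: str
    internal_port: int
    nat_loopback: bool = False


def apply_forward(pkt: Packet, rule: PortForward, router: Router) -> Packet:
    """Return the packet as it leaves the router toward the LAN.

    If the rule does not apply, the packet is returned unchanged; for a packet
    addressed to the WAN IP that means the router itself handles it in the
    Input chain instead of forwarding it.
    """
    to_external_port = pkt.dst_ip == router.wan_ip and pkt.dst_port == rule.external_port
    if not to_external_port or pkt.proto != rule.proto:
        return pkt

    from_lan = ip_address(pkt.src_ip) in ip_network(router.lan_net)
    if from_lan and not rule.nat_loopback:
        return pkt  # hairpin traffic is not reflected without NAT loopback

    # PREROUTING DNAT: rewrite the destination to the internal server.
    dnat = replace(pkt, dst_ip=rule.internal_ip, dst_port=rule.internal_port)
    if from_lan:
        # POSTROUTING SNAT for loopback (modelled on OpenWrt reflection): the
        # server sees the router as the client, so its reply comes back through
        # the router to be un-NATed. Without it the server would answer the LAN
        # client directly from its private address, and the client would not
        # match that reply to the connection it opened to the WAN address.
        return replace(dnat, src_ip=router.lan_ip)
    return dnat


def delivered_to(pkt: Packet, router: Router) -> str:
    """Where a post-NAT packet ends up: the router itself or an internal host."""
    if pkt.dst_ip in (router.wan_ip, router.lan_ip):
        return "router"
    return f"{pkt.dst_ip}:{pkt.dst_port}"


# Constructed example: a web server at 192.168.1.20:80 published on WAN port 8080.
ROUTER = Router(wan_ip="203.0.113.10", lan_ip="192.168.1.1", lan_net="192.168.1.0/24")
RULE = PortForward("tcp", 8080, "192.168.1.20", 80)
RULE_LOOPBACK = replace(RULE, nat_loopback=True)
FROM_WAN = Packet("198.51.100.5", 51515, "203.0.113.10", 8080)
FROM_LAN = Packet("192.168.1.50", 40000, "203.0.113.10", 8080)


def scenarios() -> dict:
    return {
        "wan_client": apply_forward(FROM_WAN, RULE, ROUTER),
        "lan_client_no_loopback": apply_forward(FROM_LAN, RULE, ROUTER),
        "lan_client_loopback": apply_forward(FROM_LAN, RULE_LOOPBACK, ROUTER),
    }


if __name__ == "__main__":
    for name, out in scenarios().items():
        print(f"{name}: {out.src_ip}:{out.src_port} -> {delivered_to(out, ROUTER)}")
```

Running it shows the WAN client reaching 192.168.1.20:80 with its source untouched, the LAN client ending up at the router itself when loopback is off, and the LAN client reaching 192.168.1.20:80 with source 192.168.1.1 when loopback is on.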

Traffic Rules #

The Traffic Rules page contains a more generalized rule definition. With it you can block or open ports, alter how traffic is forwarded between LAN and WAN and many other things.

[Figure: Network firewall trafic rules.PNG]

Name
    Name of the rule, used purely for easier management purposes
Protocol
    Type of protocol of the incoming packet
Source
    The source zone from which data packets will be redirected
Destination
    Redirect matched traffic to the given IP address and destination port
Action
    Action to be performed on the packet if it matches the rule
Enable
    Toggles the rule ON or OFF. If unchecked, the rule will not be deleted, but it also will not be loaded into the firewall
Sort
    When a packet arrives, it is checked for a matching rule. If several rules match, only the first one is applied, i.e., the order of the rule list determines how your firewall operates; you are therefore given the ability to sort the list however you see fit
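The chain semantics described in General Settings (a default Action applies when no rule matches; Drop is silent while Reject answers with ICMP), the zone forwardings from Zone Forwarding, and the first-match ordering behind the Sort field are all small enough to model in a few lines. The Python below is an added illustration, not RutOS or iptables code; zone names, rule names and addresses are constructed.

```python
"""Model of how an iptables chain on RutOS arrives at a verdict (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ACCEPT, DROP, REJECT = "Accept", "Drop", "Reject"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int
    src_zone: str         # zone the packet arrived from, e.g. "lan" or "wan"
    dst_zone: str         # zone it would be forwarded into
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    name: str
    action: str
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_net: Optional[str] = None   # e.g. "192.168.2.0/24"

    def matches(self, pkt: Packet) -> bool:
        # Every field that is set must match; an unset field matches anything.
        return all([
            self.src_zone is None or pkt.src_zone == self.src_zone,
            self.dst_zone is None or pkt.dst_zone == self.dst_zone,
            self.proto is None or pkt.proto == self.proto,
            self.dport is None or pkt.dport == self.dport,
            self.src_net is None or ip_address(pkt.src) in ip_network(self.src_net),
        ])


@dataclass
class Chain:
    name: str
    policy: str           # default action from General Settings
    rules: list
    drop_invalid: bool = False

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); reason is the matching rule name or 'policy'."""
        if self.drop_invalid and pkt.state == "INVALID":
            return DROP, "drop-invalid"
        for rule in self.rules:          # first match wins; later rules are not consulted
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.policy, "policy"


def response_to_sender(verdict: str) -> Optional[str]:
    """What the sender observes: Reject answers with an ICMP error, Drop stays silent."""
    return "icmp-port-unreachable" if verdict == REJECT else None


# Forward chain with the page's default policy (Reject), "Drop invalid packets"
# enabled, and one zone forwarding lan -> wan (constructed configuration).
FORWARD = Chain("forward", REJECT,
                [Rule("lan-to-wan", ACCEPT, src_zone="lan", dst_zone="wan")],
                drop_invalid=True)

# Two rules that both match SSH from a guest subnet: the list order decides.
ORDERED = Chain("forward", REJECT, [
    Rule("drop-guest-ssh", DROP, src_net="192.168.2.0/24", proto="tcp", dport=22),
    Rule("allow-ssh", ACCEPT, proto="tcp", dport=22),
])
REORDERED = Chain("forward", REJECT, list(reversed(ORDERED.rules)))


def demo() -> dict:
    lan_web = Packet("192.168.1.50", "198.51.100.7", "tcp", 443, "lan", "wan")
    wan_in = Packet("198.51.100.7", "192.168.1.50", "tcp", 445, "wan", "lan")
    invalid = Packet("192.168.1.50", "198.51.100.7", "tcp", 443, "lan", "wan", state="INVALID")
    guest_ssh = Packet("192.168.2.9", "10.0.0.4", "tcp", 22, "lan", "wan")
    return {
        "lan_web": FORWARD.evaluate(lan_web),
        "wan_in": FORWARD.evaluate(wan_in),
        "invalid": FORWARD.evaluate(invalid),
        "guest_ssh_ordered": ORDERED.evaluate(guest_ssh),
        "guest_ssh_reordered": REORDERED.evaluate(guest_ssh),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name}: {verdict} via {reason}; sender sees {response_to_sender(verdict)}")
```

The last two entries of the demo are the point of the Sort field: the same packet is dropped when the specific guest rule comes first and accepted when the generic allow rule is moved above it, with nothing else changed.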

Traffic Rule Configuration #

To customize a Traffic Rule, click the Edit button located next to it. This lets you fine-tune a rule as precisely as you need. The figure below is an example of editing the “Allow-DHCP-Relay” default rule. All rules are configured in an identical manner but with different settings.

[Figure: Network firewall trafic rules edit.PNG]

Enable
    Value: yes | no; Default: no
    Turns the rule ON or OFF
Name
    Value: string; Default: empty
    The name of the rule. This is used for easier management purposes
Restrict to address family
    Value: IPv4 and IPv6 | IPv4 only | IPv6 only; Default: IPv4 and IPv6
    Restricts the rule to the selected IP address family
Protocol
    Value: TCP+UDP | TCP | UDP | ICMP | -- custom --; Default: TCP+UDP
    Specifies to which protocols the rule should apply
Source zone
    Value: gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan; Default: wan: ppp
    Specifies the external zone, i.e., the zone from which the third-party connection will come
Source MAC address
    Value: mac; Default: empty
    Specifies the MAC address of the external host, i.e., the rule will apply only to hosts that have the MAC addresses specified in this field
Source IP address
    Value: ip; Default: empty
    Specifies the IP address or range of IPs of the external host, i.e., the rule will apply only to hosts that have the IP addresses specified in this field
Source port
    Value: integer [0..65535] | range of integers [0..65534] – [1..65535]; Default: empty
    Specifies the port or range of ports that the external host will be using as its source, i.e., the rule will apply only to hosts that use the source ports specified in this field
External IP address
    Value: ip | ip/netmask | ANY; Default: ANY
    Specifies the external IP address or range of external IPs of the local host, i.e., the rule will apply only to the external IP addresses specified in this field
External port
    Value: integer [0..65535] | range of integers [0..65534] – [1..65535]; Default: empty
    Specifies the external port, i.e., the port to which the third party is connecting
Destination zone
    Value: gre: gre tunnel | hotspot: | l2tp: l2tp | pptp: pptp | vpn: openvpn | wan: ppp | lan: lan; Default: lan: lan
    Match forwarded traffic to the given destination zone only
Destination address
    Value: ip; Default: empty
    Match forwarded traffic to the given destination IP address or IP range only
Destination port
    Value: integer [0..65535] | range of integers [0..65534] – [1..65535]; Default: empty
    Match forwarded traffic to the given destination port or port range only
Action
    Value: Drop | Accept | Reject | Don’t track; Default: no
    Action to be taken on the packet if it matches the rule. You can also define additional options such as limiting packet volume and defining to which chain the rule belongs. Don’t track – connections with the specified parameters will not be monitored by the firewall, i.e., no other firewall rules will be applied to the specified configuration
Extra arguments
    Value: string; Default: empty
    Adds extra options (specified in this field) to the rule

Open Ports On Router #

Open Ports On Router rules can open certain ports and redirect hosts connecting to the router from specified zones to specified ports.

[Figure: Network firewall trafic rules open.PNG]

NAME
    Value: string; Default: empty
    The name of the rule. This is used for easier management purposes. The NAME field is auto-filled when port numbers are specified, unless the NAME was specified beforehand by the user
PROTOCOL
    Value: TCP+UDP | TCP | UDP | Other; Default: TCP+UDP
    Specifies to which protocols the rule should apply
EXTERNAL PORT
    Value: integer [0..65535] | range of integers [0..65534] – [1..65535]; Default: empty
    Specifies which port should be opened

New Forward Rule #

The New Forward Rule section lets you create custom zone forwarding rules.

[Figure: Network firewall trafic rules new.PNG]

Name
    Value: string; Default: empty
    Name of the rule, used purely for easier management purposes
Source
    Value: GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: LAN
    Match incoming traffic from the selected source zone only
Destination
    Value: GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: WAN
    Forward incoming traffic to the selected destination zone only

Source NAT #

Source NAT is a specific form of masquerading which allows fine-grained control over the source IP used for outgoing traffic, for example to map multiple WAN addresses to internal subnets.

[Figure: Network firewall trafic rules snat.PNG]

Name
    Value: string; Default: empty
    Name of the rule, used purely for easier management purposes
Protocol
    Value: TCP+UDP | TCP | UDP | Other...; Default: TCP+UDP
    Protocol of the packet that is being matched against traffic rules
Source
    Value: GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: LAN
    Match incoming traffic from the selected source zone only
Destination
    Value: GRE | HOTSPOT | L2TP | LAN | PPTP | VPN | WAN; Default: LAN
    Forward incoming traffic to the selected destination zone only
SNAT
    Value: ip and port [0..65535]; Default: empty
    SNAT (Source Network Address Translation) rewrites the packet’s source IP address and port
Enable
    Value: yes | no; Default: no
    Toggles the rule ON or OFF

Custom Rules #

The Custom Rules page provides ultimate freedom in defining your own rules: you can enter them straight into the iptables program. Just type a rule into the text field and it will get executed as a Linux shell script. If you are unsure of how to use iptables, we advise that you consult an expert or check the Internet for manuals, examples and explanations.

[Figure: Network firewall custom rules.PNG]

DDOS Prevention #

The DDOS Prevention page allows you to set up protections against various types of DDOS attacks. You will find information on all of these methods below.

SYN Flood Protection #

SYN Flood Protection allows you to protect yourself from attacks that exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDOS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network over-saturation.

[Figure: Network firewall ddos syn.PNG]

Enable SYN flood protection
    Value: yes | no; Default: yes
    Toggles the rule ON or OFF
SYN flood rate
    Value: integer; Default: 25
    Set the rate limit (packets per second) for SYN packets above which the traffic is considered flooded
SYN flood burst
    Value: integer; Default: 50
    Set the burst limit for SYN packets above which the traffic is considered flooded if it exceeds the allowed rate
TCP SYN cookies
    Value: yes | no; Default: no
    Enable the use of SYN cookies (particular choices of initial TCP sequence numbers by TCP servers)

Remote ICMP Requests #

Some attackers use ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. You can set up some custom restrictions to help protect your router from ICMP bursts.

[Figure: Network firewall ddos icmp.PNG]

Enable ICMP requests
    Value: yes | no; Default: yes
    Toggles the rule ON or OFF
Enable ICMP limit
    Value: yes | no; Default: no
    Toggles the ICMP echo-request limit for the selected period ON or OFF
Limit period
    Value: Second | Minute | Hour | Day; Default: Second
    Select the period over which the ICMP echo-request limit applies
Limit
    Value: integer; Default: 10
    Maximum number of ICMP echo requests during the period
Limit burst
    Value: integer; Default: 5
    Indicates the maximum burst before the above limit kicks in

SSH Attack Prevention #

SSH allows a user to run commands on a machine’s command line without being physically present at the machine. This section prevents SSH attacks by limiting the number of connections in a defined period.

[Figure: Network firewall ddos ssh.PNG]

Enable SSH limit
    Value: yes | no; Default: yes
    Toggles the rule ON or OFF
Limit period
    Value: Second | Minute | Hour | Day; Default: Second
    The period in which SSH connections are to be limited
Limit
    Value: integer; Default: 10
    Maximum SSH connections during the set period
Limit burst
    Value: integer; Default: 5
    Indicates the maximum burst before the above limit kicks in

HTTP Attack Prevention #

An HTTP attack sends a complete, legitimate HTTP header, which includes a ‘Content-Length’ field to specify the size of the message body to follow. However, the attacker then proceeds to send the actual message body at an extremely slow rate (e.g., 1 byte per 100 seconds). Because the header is correct and complete, the target server will attempt to honour the ‘Content-Length’ field and wait for the entire body of the message to be transmitted, which ties up its resources.

[Figure: Network firewall ddos hhtp.PNG]

Enable HTTP limit
    Value: yes | no; Default: yes
    Toggles the rule ON or OFF
Limit period
    Value: Second | Minute | Hour | Day; Default: Second
    The period in which HTTP connections are to be limited
Limit
    Value: integer; Default: 10
    Maximum HTTP connections during the set period
Limit burst
    Value: integer; Default: 10
    Indicates the maximum burst before the above limit kicks in

HTTPS Attack Prevention #

This section allows you to enable protection against HTTPS attacks, also known as man-in-the-middle attacks (MITM).

In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the perpetrator secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

[Figure: Network firewall ddos hhtps.PNG]

Enable HTTPS limit
    Value: yes | no; Default: yes
    Toggles the rule ON or OFF
Limit period
    Value: Second | Minute | Hour | Day; Default: Second
    The period in which HTTPS connections are to be limited
Limit
    Value: integer; Default: 10
    Maximum HTTPS connections during the set period
Limit burst
    Value: integer; Default: 10
    Indicates the maximum burst before the above limit kicks in
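The SYN flood, ICMP, SSH, HTTP and HTTPS limits above all combine a limit per period with a burst. The Python below, an added example rather than RutOS code, models those two parameters with token-bucket semantics of the kind the iptables "limit" match uses (that this is what RutOS generates underneath is an assumption): a bucket holds at most "Limit burst" tokens, refills at the configured rate, and a packet passes only if it finds a token. Time is kept in integer milliseconds and tokens as exact fractions so the counts are reproducible; the arrival sequences are constructed.

```python
"""Token-bucket model of the rate/burst limits on this page (added example)."""
from dataclasses import dataclass, field
from fractions import Fraction

# Seconds per "Limit period" choice in the UI.
PERIOD_SECONDS = {"Second": 1, "Minute": 60, "Hour": 3600, "Day": 86400}


@dataclass
class TokenBucket:
    rate: Fraction                   # tokens (packets) added per second
    burst: int                       # bucket capacity = "Limit burst" / "SYN flood burst"
    tokens: Fraction = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.rate = Fraction(self.rate)
        self.tokens = Fraction(self.burst)   # a fresh bucket is full

    @classmethod
    def from_ui(cls, limit: int, period: str, burst: int) -> "TokenBucket":
        """Build a bucket from the Limit, Limit period and Limit burst fields."""
        return cls(rate=Fraction(limit, PERIOD_SECONDS[period]), burst=burst)

    def allow(self, now_ms: int) -> bool:
        """Account for one packet seen at time now_ms; True if it may pass."""
        elapsed_ms = max(0, now_ms - self.last_ms)
        refill = self.rate * elapsed_ms / 1000
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(bucket: TokenBucket, arrivals_ms: list) -> dict:
    """Feed a packet arrival sequence through the bucket and count the outcome."""
    passed = sum(1 for t in arrivals_ms if bucket.allow(t))
    return {"passed": passed, "dropped": len(arrivals_ms) - passed}


def syn_flood_demo() -> dict:
    # Page defaults for SYN flood protection: rate 25 packets/s, burst 50.
    bucket = TokenBucket(rate=Fraction(25), burst=50)
    instant = [0] * 200                              # 200 SYNs in the same instant
    sustained = [1000 + 10 * i for i in range(100)]  # 100 SYNs at 100/s, one second later
    return {
        "instant": simulate(bucket, instant),        # burst lets exactly 50 through
        "sustained": simulate(bucket, sustained),    # refill (25 + 24.75) lets 49 through
    }


if __name__ == "__main__":
    print(syn_flood_demo())
    print("SSH limit 10/Minute =", TokenBucket.from_ui(10, "Minute", 5).rate, "per second")
```

The first burst shows why "Limit burst" matters: a full bucket admits that many packets at once regardless of rate. The sustained run shows the rate taking over once the bucket is empty, and the same class applies unchanged to the ICMP, SSH, HTTP and HTTPS tables via from_ui.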

Port Scan Prevention #

Port scan attacks scan which of the targeted host’s ports are open. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process it and send a response back. Malicious clients can sometimes exploit vulnerabilities in the server code so they gain access to sensitive data or execute malicious code on the machine remotely.

Port Scan #

Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. The Port Scan section provides you with the possibility to enable protection against port scanning software.

[Figure: Network firewall port scan.PNG]

Enable
    Value: yes | no; Default: yes
    Toggles the function ON or OFF
Interval
    Value: integer [10..60]; Default: 30
    Time interval in seconds in which port scans are counted
Scan count
    Value: integer [5..65534]; Default: 10
    How many port scans are tolerated before the source is blocked

Defending Type #

The Defending Type section provides the possibility for the user to enable protection against certain types of online attacks. These include SYN-FIN, SYN-RST, X-Mas, FIN scan and NULLflags attacks.

[Figure: Network firewall port scan def.PNG]

SYN-FIN attack
    Value: yes | no; Default: no
    Toggles protection from SYN-FIN attacks ON or OFF
SYN-RST attack
    Value: yes | no; Default: no
    Toggles protection from SYN-RST attacks ON or OFF
X-Mas attack
    Value: yes | no; Default: no
    Toggles protection from X-Mas attacks ON or OFF
FIN scan
    Value: yes | no; Default: no
    Toggles protection from FIN scan attacks ON or OFF
NULLflags attack
    Value: yes | no; Default: no
    Toggles protection from NULLflags attacks ON or OFF

Helpers #

The NAT Helpers section provides the option to add firewall exceptions for some VoIP protocols, namely SIP and H.323. In other words, these functions provide a pass-through for VoIP communications between the router’s LAN and WAN.

Technical explanation:

FTP, SIP and H.323 are harder for firewalls to filter because they violate layering by carrying OSI layer 3/4 parameters (addresses and ports) inside OSI layer 7 payloads. NAT helpers are modules that assist the firewall in tracking these protocols. They create so-called expectations that can be used to open the necessary ports for RELATED connections. The FTP, GRE and PPTP helpers, for example, are enabled by default.

[Figure: Network firewall helpers.png]

H323
    Value: yes | no; Default: no
    Toggles H323 filtering ON or OFF
SIP
    Value: yes | no; Default: no
    Toggles SIP filtering ON or OFF
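The "expectation" mechanism in the technical explanation is easiest to see with FTP, the helper the page says is on by default. The Python below is an added model, not netfilter or RutOS code: a helper inspects the client's control channel, extracts the address and port embedded in the PORT command (the layer-3/4 parameters hiding in layer 7), registers an expectation, and the matching inbound data connection is then classified RELATED and allowed while any other unsolicited connection stays NEW. The session lines, addresses and the simplified forward policy are constructed.

```python
"""Model of a conntrack helper creating an expectation for FTP (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" tells the server where to connect back.
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")


@dataclass(frozen=True)
class Expectation:
    dst_ip: str            # address the server will connect to
    dst_port: int
    src_ip: str            # the only peer allowed to open it
    src_port: int = 20     # active-mode data connections originate from port 20


@dataclass
class ConntrackTable:
    expectations: set = field(default_factory=set)

    def ftp_helper(self, client_ip: str, server_ip: str, line: str) -> Optional[Expectation]:
        """Inspect one client->server control line; register an expectation for PORT."""
        m = PORT_CMD.match(line)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        ip = f"{h1}.{h2}.{h3}.{h4}"
        if ip != client_ip:
            return None    # sanity check: never open a port for a third party
        exp = Expectation(dst_ip=ip, dst_port=p1 * 256 + p2, src_ip=server_ip)
        self.expectations.add(exp)
        return exp

    def classify(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        """Classify an inbound connection as RELATED (expected) or NEW (unsolicited)."""
        probe = Expectation(dst_ip=dst_ip, dst_port=dst_port, src_ip=src_ip, src_port=src_port)
        if probe in self.expectations:
            self.expectations.discard(probe)   # an expectation is consumed once used
            return "RELATED"
        return "NEW"


def forward_verdict(state: str) -> str:
    """Simplified forward policy: RELATED traffic passes, new inbound traffic does not."""
    return "Accept" if state == "RELATED" else "Reject"


def demo(helper_enabled: bool = True) -> dict:
    ct = ConntrackTable()
    client, server = "192.168.1.50", "198.51.100.21"
    # Constructed control-channel lines from the LAN client; the third line names
    # an address that is not the client and must be ignored by the helper.
    control = ["USER anonymous\r", "PORT 192,168,1,50,195,80\r", "PORT 10,0,0,9,4,1\r"]
    created = [ct.ftp_helper(client, server, ln) for ln in control] if helper_enabled else []
    data_conn = ct.classify(server, 20, client, 195 * 256 + 80)   # the announced data port
    stray_conn = ct.classify(server, 20, client, 50001)           # anything else
    return {
        "expectations_created": sum(e is not None for e in created),
        "data_connection": forward_verdict(data_conn),
        "stray_connection": forward_verdict(stray_conn),
    }


if __name__ == "__main__":
    print("helper on :", demo(True))
    print("helper off:", demo(False))
```

With the helper on, only the data connection the client announced is admitted as RELATED; with it off, the same connection is indistinguishable from any other unsolicited inbound attempt and meets the default forward policy. The same idea is what the SIP and H.323 toggles apply to their own protocols' media streams.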
