Iptables 1.4.11.1/1.4.21/1.6.2/1.8.10 (binary only)

Current state (largely broken)

On the 7390 and later, and also on the 7270 with firmware releases from recent years, iptables does not work with ‘connection tracking’ and ‘state matching’. Without these two options many configuration scenarios are not possible. If you are looking for an iptables/ip6tables solution that does not use connection tracking or state matching, you can try adding iptables from the Freetz menu configuration (make menuconfig), but read on for additional information.

As I understand it, connection tracking and state matching fail for two reasons. First, AVM has its own connection tracking solution, which uses the same symbol names and so conflicts with the iptables modules. Second, Packet Acceleration (PA) causes packets to be handled not by the kernel but by the PA kernel module (Avm_pa.ko). Packet Acceleration is a feature that AVM introduced years ago (end of 2011).

One reason not to use an older firmware, e.g. for the 7270, is a significant vulnerability that was publicly misused around February 2014 (vulnerability info). AVM released firmware fixes for most boxes.

What is iptables and who needs it?

iptables is a command line user interface for managing and configuring the built-in Linux kernel netfilter firewall.

It targets users who want to achieve full control over their network traffic and efficiently protect their private networks from Internet hacker attacks and spyware.

Properly configured, the iptables / netfilter package on the FritzBox router protects all devices behind it from unwanted access. This filter can check, dump, forward, prioritize or manipulate network packets and implement a perimeter defense against DoS attacks, port scans and unwanted traffic. It can, for example, stop installed software from “calling home”. This package turns the FritzBox hardware into a feature-rich, powerful firewall solution, comparable to expensive professional business-grade devices.

The basic netfilter filter engine is built into the Linux kernel. This has implications for the different FritzBox types, since the 72xx boxes all have a more recent kernel than the 71xx variants, so some features of iptables are only available on the newer 7270.

What is the difference between AVM Firewall and iptables, can they co-exist on the same system?

Traffic targeting the FritzBox: DSL <--> AVM Firewall (NAT) <--> iptables Firewall <--> (FritzBox) <--> iptables Firewall <--> LAN / WLAN

Traffic between the Internet and LAN interfaces: DSL <--> AVM Firewall (NAT) <--> iptables Firewall <--> LAN / WLAN

DMZ or VPN tunnel traffic to LAN / WLAN: DMZ / Tunnel Interfaces <--> iptables Firewall <--> LAN / WLAN

How to build iptables for Freetz?

Configuration: After successful firmware build and upload

Here is an example script that loads the modules needed for the rules described in this wiki:

# the most common modules needed:
modprobe ip_tables
modprobe iptable_filter
modprobe x_tables
modprobe xt_tcpudp

# Alternative LOG and REJECT targets:
modprobe ipt_LOG
modprobe ipt_REJECT

# if one wants to use ip ranges in the rules:
modprobe ipt_iprange

# same for port ranges:
modprobe xt_multiport

# for stateful firewall rules (conntrack):
modprobe xt_state
modprobe xt_conntrack
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_tftp

# # # FIREWALL RULES

iptables -N TRANS
# Outbound for surfing the Internet:
# 20 FTP data, 21 FTP, 22 SSH, 25 SMTP, 80 HTTP, 110 POP3, 443 HTTPS, 465 SSMTP, 995 POP3S, 5060 VoIP
# 53 DNS, 67/68 DHCP, 80 HTTP, 123 NTP, 5060 VoIP
iptables -A TRANS -p tcp  -s 192.168.0.0/24 -m multiport --dport 20,21,22,25,80,110,443,465,995,5060 -j ACCEPT
iptables -A TRANS -p udp  -s 192.168.0.0/24 -m multiport --dport 53,67,68,80,123,5060 -j ACCEPT
iptables -A TRANS -p icmp -s 192.168.0.0/24 -j ACCEPT

# conntrack rules for returning data packets:
iptables -A TRANS -m state --state RELATED,ESTABLISHED -j ACCEPT

# ... Some rules for known hosts
# ...

iptables -A TRANS -j LOG --log-prefix "[IPT] DENY-LAN-ACCESS "          # log all dropped packets
iptables -A TRANS -j DROP                                               # PARANOIA LINK

# # # Rules for Fritz Device

iptables -A INPUT -p udp -s 0.0.0.0 -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT #DHCP
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT                 # LOCALHOST
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT                         # LAN
iptables -A INPUT -s 169.254.0.0/16 -i lan -j ACCEPT                  # EMERGENCY LAN
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 5060 -j ACCEPT                       # VoIP
iptables -A INPUT -p udp --dport 5060 -j ACCEPT                       # VoIP
iptables -A INPUT -j LOG --log-prefix "[IPT] DENY-FRITZ-ACCESS "      # Log other traffic
iptables -A INPUT -j DROP                                             # PARANOIA IN
iptables -P INPUT DROP                                                # Default policy DROP

iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT                        # Allow LAN
iptables -A OUTPUT -d 224.0.0.1/24 -j ACCEPT                          # UPnP
iptables -A OUTPUT -d 239.255.255.250 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT                             # Local Host
iptables -A OUTPUT -p udp -m multiport --dport 53,123,5060 -j ACCEPT  # DNS, TIME, VoIP
iptables -A OUTPUT -p tcp --dport 5060 -j ACCEPT                      # VoIP
iptables -A OUTPUT -p tcp --dport 80 -d 63.208.196.0/24 -j ACCEPT     # DynDNS
iptables -A OUTPUT -d myMailServer.com -j ACCEPT                      # e-Mail OUT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT     # stateful conntrack
iptables -A OUTPUT -d 212.42.244.73 -p tcp --dport 80 -j ACCEPT       # Plugins Server AVM

# iptables -A OUTPUT -d www.dasoertliche.de    -p tcp --dport 80 -j ACCEPT # Phone book reverse look-up targets
# iptables -A OUTPUT -d www.dastelefonbuch.de  -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -d www.goyellow.de        -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -d www.11880.com          -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -d www.google.de          -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -d www.das-telefonbuch.at -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -d www.search.ch          -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -d www.anywho.com         -p tcp --dport 80 -j ACCEPT

iptables -A OUTPUT -j LOG --log-prefix "[IPT] WARNING-CALL-HOME "      # Log forbidden outbound traffic
iptables -P OUTPUT DROP                                                # and DROP it.

# # # Rules for FORWARD

iptables -P FORWARD DROP
iptables -A FORWARD -j TRANS                                           # LAN - WAN traffic rules
iptables -A FORWARD -j LOG --log-prefix "[IPT] DENY-FWD-ACCESS "
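
Added example (not from the original page or from Freetz): a shell/awk summary of the kernel LOG lines that the "[IPT] ..." rules above produce, grouped by prefix, protocol and endpoints, so repeated call-home attempts or probes stand out. The function names and the sample log lines are constructed for illustration; the addresses are documentation ranges and the box's WAN address is assumed to be 198.51.100.20.

```shell
# Added example: summarize netfilter LOG lines produced by the "[IPT] ..." rules.
# sample_log and ipt_summary are hypothetical names; the log lines are constructed.

sample_log() {
cat <<'EOF'
Jan  1 12:00:01 fritz kernel: [IPT] WARNING-CALL-HOME IN= OUT=dsl SRC=198.51.100.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40112 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 12:00:04 fritz kernel: [IPT] WARNING-CALL-HOME IN= OUT=dsl SRC=198.51.100.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=40112 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 12:01:10 fritz kernel: [IPT] DENY-FRITZ-ACCESS IN=dsl OUT= MAC= SRC=203.0.113.99 DST=198.51.100.20 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=55001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 12:01:30 fritz kernel: [IPT] DENY-FRITZ-ACCESS IN=dsl OUT= MAC= SRC=203.0.113.99 DST=198.51.100.20 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jan  1 12:02:00 fritz kernel: [IPT] DENY-LAN-ACCESS IN=lan OUT=dsl SRC=192.168.0.23 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=49152 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 12:02:05 fritz dnsmasq[312]: query from 192.168.0.23
EOF
}

# Read syslog/dmesg text on stdin; print "COUNT TAG PROTO SRC -> DST:DPT",
# most frequent first. Lines without the "[IPT] " prefix are ignored.
ipt_summary() {
  awk '
    {
      p = index($0, "[IPT] ")
      if (p == 0) next
      n = split(substr($0, p + 6), f, " ")
      src = "-"; dst = "-"; proto = "-"; dpt = "-"   # ICMP has no DPT field
      for (i = 2; i <= n; i++) {
        if (f[i] ~ /^\[/) break   # embedded header of an ICMP error: not this packet
        if      (f[i] ~ /^SRC=/)   src   = substr(f[i], 5)
        else if (f[i] ~ /^DST=/)   dst   = substr(f[i], 5)
        else if (f[i] ~ /^PROTO=/) proto = substr(f[i], 7)
        else if (f[i] ~ /^DPT=/)   dpt   = substr(f[i], 5)
      }
      count[f[1] " " proto " " src " -> " dst ":" dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | ipt_summary
```

On a box, feed the function the syslog or `dmesg` output instead of `sample_log`.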

Hints regarding FritzBox 7270:

While implementing the DECT base station functions, AVM customized printk, which is responsible for handling kernel log messages, so these messages no longer reach the syslog. The following command temporarily turns off the AVM printk (which makes DECT unavailable) to get a real syslog / klog of system messages.

echo STD_PRINTK > /dev/debug

To revert to the AVM printk and re-enable DECT, type:

echo AVM_PRINTK > /dev/debug

The log then appears on console 0 again and is no longer in the syslog.

You can also try a patch from Ticket #254, but first read the comments carefully.

What is the difference between the INPUT, OUTPUT and FORWARD chains?

Hints regarding the example code

Isolate guest network from LAN

These rules prevent access from the guest network to the local area network, including the box itself:

iptables -A INPUT -d 192.168.178.0/24 -i guest -j DROP
iptables -A FORWARD -i guest -o dsl -j ACCEPT
iptables -A FORWARD -i guest -j DROP
iptables -A OUTPUT -s 192.168.178.0/24 -o guest -j DROP

The guest network can then only use the Internet. This assumes the default subnet (192.168.178.0/24).

Questions