OpenWrt Forum Archive

Topic: Kamikaze 7.09 default firewall open

The content of this topic has been archived on 25 Feb 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Problem solved... no problem at all... see next post. :)

I have just finished installing OpenWrt on my Asus500 router. I did an NMAP scan on the WAN port and discovered that all services are open to the public. I haven't made any changes to the default settings, besides installing webif and using webif to configure NTP and wireless network settings.

/etc/firewall.user looks like this

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# The following chains are for traffic directed at the IP of the
# WAN interface

iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
# iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables        -A forwarding_wan -d 192.168.1.2 -j ACCEPT

It appears that the idea is that one has to change the firewall.user script in order to open e.g. dropbear. But apparently it looks like it doesn't work.
I tried to add these lines:

iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DROP
iptables        -A input_wan      -p tcp --dport 22 -j DROP

But dropbear is still accessible from the internet. In another post concerning firewall trouble I saw that this might help to discover the firewall problems.

/etc# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
1281  171K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp option=!2 flags:SYN/SYN
1628  509K input_rule  all  --  any    any     anywhere             anywhere
1330  476K input_wan  all  --  eth0.1 any     anywhere             anywhere
1628  509K LAN_ACCEPT  all  --  any    any     anywhere             anywhere
    2   122 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere
    5   200 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
1323  475K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
  603 28780 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
16994   12M ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
  436 21433 forwarding_rule  all  --  any    any     anywhere             anywhere
    0     0 forwarding_wan  all  --  eth0.1 any     anywhere             anywhere
    0     0 ACCEPT     all  --  br-lan br-lan  anywhere             anywhere
  436 21433 ACCEPT     all  --  br-lan eth0.1  anywhere             anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
1389  426K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   22  4858 output_rule  all  --  any    any     anywhere             anywhere
   22  4858 ACCEPT     all  --  any    any     anywhere             anywhere
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain LAN_ACCEPT (1 references)
pkts bytes target     prot opt in     out     source               destination
1330  476K RETURN     all  --  eth0.1 any     anywhere             anywhere
  298 33189 ACCEPT     all  --  any    any     anywhere             anywhere

Chain forwarding_rule (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain input_wan (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:22

Chain output_rule (1 references)
pkts bytes target     prot opt in     out     source               destination

I am quite new to firewalls so I can't really pinpoint the problem myself. To me it appears to be an error in the default configuration, as I believe that all ports on WAN should be blocked by default. Any ideas on how to fix this? Otherwise the router works perfectly. :)

(Last edited by vulcano on 6 Apr 2008, 13:26)

I had a friend of mine do a port scan and then all the ports were closed. So apparently it does work. It's just not possible to port scan from the same network.
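The reason a scan from the LAN side shows everything open while a scan from the internet shows everything closed is visible in the INPUT chain listing above: traffic arriving on eth0.1 (WAN) is sent through input_wan and then returns from LAN_ACCEPT, so it ends up at the REJECT rules, whereas traffic arriving on br-lan skips input_wan and is accepted wholesale by LAN_ACCEPT. The following script is an added example, not code from the thread or from OpenWrt: it parses a trimmed, constructed copy of that `iptables -L -v` output and walks a packet through the chains, implementing only the matches the listing uses (protocol, input interface, conntrack state, TCP destination port; the `tcp option=!2 flags:SYN/SYN` rule is omitted). The packet representation and the function names are this example's own.

```python
"""Walk a packet through the INPUT chain of an `iptables -L -v` listing.

Added example (not from the OpenWrt thread): a small model of netfilter
rule matching and chain traversal, enough to show why a LAN-side scan and
a WAN-side scan of the same router give different answers.
"""
import re

# Constructed input: trimmed copy of the INPUT chain and its sub-chains as
# listed in the thread (counters kept, one obscure TCP-option rule dropped).
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
 1281  171K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 1628  509K input_rule  all  --  any    any     anywhere             anywhere
 1330  476K input_wan  all  --  eth0.1 any     anywhere             anywhere
 1628  509K LAN_ACCEPT  all  --  any    any     anywhere             anywhere
    2   122 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     gre  --  any    any     anywhere             anywhere
    5   200 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset
 1323  475K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain LAN_ACCEPT (1 references)
pkts bytes target     prot opt in     out     source               destination
 1330  476K RETURN     all  --  eth0.1 any     anywhere             anywhere
  298 33189 ACCEPT     all  --  any    any     anywhere             anywhere

Chain input_rule (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain input_wan (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:22
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_listing(text):
    """Return {chain_name: {"policy": str or None, "rules": [rule, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        if not line.strip() or line.startswith("pkts"):
            continue
        f = line.split()
        # columns: pkts bytes target prot opt in out source destination [match ...]
        current["rules"].append({"target": f[2], "prot": f[3], "in": f[5],
                                 "out": f[6], "extra": " ".join(f[9:])})
    return chains


def matches(rule, pkt):
    """Subset of netfilter matching: protocol, input interface, state, dport."""
    if rule["prot"] != "all" and rule["prot"] != pkt["proto"]:
        return False
    if rule["in"] != "any" and rule["in"] != pkt["in"]:
        return False
    m = re.search(r"state (\S+)", rule["extra"])
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    m = re.search(r"dpt:(\d+)", rule["extra"])
    if m and pkt.get("dport") != int(m.group(1)):
        return False
    return True


def walk(chains, pkt, chain="INPUT", trace=None):
    """Return (verdict, trace). Trace records every rule the packet hit."""
    trace = [] if trace is None else trace
    for rule in chains[chain]["rules"]:
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        trace.append(f"{chain}:{tgt}" + (f" ({rule['extra']})" if rule["extra"] else ""))
        if tgt in TERMINAL:
            return tgt, trace
        if tgt == "RETURN":           # back to the calling chain
            return None, trace
        verdict, trace = walk(chains, pkt, tgt, trace)   # user-defined chain
        if verdict is not None:
            return verdict, trace
    # Fell off the end: a built-in chain applies its policy, a user chain returns.
    policy = chains[chain]["policy"]
    if policy:
        trace.append(f"{chain}:policy {policy}")
    return policy, trace


def new_syn(iface, dport):
    """A new (unseen by conntrack) TCP connection attempt on port dport."""
    return {"in": iface, "proto": "tcp", "dport": dport, "state": "NEW"}


if __name__ == "__main__":
    chains = parse_listing(LISTING)
    for label, pkt in [("LAN scan of port 22", new_syn("br-lan", 22)),
                       ("WAN probe of port 22", new_syn("eth0.1", 22)),
                       ("WAN probe of port 80", new_syn("eth0.1", 80))]:
        verdict, trace = walk(chains, pkt)
        print(f"{label}: {verdict}  via  {' -> '.join(trace)}")
```

Running it shows the three cases side by side: the LAN-side SYN to port 22 goes INPUT:input_rule, INPUT:LAN_ACCEPT, LAN_ACCEPT:ACCEPT (the scanner sees the port open), the WAN-side SYN to port 22 is dropped by the rule the poster added in input_wan, and a WAN-side SYN to a port with no input_wan rule falls through LAN_ACCEPT's RETURN to the tcp-reset REJECT (the scanner sees it closed). The practical check this illustrates is the one the second post arrived at: a WAN firewall can only be validated from a host that reaches the router via eth0.1, not from the LAN bridge.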

The discussion might have continued from here.