AT&T Uverse iptables rules on Motorola NVG510

The following is the output of iptables-save on the NVG510 modem shipped to me by AT&T for my Uverse uplink. These are the base rules, after having disabled any other firewall settings through the GUI.

I haven't really analyzed it in detail yet, but intend to at some point. It seems to be a bit overcomplicated for a home modem, IMHO, and I'm surprised to see the 12. addresses, which are AT&T addresses. Also note that every rule involving AT&T's addresses makes use of 0x2e as DSCP for Expedited Forwarding.

Why? Is that vital to keep the service up and needed? I'm not familiar enough with what a DSL modem needs to do to stay online and, as said, haven't analyzed the rules in detail. Anyway, here they are:

# iptables-save 
# Generated by iptables-save v1.4.0 on Sat Nov  9 18:12:41 2013
*nat
:PREROUTING ACCEPT [613:44800]
:POSTROUTING ACCEPT [178:12131]
:OUTPUT ACCEPT [371:25231]
:CAPTIVEPORTAL - [0:0]
-A POSTROUTING -o br2 -j SNAT --to-source MY_WAN_ADDRESS
COMMIT
# Completed on Sat Nov  9 18:12:41 2013
# Generated by iptables-save v1.4.0 on Sat Nov  9 18:12:41 2013
*mangle
:PREROUTING ACCEPT [10579:1377126]
:INPUT ACCEPT [2223:186318]
:FORWARD ACCEPT [8339:1186065]
:OUTPUT ACCEPT [1847:350508]
:POSTROUTING ACCEPT [10168:1534128]
:ADDR_BLOCK_IP - [0:0]
:ADDR_BLOCK_MAC - [0:0]
:ETHPPROTO - [0:0]
:FLOODLIMIT - [0:0]
:FORWARD_PKTFS - [0:0]
:LOGDROP - [0:0]
:POSTROUTING_PKTFS - [0:0]
:TCPFLAGS - [0:0]
:fsm_o_2 - [0:0]
:fsm_o_2_1 - [0:0]
:fsm_o_2_2 - [0:0]
-A PREROUTING -i br2 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j FLOODLIMIT
-A PREROUTING -i br2 -p udp -m state --state NEW -j FLOODLIMIT
-A PREROUTING -i br2 -p icmp -m state --state NEW -j FLOODLIMIT
-A FORWARD -j FORWARD_PKTFS
-A POSTROUTING -j POSTROUTING_PKTFS
-A LOGDROP -m limit --limit 1/min -j NFLOG --nflog-prefix "DROP MANGLE"
-A LOGDROP -j DROP
-A POSTROUTING_PKTFS -o br2 -j fsm_o_2
-A fsm_o_2 -j fsm_o_2_1
-A fsm_o_2 -j fsm_o_2_2
-A fsm_o_2_1 -d 0.0.0.0/1 -j RETURN
-A fsm_o_2_1 -d 10.0.0.0/8 -j RETURN
-A fsm_o_2_1 -d 128.0.0.0/2 -j RETURN
-A fsm_o_2_1 -d 192.0.0.0/3 -j RETURN
-A fsm_o_2_2 -m mark ! --mark 0x0 -j RETURN
-A fsm_o_2_2 -m iprange --dst-range 12.230.208.0-12.230.211.255 -m dscp --dscp 0x2e -j MARK --set-mark 0x2
-A fsm_o_2_2 -m iprange --dst-range 12.230.208.0-12.230.211.255 -m dscp --dscp 0x2e -j DSCP --set-dscp 0x2e
-A fsm_o_2_2 -m iprange --dst-range 12.230.208.0-12.230.211.255 -m dscp --dscp 0x2e -j CLASSIFY --set-class 0000:0006
-A fsm_o_2_2 -m iprange --dst-range 12.230.208.0-12.230.211.255 -m dscp --dscp 0x2e -j RETURN
-A fsm_o_2_2 -m iprange --dst-range 12.194.0.0-12.194.255.255 -m dscp --dscp 0x2e -j MARK --set-mark 0x2
-A fsm_o_2_2 -m iprange --dst-range 12.194.0.0-12.194.255.255 -m dscp --dscp 0x2e -j DSCP --set-dscp 0x2e
-A fsm_o_2_2 -m iprange --dst-range 12.194.0.0-12.194.255.255 -m dscp --dscp 0x2e -j CLASSIFY --set-class 0000:0006
-A fsm_o_2_2 -m iprange --dst-range 12.194.0.0-12.194.255.255 -m dscp --dscp 0x2e -j RETURN
-A fsm_o_2_2 -j MARK --set-mark 0x10
-A fsm_o_2_2 -j TOS --set-tos 0x00
-A fsm_o_2_2 -j CLASSIFY --set-class 0000:0000
COMMIT
# Completed on Sat Nov  9 18:12:41 2013
# Generated by iptables-save v1.4.0 on Sat Nov  9 18:12:41 2013
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [611:39866]
:OUTPUT ACCEPT [1849:352993]
:CAPTIVEPORTAL - [0:0]
:EST_REL - [0:0]
:FORWARD_ALLOW - [0:0]
:FORWARD_PKTFS - [0:0]
:INGRESS_LAN - [0:0]
:INGRESS_WAN - [0:0]
:LOGDROP - [0:0]
:LOGREJECT - [0:0]
:PINHOLES - [0:0]
:PORTSCAN - [0:0]
:SERVICE - [0:0]
:fsm_o_2 - [0:0]
:fsm_o_2_1 - [0:0]
:fsm_o_2_2 - [0:0]
-A INPUT -j EST_REL
-A INPUT -i lo -j ACCEPT
-A INPUT -d MY_LAN_ADDRESS/32 -i br1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d MY_WAN_ADDRESS/32 -i br2 -p icmp -m icmp --icmp-type 8 -j LOGDROP
-A INPUT -j SERVICE
-A INPUT -j LOGDROP
-A FORWARD -j FORWARD_PKTFS
-A FORWARD -j EST_REL
-A FORWARD -i br1 -p tcp -j INGRESS_LAN
-A FORWARD -i br1 -p udp -j INGRESS_LAN
-A FORWARD -i br2 -j INGRESS_WAN
-A EST_REL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A EST_REL -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j LOGDROP
-A FORWARD_ALLOW -i br2 -j CAPTIVEPORTAL
-A FORWARD_PKTFS -o br2 -j fsm_o_2
-A INGRESS_WAN -j FORWARD_ALLOW
-A INGRESS_WAN -j LOGDROP
-A LOGDROP -m limit --limit 1/min -j NFLOG --nflog-prefix "DROP FILTER"
-A LOGDROP -j DROP
-A PORTSCAN -m recent --rcheck --seconds 86400 --name portscan --rsource -j DROP
-A PORTSCAN -m recent --remove --name portscan --rsource
-A PORTSCAN -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j NFLOG --nflog-prefix "ALERT FILTER Portscan"
-A PORTSCAN -p tcp -m tcp --dport 139 -m recent --set --name portscan --rsource -j DROP
-A SERVICE -d MY_WAN_ADDRESS/32 -i br1 -p tcp -m tcp --dport 80 -j LOGDROP
-A SERVICE -d MY_WAN_ADDRESS/32 -i br1 -p tcp -m tcp --dport 0 -j LOGDROP
-A SERVICE -i br1 -j ACCEPT
-A SERVICE -i br2 -p tcp -m tcp --dport 7547 -j ACCEPT
-A fsm_o_2 -j fsm_o_2_1
-A fsm_o_2 -j fsm_o_2_2
-A fsm_o_2 -j RETURN
-A fsm_o_2_1 -p icmp -m icmp --icmp-type 5 -j LOGDROP
-A fsm_o_2_1 -p udp -m multiport --dports 68 -j LOGDROP
-A fsm_o_2_1 -d 0.0.0.0/8 -j LOGDROP
-A fsm_o_2_1 -d 127.0.0.0/8 -j LOGDROP
-A fsm_o_2_1 -d 169.254.0.0/16 -j LOGDROP
-A fsm_o_2_1 -d 172.16.0.0/12 -j LOGDROP
-A fsm_o_2_1 -d 192.168.0.0/16 -j LOGDROP
-A fsm_o_2_1 -d 198.18.0.0/15 -j LOGDROP
-A fsm_o_2_1 -d 0.0.0.0/1 -j RETURN
-A fsm_o_2_1 -d 10.0.0.0/8 -j RETURN
-A fsm_o_2_1 -d 128.0.0.0/2 -j RETURN
-A fsm_o_2_1 -d 192.0.0.0/3 -j RETURN
-A fsm_o_2_1 -j LOGDROP
-A fsm_o_2_2 -m mark ! --mark 0x0 -j RETURN
-A fsm_o_2_2 -m iprange --dst-range 12.230.208.0-12.230.211.255 -m dscp --dscp 0x2e -j RETURN
-A fsm_o_2_2 -m iprange --dst-range 12.194.0.0-12.194.255.255 -m dscp --dscp 0x2e -j RETURN
-A fsm_o_2_2 -j RETURN
COMMIT
# Completed on Sat Nov  9 18:12:41 2013
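
One way to start analyzing a dump like this is to ask which ACCEPT rules a new connection arriving on a given interface can reach from INPUT. The following is an added example, not part of the original post or of the modem's firmware; the function names are hypothetical and the input is an excerpt of the *filter table above with the placeholders kept as posted. The walk ignores rule order and non-interface matches, so it over-approximates what is reachable.

```python
import shlex

# Excerpt of the *filter table from the dump above (INPUT path only).
DUMP = """\
*filter
-A INPUT -j EST_REL
-A INPUT -i lo -j ACCEPT
-A INPUT -d MY_LAN_ADDRESS/32 -i br1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d MY_WAN_ADDRESS/32 -i br2 -p icmp -m icmp --icmp-type 8 -j LOGDROP
-A INPUT -j SERVICE
-A INPUT -j LOGDROP
-A EST_REL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A EST_REL -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j LOGDROP
-A LOGDROP -m limit --limit 1/min -j NFLOG --nflog-prefix "DROP FILTER"
-A LOGDROP -j DROP
-A SERVICE -d MY_WAN_ADDRESS/32 -i br1 -p tcp -m tcp --dport 80 -j LOGDROP
-A SERVICE -i br1 -j ACCEPT
-A SERVICE -i br2 -p tcp -m tcp --dport 7547 -j ACCEPT
"""

def parse_table(dump, table):
    """Return {chain: [token list per rule]} for one table of iptables-save output."""
    chains, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
        elif current == table and line.startswith("-A "):
            tok = shlex.split(line)          # keeps quoted NFLOG prefixes together
            chains.setdefault(tok[1], []).append(tok[2:])
    return chains

def opt(rule, flag):
    """Value following a flag such as -i or --dport, or None if absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None

def new_conn_accepts(chains, chain, iface, seen=()):
    """(proto, dport) of ACCEPT rules a new connection on iface can reach from chain."""
    hits = []
    for rule in chains.get(chain, []):
        state = opt(rule, "--state")
        if opt(rule, "-i") not in (None, iface) or (state and "NEW" not in state.split(",")):
            continue  # other interface, or only matches existing connections
        target = opt(rule, "-j")
        if target == "ACCEPT":
            hits.append((opt(rule, "-p"), opt(rule, "--dport")))
        elif target in chains and target not in seen:
            hits += new_conn_accepts(chains, target, iface, seen + (chain,))
    return hits

WAN_OPEN = new_conn_accepts(parse_table(DUMP, "filter"), "INPUT", "br2")
```

On the rules as posted, the only ACCEPT reachable by a new connection on br2 is tcp/7547, the IANA-registered port for CWMP (TR-069) remote management.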