Public Files

 

Public Docs

 

^ -- Up

 

DG834g Router Commands

Advanced configuration

This guide will show your how to edit DG834g and similar routers to enable it to block adverts and to do port translation using iptables.

 

You will need ssh access to your router. To do this you may need to first flash a custom firmware image onto your router. For this guide, I am using DGTeam Rev. 0849 firmware on a Sky Broadband branded DG834g.

Block ads with custom hosts file

To block adverts from the local network, we will download a custom host file onto the router. After logging into the router we need to cd to a writeable directory, then download the file:

 

  • ssh [email protected]
  • cd /etc
  • wget -O hosts http://winhelp2002.mvps.org/hosts.txt
  •  

    Now we need to kill and restart dnrd so it flushes the dns cache and uses the downloaded host file:

     

  • ps aux | grep dnrd (get the dnrd pid)
  • kill -9 (dnrd pid from above)
  • dnrd -a 192.168.0.1 -m hosts -c off --timeout=0 -b -s 208.67.222.222 -s 208.67.222.220
  •  

    Now your will need to flush the dns cache on your computers (or simply restart them):

     

  • linux: /etc/init.d/nscd restart
  • linux alt: sudo /etc/init.d/dnsmasq restart
  • ubuntu: sudo /etc/init.d/dns-clean restart
  • ubuntu alt: sudo /etc/init.d/networking force-reload
  • windows: ipconfig /flushdns
  •  

    Adverts will now be blocked for every device on the local network

    Port Translation

    To help stop script-kiddies and bots trying to bruteforce my ssh server, I want to map a high number port, ie 23932 on my router to port 22 of my ssh server. This blocks the majority of dumb bots from trying to bruteforce the root account (which is disabled anyway. duh!)

     

  • iptables -A FORWARD -p tcp -d 192.168.0.50 --dport 22 -j ACCEPT
  • iptables -t nat -A PREROUTING -p tcp --dport 23932 -j DNAT --to 192.168.0.50:22
  •  

    For this example, the ssh server is 192.168.0.50 on the default port (22). To make your ssh server more secure, use key-pairs instead of login passwords, or/and google authenticator for 2-stage login. This will make bruteforce attacks useless.

     

    Unfortunately these changes are NOT persistent, so you will need to redo this every time the router is rebooted.