[OpenWrt-Users] configuring firewall

Andy Boyett agb at openwrt.org
Mon Apr 7 12:16:59 CEST 2008


Daniel Dalton wrote:
> Anyway here is what I want to do.
> Before I list what I want I have two questions:
> 1. What script should I place all my iptables calls in?
/etc/firewall.user

> I want them to be restored if the router reboots or if there is a power 
> drop out...
Done automatically

> 2. How can I then test these rules all work?
> Just with an nmap?
nmap or any other tool used from an external machine; the default firewall rule set looks at the interface, not the destination IP, so testing from behind the router will not produce valid data.

> Ok so this is what I want:
> - Only allow people from behind my network to send out packets and then 
> receive packets in a connection started by someone behind the router.
> Do not allow anyone from the outside world just to send stuff straight 
> in. They should be dropped...
> Although it's ok to receive packets from the outside world if they are 
> coming from a connection started by one of my users...
Netfilter's conntrack functionality is used to achieve this.

> - Block people from the outside world sshing into my router, only allow 
> one local ip address to ssh in, how can I do this?
All external (WAN) ports are closed by default, SSH has to be explicitly opened on the WAN side.

> - Allow pings (I think I have code for that...)
Already allowed.

> - forward port 22 to a certain computer on my network (will I still be 
> able to ssh into the router locally if I do this?)
Forwarding will not prevent you from connecting to the router's LAN IP via ssh, as the port forward only applies to packets received via the WAN interface.
There is a commented set of rules that gives the basic setup, but the following will do it:
# in /etc/firewall.user: rewrite the destination of ssh connections arriving on the WAN to the internal host
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DNAT --to 192.168.1.2
# and let the rewritten packets through the forwarding chain to that host
iptables        -A forwarding_wan -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT

If you want to understand more about the default rule set, the majority lies in /etc/init.d/firewall itself.

-Andy
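Added example (not code from this thread or from OpenWrt): a small checker for the "test from an external machine with nmap" advice above. It parses the XML that `nmap -oX` writes and compares what is reachable on the WAN address against the intended exposure, which here is only the forwarded tcp/22. The WAN address 203.0.113.5, the scan output and the policy are constructed for the example. It also separates ports nmap reports as "closed" (a TCP RST came back, so the router answered rather than silently dropping) from "filtered" (no answer), which is the distinction the poster cares about when asking for packets to be dropped.

```python
"""Check an nmap XML scan of the router's WAN address against the intended
exposure policy.  Added example for this thread, not OpenWrt code.

Assumptions (not from the thread): the WAN address 203.0.113.5 and the
sample scan below are constructed; the only service meant to be reachable
from the WAN is tcp/22, which the DNAT rule hands to 192.168.1.2.
"""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX - -p 1-1024 203.0.113.5` run from an
# external host (not a real scan; trimmed to the elements that matter).
SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - -p 1-1024 203.0.113.5">
<host>
<status state="up" reason="echo-reply"/>
<address addr="203.0.113.5" addrtype="ipv4"/>
<ports>
<extraports state="filtered" count="1021"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
</ports>
</host>
</nmaprun>
"""

# Policy: ports that are supposed to answer on the WAN side.  Here only the
# forwarded ssh port; the router itself should expose nothing.
ALLOWED_OPEN = {("tcp", 22)}


def parse_scan(xml_text):
    """Return {(proto, port): state} for every port nmap listed explicitly.

    Ports folded into <extraports> (here: the filtered ones) are not
    enumerated by nmap, so they do not appear in the result.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for port in root.iter("port"):
        proto = port.get("protocol")
        number = int(port.get("portid"))
        state = port.find("state").get("state")
        result[(proto, number)] = state
    return result


def check_exposure(ports, allowed=ALLOWED_OPEN):
    """Compare scan results with the policy.

    Returns a dict with three sorted lists:
      unexpected_open - open ports not in the policy (a hole in the rule set)
      missing_open    - policy ports that were not open (the forward is broken)
      answered_closed - ports reported 'closed': nmap received a TCP RST, so
                        the router answered (a REJECT) instead of silently
                        dropping the packet as the poster asked for
    """
    open_ports = {k for k, v in ports.items() if v == "open"}
    closed_ports = sorted(k for k, v in ports.items() if v == "closed")
    return {
        "unexpected_open": sorted(open_ports - allowed),
        "missing_open": sorted(allowed - open_ports),
        "answered_closed": closed_ports,
    }


def scan_is_clean(report):
    """True only when nothing unexpected is reachable and the forward works."""
    return not report["unexpected_open"] and not report["missing_open"]


if __name__ == "__main__":
    report = check_exposure(parse_scan(SAMPLE_SCAN))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("policy satisfied" if scan_is_clean(report) else "policy VIOLATED")
```

Run the real scan as `nmap -oX scan.xml -p 1-65535 <wan-address>` from a host outside the router and feed the file to `parse_scan`; as the reply above notes, a scan from the LAN side exercises different chains and says nothing about what the WAN exposes.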

