[OpenWrt-Users] configuring firewall
Daniel Dalton
d.dalton at iinet.net.au
Tue Apr 8 09:34:23 CEST 2008
On Mon, 7 Apr 2008, Andy Boyett wrote:
>> 2. How can I then test these rules all work?
>> Just with an nmap?
> nmap or any other tool used from an external machine; the default firewall rule set looks at the interface, not the destination IP, so testing from behind the router will not produce valid data.
OK. My IP address isn't pingable at the minute, so I'll need to call my
ISP...
>
>> Ok so this is what I want:
>> - Only allow people from behind my network to send out packets and then
>> receive packets in a connection started by someone behind the router.
>> Do not allow anyone from the outside world just to send stuff straight
>> in. They should be dropped...
>> Although it's OK to receive packets from the outside world if they are
>> coming from a connection started by one of my users...
> Netfilter's conntrack functionality is used to achieve this.
How do I use that?
Here are the rules I have on my linux box to do this with iptables.
Will this work with openwrt?
/sbin/fw-close.sh:
#!/bin/sh
#
# fw-close.sh
#
# Script that closes the firewall ( drops all packets )
#
# set default policy to DROP on input, forward, output chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# flush any existing rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
/sbin/fw-start.sh:
#!/bin/sh
#
# fw-start.sh
#
# Script that starts the firewall ( custom rules )
#
# First, call /sbin/fw-close.sh to drop all packets and
# flush all rules from input, forward, output chains
/sbin/fw-close.sh
# Next, change default output chain policy to ACCEPT
iptables -P OUTPUT ACCEPT
# Next, allow localhost to communicate with local apps
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Next, allow outgoing packets for new connections from this
# box to the outside world, and any related packets from the
# outside world into this box
iptables -A OUTPUT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow pings since they are a good debugging tool...
iptables -A INPUT -p icmp -j ACCEPT
OK, and then I have fw-open.sh, but that opens everything when I stuff
something up and isn't important at the minute.
So will these rules work if I run them in my openwrt router?
They are in /sbin obviously, but if I place them on the router and call
fw-start.sh will this achieve what I want?
Or will this just block everyone out of the router including internet
access, web gui access and ssh access?
Or are there some extra rules I could add to do what I want?
Or what is required with netfilter...?
>
>> - Block people from the outside world sshing into my router, only allow
>> one local ip address to ssh in, how can I do this?
> All external (WAN) ports are closed by default, SSH has to be explicitly opened on the WAN side.
Oh cool. So even if I forward port 22 to my computer I'm still safe?
> There is a commented set of rules that gives the basic setup, but the following will do it:
> iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DNAT --to 192.168.1.2
> iptables -A forwarding_wan -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
Good. Where are the comments? In /etc/firewall.user or whatever?
>
> If you want to understand more about the default rule set, the majority lies in /etc/init.d/firewall itself.
>
I shall look...
Thanks for your help, I really appreciate it.
If you could help me out with my other questions I would also greatly
appreciate it.
Thanks,
--
Daniel Dalton
http://members.iinet.net.au/~ddalton/
<d.dalton at iinet.net.au>
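An added example, not code from this thread or from OpenWrt's own /etc/init.d/firewall, of what the conntrack-based policy asked about above looks like once it is written for a router rather than for a single host. The fw-start.sh quoted in the message only populates INPUT and OUTPUT; with FORWARD left at its DROP policy and no FORWARD rules, nothing routed between the LAN and the WAN would pass, so LAN clients would lose internet access. The version below adds the FORWARD rules and the NAT rule that routed traffic needs, accepts only replies and ICMP on the WAN side, and accepts ssh to the router from one LAN host only. The interface names eth0.1 (WAN) and br-lan (LAN), the admin host 192.168.1.2 and the IPT variable are assumptions for illustration; setting IPT to "echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# fw-router.sh: stateful firewall for a router, not a single host.
# Added example; interface names, the admin host and the IPT variable
# are assumptions, not settings taken from the thread or from OpenWrt.
WAN="${WAN:-eth0.1}"                      # WAN interface (assumed)
LAN="${LAN:-br-lan}"                      # LAN bridge (assumed)
ADMIN_HOST="${ADMIN_HOST:-192.168.1.2}"   # only LAN host allowed to ssh in
IPT="${IPT:-iptables}"                    # "echo iptables" for a dry run

# Drop everything, then clear existing rules and user chains in both
# the filter and nat tables (this also removes OpenWrt's stock chains).
fw_close() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
}

fw_router() {
    fw_close
    # The router itself may talk to anyone and to its own local services.
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections opened by the router or by LAN hosts, in
    # both the INPUT and the FORWARD chain. Without the FORWARD rule
    # nothing routed through the box would ever come back.
    $IPT -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # ssh to the router: one LAN host only. Packets arriving on the WAN
    # match nothing here and fall through to the INPUT DROP policy.
    $IPT -A INPUT -i "$LAN" -s "$ADMIN_HOST" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -j DROP
    # Other new connections from the LAN to the router (web GUI, DNS,
    # DHCP) and through it to the WAN.
    $IPT -A INPUT   -i "$LAN" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    # ICMP from anywhere, kept as a debugging aid.
    $IPT -A INPUT -p icmp -j ACCEPT
    # LAN clients use private addresses, so NAT them on the way out.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Apply only when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    fw_router
fi
```

Run it as `IPT="echo iptables" sh fw-router.sh apply` first and read the rules before running it for real. Two caveats when applying it on a live router: fw_close wipes the chains that /etc/init.d/firewall created, so rerunning that init script is the way back to the stock rule set, and if the ssh session you run it from is not coming from ADMIN_HOST it will be cut off, since only that address is accepted on port 22.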