Firewall rules


Rail Aliev

Apr 28, 2007, 1:34:05 AM
to neptune354-dev
Hi all.

I want to open the ssh port and connect to my router from outside, but as I can
see there is no rule for port 22 (or whatever dropbear listens on).

What is the "true way" to add custom iptables rules?

I tried to add a rule via /mnt/script.sh but somehow all the rules were
gone after reboot (all = all normal ones, even masquerading).

I tried to add a rule into rc/firewall.c (with a hardcoded port value
for testing) with the same success... :(

Any idea?

Rail Aliev

Apr 28, 2007, 3:36:56 AM
to neptune354-dev
More details on this issue.

Here are my changes to the router/rc/firewall.c file:
Index: firewall.c
===================================================================
--- firewall.c (revision 166)
+++ firewall.c (working copy)
@@ -2762,6 +2762,13 @@
if(!nvram_match("ipcp_netmask_enable","1"))
#endif
save2file("-A INPUT -i %s -p tcp -m tcp --dport 23 -j
DROP\n", wan_if_name[conn_no]);
+#if 0
+ /* Dropbear port */
+ if ( nvram_match( "dropbear_enable", "1" ) &&
nvram_invmatch( "dropbear_port", "" ) &&
+ nvram_invmatch( "dropbear_port", "0" ) )
+ save2file("-A INPUT -i %s -p tcp -m tcp
--dport %d -j ACCEPT\n",
+ wan_if_name[conn_no],
atoi( nvram_safe_get("dropbear_port") ) );
+#endif

/* ICMP request from WAN interface */
//targ = nvram_match("block_wan", "1") ? log_drop : log_accept ;
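Review bot: the whole addition is wrapped in `#if 0`, so as committed it is dead code and anyone who wants WAN ssh has to edit the source and rebuild; the block is already gated at runtime on `nvram_match( "dropbear_enable", "1" )` and a non-empty, non-zero `dropbear_port`, so drop the `#if 0` / `#endif` and let the nvram setting alone decide. The port check is also weaker than it looks: `nvram_invmatch( "dropbear_port", "" )` and the `"0"` check reject only those two literals, and `atoi()` turns any other non-numeric or out-of-range value into a bogus `--dport`, so parse with `strtol()` and only emit the ACCEPT rule when the value is within 1..65535. The indentation inside the new block also does not match the surrounding `save2file` call; align it with the existing code.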

To enable it, change it to #if 1.

This patch adds one line to the /tmp/.ipt file:
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
which seems OK to me. But after reboot I got messed-up rules. iptables -L
-n shows very few lines, which is not normal. The nat table seems OK.

Running iptables-restore < /tmp/.ipt fails with an error in the last line (COMMIT)...

Any idea?

Marco Vedovati

Apr 29, 2007, 3:43:45 AM
to neptune...@googlegroups.com
Hi,
I had already tried what you want to do now, and I encountered the
same problems as you. The fact is that the default iptables rules seem
completely nonsensical. Look for example at the policy for INPUT: it is
ACCEPT, and this is not good.
I was able to enable WAN access to ssh by executing the attached
script.
Keep in mind that the iptables rules are restored from the .ipt file
only upon adsl connection, so if you execute this script via the
startup script feature it will not work, because the rules in the script
will be overwritten by the firmware rules.
We need to rewrite all the iptables rules, maybe using a bash script
instead of C files to speed up writing and testing....

Btw, now I am using openwrt with kernel 2.6: there are newer adsl
drivers, preliminary support for wireless and hotplug. I must admit
that openwrt is much more stable than the neptune firmware, and the
possibility of expansion and customization is incredible...


bye,
Marco


wag_init_scritp.sh
PGP.sig
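Marco's point about the INPUT policy being ACCEPT, and Rail's iptables-restore failing at the COMMIT line, are both about the shape of the .ipt file the firmware regenerates. The following is an added example, not code from this thread, the attached script, or the Neptune firmware: it builds a filter table with a default-DROP INPUT policy that still exposes dropbear on the WAN side, and lints the result for the structural errors iptables-restore rejects. The interface names ppp0 and br0 and the rule set itself are assumptions.

```python
import re

def build_filter_table(wan_if, ssh_port, lan_if="br0"):
    """*filter table in iptables-restore format (constructed example, not the
    firmware's rules): default-DROP INPUT plus one deliberately exposed service."""
    if not 1 <= ssh_port <= 65535:
        raise ValueError("ssh_port out of range")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -i {lan_if} -j ACCEPT",
        f"-A INPUT -i {wan_if} -p tcp -m tcp --dport {ssh_port} -j ACCEPT",
        f"-A FORWARD -i {lan_if} -o {wan_if} -j ACCEPT",
        "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"

def lint_ipt(text):
    """Structural checks iptables-restore enforces: each *table block declares
    its chains and ends in COMMIT, and every -A rule names a declared chain.
    A rule wrapped onto two lines shows up as an unparseable line."""
    rule_re = re.compile(r"^-A (\S+) ")
    problems, table, chains = [], None, set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if table is not None:
                problems.append(f"line {n}: '*{table}' not closed by COMMIT")
            table, chains = line[1:], set()
        elif table is None:
            problems.append(f"line {n}: '{line}' outside any *table block")
        elif line.startswith(":"):
            chains.add(line[1:].split()[0])
        elif line == "COMMIT":
            table = None
        else:
            m = rule_re.match(line)
            if not m:
                problems.append(f"line {n}: unparseable rule '{line}'")
            elif m.group(1) not in chains:
                problems.append(f"line {n}: chain {m.group(1)} not declared")
    if table is not None:
        problems.append(f"'*{table}' missing final COMMIT")
    return problems
```

Running lint_ipt over the firmware's /tmp/.ipt before calling iptables-restore turns the bare "error in last line" into a pointer at the offending rule.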

Rail Aliev

Apr 29, 2007, 4:45:41 AM
to neptune...@googlegroups.com
> Btw, now I am using openwrt with kernel 2.6: there are newer adsl
> drivers, preliminary support for wireless and hotplug. I must admit
> that openwrt is much more stable than the neptune firmware, and the
> possibility of expansion and customization is incredible...

Do you use the trunk? Any patches?

Marco Vedovati

Apr 29, 2007, 6:21:56 AM
to neptune...@googlegroups.com

On 29/apr/07, at 10:45, Rail Aliev wrote:

>
> Do you use the trunk? Any patches?


yes, I use trunk (kamikaze), patched (see attachment) because the
switch is not automatically detected.

adm6996l.diff
PGP.sig

Rail Aliev

Apr 29, 2007, 7:09:52 AM
to neptune...@googlegroups.com
> > Do you use the trunk? Any patches?
>
>
> yes, I use trunk (kamikaze), patched (see attachment) because of the
> switch not automatically detected.

Ok, the same as in https://dev.openwrt.org/ticket/1614.
Will try to get my modem working these days. Wish me luck.

Any tip or advice? :)

Marco Vedovati

Apr 29, 2007, 7:59:21 AM
to neptune...@googlegroups.com


On 29/apr/07, at 13:09, Rail Aliev wrote:

>
> Ok, the same as in https://dev.openwrt.org/ticket/1614.
> Will try to get my modem working these days. Wish me luck.
>
> Any tip or advise? :)


mmh... in "make menuconfig" select the target ar7-2.6....
About adsl, all you need to do is edit the file /etc/config/network in
the right way, and then just enter "ifup wan"
