On Mon, 7 Apr 2008, Andy Boyett wrote:
>> 2. How can I then test these rules all work?
>> Just with an nmap?
> nmap or any other tool used from an external machine; the default firewall
> rule set looks at the interface, not the destination IP, so testing from
> behind the router will not produce valid data.
Ok. My IP address isn't pingable at the minute so I'll need to call my
ISP...
>
>> Ok so this is what I want:
>> - Only allow people from behind my network to send out packets and then
>> receive packets in a connection started by someone behind the router.
>> Do not allow anyone from the outside world just to send stuff straight
>> in. They should be dropped...
>> Although it's ok to receive packets from the outside world if they are
>> coming from a connection started by one of my users...
> Netfilter's conntrack functionality is used to achieve this.
How do I use that?
Here are the rules I have on my linux box to do this with iptables.
Will this work with openwrt?
/sbin/fw-close.sh:
#!/bin/sh
#
# fw-close.sh
#
# Script that closes the firewall ( drops all packets )
#
# set default policy to DROP on input, forward, output chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# flush any existing rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
/sbin/fw-start.sh:
#!/bin/sh
#
# fw-start.sh
#
# Script that starts the firewall ( custom rules )
#
# First, call /sbin/fw-close.sh to drop all packets and
# flush all rules from input, forward, output chains
/sbin/fw-close.sh
# Next, change default output chain policy to ACCEPT
iptables -P OUTPUT ACCEPT
# Next, allow localhost to communicate with local apps
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Next, allow outgoing packets for new connections from this
# box to the outside world, and any related packets from the
# outside world into this box
iptables -A OUTPUT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow pings since they are a good debugging tool...
iptables -A INPUT -p icmp -j ACCEPT
Ok and then I have fw-open.sh, but that opens everything when I stuff
something up and isn't important at the minute.
So will these rules work if I run them in my openwrt router?
They are in /sbin obviously, but if I place them on the router and call
fw-start.sh will this achieve what I want?
Or will this just block everyone out of the router including internet
access, web GUI access and SSH access?
Or are there some extra rules I could add to do what I want?
Or what is required with netfilter...?
>
>> - Block people from the outside world sshing into my router, only allow
>> one local ip address to ssh in, how can I do this?
> All external (WAN) ports are closed by default, SSH has to be explicitly
> opened on the WAN side.
Oh cool. So even if I forward port 22 to my computer I'm still safe?
> There is a commented set of rules that gives the basic setup, but the
> following will do it:
> iptables -t nat -A prerouting_wan -p tcp --dport 22 -j DNAT --to 192.168.1.2
> iptables -A forwarding_wan -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
Good. Where are the comments? In /etc/firewall.user or whatever?
>
> If you want to understand more about the default rule set, the majority lies
> in /etc/init.d/firewall itself.
>
I shall look...
Thanks for your help, I really appreciate it.
If you could help me out with my other questions I would also greatly
appreciate it.
Thanks,
--
Daniel Dalton
http://members.iinet.net.au/~ddalton/
<[EMAIL PROTECTED]>
_______________________________________________
openwrt-users mailing list
[email protected]
http://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
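[Editor's note: the following is a worked example added to this archived message; it is not code from the thread and not OpenWrt's own /etc/init.d/firewall.] The fw-start.sh posted above is written for a single host: it sets the FORWARD policy to DROP and adds no FORWARD rules, so loaded unchanged on the router it would leave LAN clients without internet access, and its INPUT rules would accept ssh from anywhere that can reach port 22. The script below applies the same conntrack idea to a router, with the two things the message asks for: LAN hosts may open connections outwards and receive the replies (ESTABLISHED,RELATED), unsolicited WAN traffic is dropped, and only one LAN address may ssh into the router. It also shows the port-22 forward from the quoted reply in standard-chain form; note that DNATing WAN tcp/22 to a LAN host keeps the router's sshd closed but exposes that host's sshd to the internet. The interface names (eth0.1, br-lan), the LAN subnet and the admin address are assumptions for the example and must be changed to match the router; because it loads its own rules into the standard chains it should replace, not be mixed with, the default rule set that uses prerouting_wan and forwarding_wan. Run it as `sh router-fw.sh show` to print the rules instead of loading them, and test from an external machine as the reply recommends; the LOG rule lets `logread` on the router confirm that an external nmap's probes are being dropped.

```shell
#!/bin/sh
# router-fw.sh: stateful iptables firewall for a router (added example; not
# code from the thread, and not OpenWrt's /etc/init.d/firewall).
#
# Policy implemented:
#   * LAN hosts may open connections to the internet; replies come back
#     through conntrack (ESTABLISHED,RELATED); unsolicited WAN traffic is
#     dropped by the default policies.
#   * Only ADMIN on the LAN may ssh to the router; nothing from the WAN
#     reaches the router's own services (ssh, web GUI, DNS).
#   * Optionally DNAT WAN tcp/22 to one LAN host (exposes that host's sshd).
#
# Interface names, subnet and addresses below are ASSUMPTIONS for the example.
WAN="${WAN:-eth0.1}"                  # assumed WAN interface
LAN="${LAN:-br-lan}"                  # assumed LAN bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN subnet
ADMIN="${ADMIN:-192.168.1.2}"         # the one LAN host allowed to ssh in
FWD_SSH_TO="${FWD_SSH_TO:-}"          # set to a LAN IP to forward WAN:22 to it
IPT="${IPT:-iptables}"                # IPT=print_rule prints rules instead of loading them

print_rule() { printf 'iptables %s\n' "$*"; }

fw_close() {
    # Default-deny on every chain first, then flush, so a partial load
    # never leaves the box open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -t nat -F
}

fw_start() {
    fw_close
    $IPT -P OUTPUT ACCEPT                  # the router itself may talk out
    $IPT -A INPUT -i lo -j ACCEPT

    # conntrack: accept replies to connections the router or a LAN host
    # started, and drop packets conntrack cannot classify at all.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # Only the LAN may open NEW connections through the router, and only
    # towards the WAN. No rule accepts NEW from $WAN, so the policy drops it.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Router's own services, LAN side only: ssh from ADMIN alone,
    # web GUI, DNS and DHCP from the LAN subnet.
    $IPT -A INPUT -i "$LAN" -s "$ADMIN"   -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT    # DHCP discover has src 0.0.0.0

    # Ping is handy for debugging, but rate-limit it so the WAN cannot
    # keep the CPU busy.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Record (rate-limited) what the WAN sends that nothing above accepted;
    # `logread` then shows an external nmap's probes being dropped.
    $IPT -A INPUT -i "$WAN" -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "

    # NAT for LAN clients.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Optional: forward WAN tcp/22 to a LAN host. DNAT rewrites the
    # destination before routing, so the FORWARD rule must match the LAN
    # address, not the router's WAN address.
    if [ -n "$FWD_SSH_TO" ]; then
        $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 22 -j DNAT --to-destination "$FWD_SSH_TO"
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$FWD_SSH_TO" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    fi
}

case "${1:-}" in
    start) fw_start ;;
    close) fw_close ;;
    show)  IPT=print_rule; fw_start ;;
esac
```

Two design points worth noting. The FORWARD chain carries no rule that accepts NEW from the WAN interface, so inbound connection attempts to LAN hosts fall through to the DROP policy without needing an explicit deny; the only exception is the port-22 forward, and it is enabled by setting FWD_SSH_TO rather than being on by default. The INVALID drops sit before the NEW accepts so that packets conntrack cannot attribute to any flow (out-of-window segments, bare ACK scans) are discarded even on the LAN side.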