Hello!
I haven't written scripts for some time, so there may be mistakes =/
So, please:
1) check that:
# nvram get wan0_ifname
gives the external network interface name
2) I assume that VoIP uses UDP (change to TCP if needed: iptables -A FORWARD -p tcp ...)
Try adding the following to /etc/storage/post_iptables_script.sh:
----------------------------------
#!/bin/sh
### Custom user script
### Called after internal iptables reconfig (firewall update)
wan_ifname=`nvram get wan0_ifname`   # external (WAN) interface
lan_ifname=`nvram get lan_ifname`    # internal (LAN) bridge
VOIP_srv="10.0.10.4"                 # VoIP server on the LAN
allowed_ips="67.108.9.160/27 209.31.18.0/24 64.61.93.0/24"   # VoIP provider ranges
# One ACCEPT rule per allowed source: UDP only, WAN -> LAN, destined to the VoIP server
for ip in $allowed_ips ; do
    iptables -A FORWARD -p udp -i "$wan_ifname" -o "$lan_ifname" -s "$ip" \
        -d "$VOIP_srv" -j ACCEPT 2>/dev/null
done
exit 0
-----------------------------------
Then run:
# mtd_storage.sh save
# /etc/storage/post_iptables_script.sh
Check the rules with:
# iptables -nvL
Original comment by d...@soulblader.com on 21 Nov 2012 at 7:03
Hi, I tried your recommendation, but it completely blocked TCP access to the
router from the WAN. Below is the output before I removed the rules. Any ideas
on why TCP was blocked?
/etc/storage # iptables -nvL
Chain INPUT (policy ACCEPT 3 packets, 152 bytes)
pkts bytes target prot opt in out source destination
445 88634 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 158 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
8818 853K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
2857 469K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 2 -- * * 0.0.0.0/0 224.0.0.0/4
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.0/4
udp dpt:!1900
196 10491 doslimit all -- eth3 * 0.0.0.0/0 0.0.0.0/0
state NEW
Chain FORWARD (policy ACCEPT 77584 packets, 28M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.0/4
13623 5550K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
198K 70M doslimit all -- eth3 * 0.0.0.0/0 0.0.0.0/0
state NEW
0 0 DROP esp -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP ah -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:1701
0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:500
0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:4500
0 0 ACCEPT udp -- eth3 br0 67.108.9.160/27 10.0.10.4
0 0 ACCEPT udp -- eth3 br0 209.31.18.0/24 10.0.10.4
0 0 ACCEPT udp -- eth3 br0 64.61.93.0/24 10.0.10.4
0 0 ACCEPT udp -- eth3 br0 67.108.9.160/27 10.0.10.4
0 0 ACCEPT udp -- eth3 br0 209.31.18.0/24 10.0.10.4
0 0 ACCEPT udp -- eth3 br0 64.61.93.0/24 10.0.10.4
Chain OUTPUT (policy ACCEPT 3664 packets, 2004K bytes)
pkts bytes target prot opt in out source destination
Chain UPNP (0 references)
pkts bytes target prot opt in out source destination
Chain doslimit (2 references)
pkts bytes target prot opt in out source destination
191 9680 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcpflags: 0x17/0x02 limit: avg 20/sec burst 30
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcpflags: 0x17/0x02
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcpflags: 0x17/0x04
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 limit: avg 2/sec burst 5
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8
Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW LOG flags 7 level 4 prefix "ACCEPT "
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW LOG flags 7 level 4 prefix "DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain maclist (0 references)
pkts bytes target prot opt in out source destination
/etc/storage #
Original comment by bobmalec...@gmail.com on 23 Nov 2012 at 5:14
OK, so I think you're after port forwarding from an external source IP to a
destination IP within the LAN (i.e. for me, SSH from my work PC (static IP) to
my SSH server, but I didn't want SSH open to the world).
Enable SSH on the router.
Edit /etc/storage/post_iptables_script.sh to the following (# = comment):
--------------------------------------------------
#!/bin/sh
### Custom user script
### Called after internal iptables reconfig (firewall update)
### mtd_storage.sh save
### /etc/storage/post_iptables_script.sh
## Sleep for 20 seconds to wait for the modem to establish the outside connection
## (might not be needed).
sleep 20
# Get my external IP address from the PPP interface.
ipname=`ifconfig ppp0 | grep 'inet addr' | awk -F: '{print $2}' | awk '{print $1}'`
baseip="$ipname/32"   # my outside IP address/32
# Note: 80.xxx.xxx.xxx is my work PC's static IP.
# --dport is the port open externally (so I'm forwarding port 4443 from external
# to 4443 on 192.168.1.111).
# 192.168.1.111:4443 is my internal SSH server on the LAN, running SSH on port 4443.
# Create the PREROUTING (DNAT) rule and the FORWARD accept rule.
iptables -t nat -A PREROUTING -s 80.xxx.xxx.xxx/32 -p tcp -d "$baseip" --dport 4443 \
    -j DNAT --to 192.168.1.111:4443
iptables -I FORWARD -s 80.xxx.xxx.xxx/32 -d 192.168.1.111/32 -p tcp -m tcp \
    --dport 4443 -j ACCEPT
exit 0
----------------------------
Then run:
# mtd_storage.sh save
# /etc/storage/post_iptables_script.sh
# iptables -nvL
Chain FORWARD (policy ACCEPT 35893 packets, 3868K bytes)
pkts bytes target prot opt in out source destination
388 61880 ACCEPT tcp -- * * 80.xxx.xxx.xxx 192.168.1.111 tcp dpt:4443
Works a treat: I now have an SSH tunnel that only I can connect to, from my
work PC.
Original comment by cryton2...@gmail.com on 28 Jun 2013 at 12:15
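The two scripts above (the UDP allow list for the VoIP server and the single-source SSH port forward) share the same problem the iptables -nvL output shows: the firmware runs post_iptables_script.sh after every firewall reconfig, and every run appends another copy of each rule. The following is an added example, not a script from this thread or from the firmware, that puts both rule sets into one user-defined chain which is flushed and re-hooked on every run, so re-running it is safe. Assumptions beyond what the thread states: the chain name wan_to_lan is made up here; the IPT variable (set IPT=echo to print the rules instead of applying them) and the $0 guard at the bottom are this example's own conventions; the DNAT rule matches on the WAN interface instead of the current PPP address so it does not need the ifconfig/awk lookup; 80.xxx.xxx.xxx is kept as the thread's placeholder and must be replaced with the real static IP; the FORWARD policy is ACCEPT, as in the output above, which is why the VoIP rules end in an explicit DROP.

```shell
#!/bin/sh
### Added example: a self-resetting post_iptables_script.sh (assumed layout, not the
### firmware's own file). Combines the thread's VoIP allow list and SSH port forward.
### Run with IPT=echo to print the rules instead of applying them.

IPT="${IPT:-iptables}"

CHAIN="wan_to_lan"          # assumed name for our own chain; the firmware's chains stay untouched
VOIP_SRV="10.0.10.4"        # LAN VoIP server, from the thread
VOIP_ALLOWED="67.108.9.160/27 209.31.18.0/24 64.61.93.0/24"   # provider ranges, from the thread
SSH_CLIENT="80.xxx.xxx.xxx/32"   # placeholder from the thread: replace with the real static IP
SSH_SRV="192.168.1.111"     # LAN SSH server, from the thread
SSH_PORT="4443"

# Re-create our chain from scratch and hook it into FORWARD exactly once. Appending
# with -A on every firewall reconfig is what produced the duplicated rules in the
# iptables -nvL output above.
setup_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || true    # fails harmlessly if the chain already exists
    $IPT -F "$CHAIN"
    $IPT -D FORWARD -j "$CHAIN" 2>/dev/null || true   # remove any earlier jump ...
    $IPT -I FORWARD 1 -j "$CHAIN"                      # ... and put exactly one back, at the top
    # Our chain now runs before the firmware's RELATED,ESTABLISHED rule, so it must pass
    # established flows itself or the DROP below would break the VoIP server's own
    # outbound calls.
    $IPT -A "$CHAIN" -m state --state RELATED,ESTABLISHED -j RETURN
}

# VoIP: accept UDP from the listed provider ranges, then drop everything else from the
# WAN aimed at the VoIP server. With a FORWARD policy of ACCEPT the allow list alone
# restricts nothing; the final DROP is what does.
voip_rules() {
    wan="$1"; lan="$2"
    for src in $VOIP_ALLOWED; do
        $IPT -A "$CHAIN" -i "$wan" -o "$lan" -p udp -s "$src" -d "$VOIP_SRV" -j ACCEPT
    done
    $IPT -A "$CHAIN" -i "$wan" -o "$lan" -d "$VOIP_SRV" -j DROP
}

# SSH: DNAT from one remote host only. Matching on the WAN interface rather than the
# current PPP address keeps the rule valid when the address changes on reconnect.
ssh_forward() {
    wan="$1"
    $IPT -t nat -D PREROUTING -i "$wan" -s "$SSH_CLIENT" -p tcp --dport "$SSH_PORT" \
        -j DNAT --to-destination "$SSH_SRV:$SSH_PORT" 2>/dev/null || true
    $IPT -t nat -A PREROUTING -i "$wan" -s "$SSH_CLIENT" -p tcp --dport "$SSH_PORT" \
        -j DNAT --to-destination "$SSH_SRV:$SSH_PORT"
    $IPT -A "$CHAIN" -i "$wan" -s "$SSH_CLIENT" -d "$SSH_SRV" -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# apply_rules WAN_IF LAN_IF
apply_rules() {
    setup_chain
    voip_rules "$1" "$2"
    ssh_forward "$1"
}

# Apply only when running under the firmware's script name; when sourced under another
# name (for example to preview with IPT=echo) nothing is changed.
case "$0" in
    */post_iptables_script.sh|post_iptables_script.sh)
        apply_rules "$(nvram get wan0_ifname)" "$(nvram get lan_ifname)"
        exit 0
        ;;
esac
```

Save it as /etc/storage/post_iptables_script.sh and run mtd_storage.sh save as the thread describes. To see what it would do first, copy it under another name, source that copy with IPT=echo set, and call apply_rules with the real interface names (eth3 and br0 in the output above); it prints the iptables commands without touching the firewall.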
+1 for a graphical iptables rule editor that survives reboots. The created rules
should also be stored in the configuration backup ("Save Setting to a File:")
and restored with "Restore Settings from a File:".
Original comment by c...@vakantieland.nl on 5 Apr 2014 at 5:23
Original issue reported on code.google.com by bobmalec...@gmail.com on 21 Nov 2012 at 4:14