IPtable builder

From WL-HDD Wiki


Prerequisites

To complete this guide, the following is assumed:

You are running Oleg's firmware (1.9.2.7-6b or later)
You have hard disk partitions up and running, with an extended filesystem mounted at /opt
You have installed the ipkg package system.
You have configured your partitions to automount.


The post-firewall file

All iptables rules are placed in the post-firewall file. This guide breaks the file down into five key areas:

  • The #!/bin/sh line, which tells Linux to run the file as a shell script.
  • The 'clear all existing rules' line
  • All ACCEPT rules
  • All PREROUTING rules
  • The 'drop all other connections' line

Make sure your post-firewall file is executable:

chmod +x /usr/local/sbin/post-firewall

You can now build up your iptables rules by going through the steps below.

Script header

At the top of the script, enter the line:

#!/bin/sh

This line is essential: without it the file is not run as a shell script.

Clear all existing rules

Next enter the following line. It deletes the single 'drop everything' rule that an earlier run of this script appended to the INPUT chain; it matches only that one rule, so any other rules already in the chain are left in place.

iptables -D INPUT -j DROP

ACCEPT rules

Now enter any rules that apply to your setup. Insert each rule on a new line.

SSH

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

FTP

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

Webserver (port 81)

iptables -A INPUT -p tcp --dport 81 -j ACCEPT

Admin Pages (port 80)

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

The format for these rules is:

iptables -A INPUT -p tcp --dport <relevant port number> -j ACCEPT

Note that without an -i option the rule accepts the port on every interface, not only the WAN side.

PREROUTING rules

For every rule you defined in the ACCEPT rules, you will need a corresponding PREROUTING rule.

SSH

iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 22 -j DNAT --to-destination $4:22

FTP

iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 21 -j DNAT --to-destination $4:21

Webserver (port 81)

iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 81 -j DNAT --to-destination $4:81

Admin Pages (port 80)

iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 80 -j DNAT --to-destination $4:80

The format for these rules is:

iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport <the port you specified earlier> -j DNAT --to-destination $4:<the port you specified earlier>

Drop all other connections

Finally, add this line to the end of the file:

iptables -A INPUT -j DROP

Save and exit (these are the nano keystrokes)

Ctrl + O
Ctrl + X

Make changes permanent

flashfs save
flashfs commit
flashfs enable
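Because the steps above are mechanical (header, clear line, one ACCEPT and one PREROUTING rule per port, final DROP), they can be generated rather than typed. The script below is an added example, not the wiki's own post-firewall file: it builds the complete file from a list of TCP ports in exactly the order the sections above prescribe, and it refuses to emit anything if a port is not a number in the range 1 to 65535. It takes the same assumptions as the guide, namely that the WAN interface is vlan1 and that the firmware passes the LAN address of the box in $4 (left unexpanded in the generated file).

```shell
#!/bin/sh
# Added example, not the wiki's own script: a small "builder" that generates
# a post-firewall file in the five-part layout described in this guide.
# Assumptions taken from the guide, not verified here: the WAN interface is
# vlan1 and the firmware passes the LAN address of the box as $4.

# valid_port PORT: succeed only for a decimal number in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_post_firewall PORT...: print the script to stdout, or fail on a bad port
build_post_firewall() {
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done

    # 1. script header
    printf '%s\n' '#!/bin/sh'
    # 2. remove the catch-all DROP rule appended by an earlier run
    printf '%s\n' 'iptables -D INPUT -j DROP'
    # 3. ACCEPT rules, one per port
    for port in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$port"
    done
    # 4. matching PREROUTING (DNAT) rules; $4 is left for the firmware to expand
    for port in "$@"; do
        printf 'iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport %s -j DNAT --to-destination $4:%s\n' "$port" "$port"
    done
    # 5. drop everything not accepted above
    printf '%s\n' 'iptables -A INPUT -j DROP'
}

# write_post_firewall FILE PORT...: write the script to FILE and make it executable
write_post_firewall() {
    file="$1"
    shift
    build_post_firewall "$@" > "$file" || { rm -f "$file"; return 1; }
    chmod +x "$file"
}

# count_rules PORT...: number of iptables lines the generated script contains
count_rules() {
    build_post_firewall "$@" | grep -c '^iptables'
}
```

To produce the file described in this guide, source the script and run `write_post_firewall /usr/local/sbin/post-firewall 22 21 81 80`, then make it permanent with the flashfs commands above. Keeping the port list in one place also makes it easy to see at a glance which services are reachable from the WAN, which is the first thing to review when tightening this file.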

Variables used

When reading the above, you will no doubt have noticed that some variables are being used ($1, $2, $4, etc.) as well as some terms such as vlan1. For more information on what they mean, have a look at the IPtable variables guide.

For more information on iptables, visit this web page: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-iptables-options.html
