WL-500gx WAN & LAN Filter example



pshah
26-08-2005, 23:22
Hi folks,

I just bought a WL-500G Deluxe and it's already up and running (using the original firmware 1.8.2.1), but I have some problems with the firewall configuration.

Can somebody provide me with a good example on how to configure the filter rules?
I do not really understand the configuration and behaviour of the WAN to LAN filter table. How do I properly use SYN, ACK, RST, etc.?

In the LAN to WAN filter table, I added the following:

src         | sport | dst     | dport | proto
192.168.1.* |       | *.*.*.* | 80    | TCP
192.168.1.* |       | *.*.*.* | 443   | TCP
192.168.1.* |       | *.*.*.* | 110   | TCP
192.168.1.* |       | *.*.*.* | 25    | TCP
192.168.1.* |       | *.*.*.* | 20:21 | TCP

What other rules would make sense?

Thanks,
Pierce

tomekmik
24-09-2005, 13:50
I use this script at boot, and when I change a rule I start the script and the new rules will also be loaded at the next boot :-)
#!/bin/sh
#-----------------------------------------------
# Default policy=DROP, flush the FORWARD chain
iptables -P FORWARD DROP
iptables -F FORWARD
#
# logdrop is the log-and-drop chain the ASUS firmware already provides;
# create a plain one only if this script runs somewhere it does not exist
if ! iptables -n -L logdrop >/dev/null 2>&1; then
    iptables -N logdrop
    iptables -A logdrop -j LOG --log-prefix "logdrop: "
    iptables -A logdrop -j DROP
fi
#
# Create the fwi (WAN->LAN) and fwo (LAN->WAN) chains if they do not exist,
# flush them if they do (listing the chain by name is the exact check)
for chain in fwi fwo; do
    if iptables -n -L "$chain" >/dev/null 2>&1; then
        iptables -F "$chain"
    else
        iptables -N "$chain"
    fi
done
#
# FORWARD chain, appended in the order the original -I inserts produced:
# invalid packets dropped first, LAN<->LAN accepted, LAN->WAN checked in fwo,
# WAN->LAN checked in fwi, anything left over logged and dropped
iptables -A FORWARD -m state --state INVALID -j logdrop
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o eth1 -j fwo
iptables -A FORWARD -i br0 -o eth1 -j logdrop
iptables -A FORWARD -i eth1 -o br0 -j fwi
iptables -A FORWARD -i eth1 -o br0 -j logdrop
#
# Port forwarding for eMule (xxx.xxx.xxx.xxx = the router's WAN address);
# only added when no DNAT for that port is already present
iptables -t nat -L PREROUTING -n | grep "dpt:4662" >/dev/null || \
    iptables -t nat -A PREROUTING -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 4662 -j DNAT --to 192.168.1.7
iptables -t nat -L PREROUTING -n | grep "dpt:4672" >/dev/null || \
    iptables -t nat -A PREROUTING -p udp -m udp -d xxx.xxx.xxx.xxx --dport 4672 -j DNAT --to 192.168.1.7
#
# The fwi rules below use no connection tracking: replies are let back into
# the LAN purely by source port, so any packet with e.g. source port 80
# matches the "http" return rule whether or not a LAN host asked for it.
#
# DNS (xxx.xxx.xxx.xxx/31 = the ISP's two resolvers)
iptables -A fwo -s 192.168.1.0/24 -d xxx.xxx.xxx.xxx/31 -i br0 -o eth1 -p udp --dport 53 -j ACCEPT
iptables -A fwi -d 192.168.1.0/24 -s xxx.xxx.xxx.xxx/31 -o br0 -i eth1 -p udp --sport 53 -j ACCEPT
# http & https
iptables -A fwo -s 192.168.1.0/24 -i br0 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A fwi -d 192.168.1.0/24 -o br0 -i eth1 -p tcp --sport 80 -j ACCEPT
iptables -A fwo -s 192.168.1.0/24 -i br0 -o eth1 -p tcp --dport 443 -j ACCEPT
iptables -A fwi -d 192.168.1.0/24 -o br0 -i eth1 -p tcp --sport 443 -j ACCEPT
# ftp & ftp-data (active mode only; passive FTP uses a random server port)
iptables -A fwo -s 192.168.1.0/24 -i br0 -o eth1 -p tcp --dport 20:21 -j ACCEPT
iptables -A fwi -d 192.168.1.0/24 -o br0 -i eth1 -p tcp --sport 20:21 -j ACCEPT
# POP3 & SMTP (xxx.xxx.xxx.xxx = the ISP's mail server)
iptables -A fwo -s 192.168.1.0/24 -i br0 -o eth1 -p tcp --dport 110 -j ACCEPT
iptables -A fwi -d 192.168.1.0/24 -o br0 -i eth1 -p tcp --sport 110 -j ACCEPT
iptables -A fwo -s 192.168.1.0/24 -d xxx.xxx.xxx.xxx -i br0 -o eth1 -p tcp --dport 25 -j ACCEPT
iptables -A fwi -d 192.168.1.0/24 -s xxx.xxx.xxx.xxx -o br0 -i eth1 -p tcp --sport 25 -j ACCEPT
# eMule on 192.168.1.7: 4662/tcp and 4672/udp are its listening ports
# (incoming peers via the DNAT above), 4661 and 4242 are server ports it connects to
iptables -A fwo -s 192.168.1.7 -i br0 -o eth1 -p udp --sport 4672 -j ACCEPT
iptables -A fwi -d 192.168.1.7 -o br0 -i eth1 -p udp --dport 4672 -j ACCEPT
iptables -A fwo -s 192.168.1.7 -i br0 -o eth1 -p tcp --sport 4662 -j ACCEPT
iptables -A fwi -d 192.168.1.7 -o br0 -i eth1 -p tcp --dport 4662 -j ACCEPT
iptables -A fwo -s 192.168.1.7 -i br0 -o eth1 -p tcp --dport 4661 -j ACCEPT
iptables -A fwi -d 192.168.1.7 -o br0 -i eth1 -p tcp --sport 4661 -j ACCEPT
iptables -A fwo -s 192.168.1.7 -i br0 -o eth1 -p tcp --dport 4242 -j ACCEPT
iptables -A fwi -d 192.168.1.7 -o br0 -i eth1 -p tcp --sport 4242 -j ACCEPT
#-----------------------------------------------
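pshah's question about when to match SYN, ACK and RST, and tomekmik's fwi/fwo script, both come from the stateless way the WAN-to-LAN filter table thinks: a reply is recognised by its source port or its TCP flags. The script below is an added example, not the poster's script and not the ASUS firmware's: it is the same LAN-to-WAN policy and the same eMule forward, written with iptables connection tracking, so replies and FTP data connections are matched by state and neither source-port nor flag rules are needed. The interface names br0 and eth1, the 192.168.1.0/24 LAN and the 192.168.1.7 eMule host are taken from the thread; the ISP-specific destination addresses the post elides (xxx.xxx.xxx.xxx) are not reproduced, the DNAT matches the WAN interface instead of the WAN address, and the names fw_rules, allow_out, forward_port, EMULE_HOST and IPT are this example's own. It assumes an iptables with the state match (ipt_state / conntrack) and a logdrop chain, as on the firmware.

```shell
#!/bin/sh
# Stateful version of the fwi/fwo scheme (added example, not from the thread).
# Usage:  sh stateful-fw.sh apply   -> loads the rules with iptables
#         sh stateful-fw.sh         -> prints the iptables commands (dry run)

LAN_IF=${LAN_IF:-br0}                  # LAN bridge, as in the thread
WAN_IF=${WAN_IF:-eth1}                 # WAN interface, as in the thread
LAN_NET=${LAN_NET:-192.168.1.0/24}
EMULE_HOST=${EMULE_HOST:-192.168.1.7}  # LAN peer running eMule, as in the thread
IPT=${IPT:-iptables}                   # set IPT="echo iptables" for a dry run

ipt() { $IPT "$@"; }

# Allow one outbound service. Only NEW connections need a rule; the replies
# come back through the single ESTABLISHED,RELATED rule in FORWARD, so the
# per-service --sport rules of the stateless script disappear.
allow_out() {  # allow_out <proto> <dport> [<src>]
    if [ -n "${3:-}" ]; then
        ipt -A fwo -s "$3" -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
    else
        ipt -A fwo -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
    fi
}

# Publish one LAN service: DNAT on the WAN interface (no need to hard-code a
# WAN address that may change) plus the FORWARD accept for the translated
# packet, still scoped to that one host and port.
forward_port() {  # forward_port <proto> <port> <lan_host>
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" -j DNAT --to-destination "$3"
    ipt -A fwi -p "$1" -d "$3" --dport "$2" -m state --state NEW -j ACCEPT
}

fw_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    for chain in fwi fwo; do
        ipt -N "$chain" 2>/dev/null || true   # no-op if the chain already exists
        ipt -F "$chain"
    done

    # 1. packets conntrack cannot place in any connection (stray RST/ACK,
    #    bad sequence numbers) are logged and dropped before anything is accepted
    ipt -A FORWARD -m state --state INVALID -j logdrop
    # 2. one rule covers every reply, in both directions, and every helper-
    #    tracked related connection (active and passive FTP data channels)
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. only NEW connections reach the policy chains
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j fwo
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j fwi
    ipt -A FORWARD -j logdrop

    allow_out udp 53
    allow_out tcp 80
    allow_out tcp 443
    allow_out tcp 21      # control channel; port 20 / passive data come in as RELATED
    allow_out tcp 110
    allow_out tcp 25
    allow_out tcp 4661 "$EMULE_HOST"   # eMule server ports, only from the eMule host
    allow_out tcp 4242 "$EMULE_HOST"
    forward_port tcp 4662 "$EMULE_HOST"   # eMule listening ports, reachable from the WAN
    forward_port udp 4672 "$EMULE_HOST"
}

case "${1:-}" in
    apply)
        # FTP helper so data channels show up as RELATED (module name assumed for a 2.4 kernel)
        modprobe ip_conntrack_ftp 2>/dev/null || true
        fw_rules ;;
    *)  ( IPT="echo iptables"; fw_rules ) ;;
esac
```

Run it without arguments first and read the printed rule list; the INVALID drop sits above the ESTABLISHED,RELATED accept on purpose, because a packet that matches neither state is exactly the kind the flag-based table was trying to describe by hand. The fwi chain now contains only the published eMule ports, so there is no return rule an outside host can satisfy by picking a convenient source port.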