Suppose I add some stuff to iptables by telnetting to the router and adding stuff manually. The changes will then work without a reboot, but they will be lost if the router is rebooted for some reason.
How do I prevent this from happening? I've seen some references to "flashfs", but any information I'm able to find always seems to require prior knowledge, and then I'm stuck...
I'm running the latest custom firmware from Oleg, in case it matters.
Have you read this page already?
In short:
1. mkdir -p /usr/local/sbin
2. Make a file post-firewall and put all the changes you make in there (remember to start the file with #!/bin/sh)
(ex.
echo "#!/bin/sh" > post-firewall
echo "iptables -A INPUT ...." >> post-firewall
...)
2.1 Test your script, ex: ./post-firewall
3. flashfs save
4. flashfs commit
5. flashfs enable
6. reboot
7. Every time you wish to edit the post-firewall script you have to repeat steps 2-4 and 6.
Sjur
Thanks, both of you.
Oleg, I had seen that page before, but I'd forgotten all about it.
Sjur, you forgot to set the script to executable (+x) in your "recipe", but you did manage to avoid using vi.... :-)
I think I've gotten the gist of it now. I'll test it later...
Oh, yeah. chmod +x. Good.
And yes, vi is kinda picky on who its friends are.
Maybe I should ask if anyone has compiled another text editor like pico or something...
Sjur
It worked as advertised, and my iptables for the FORWARD chain now reads:
Code:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:6112
DROP       all  --  192.168.12.105       anywhere             TIME from 22:30:00 to 23:59:59 on Sun,Mon,Tue,Wed,Thu,Fri,Sat
DROP       all  --  192.168.12.105       anywhere             TIME from 00:00:00 to 07:00:00 on Sun,Mon,Tue,Wed,Thu,Fri,Sat
DROP       all  --  anywhere             192.168.12.105       TIME from 22:30:00 to 23:59:59 on Sun,Mon,Tue,Wed,Thu,Fri,Sat
DROP       all  --  anywhere             192.168.12.105       TIME from 00:00:00 to 07:00:00 on Sun,Mon,Tue,Wed,Thu,Fri,Sat
My son's computer is connected by wireless, and I've made a manual assignment forcing his MAC address to always be given the 192.168.12.105 IP address by the router. It seems to me I should now have prevented any packets being forwarded between the LAN and the WAN from 22:30 in the evening to 07:00 in the morning. I've used two rules for each direction to get past midnight, but maybe I could have used one rule that said to accept packets from 07:00 to 22:30 instead?
I've just used -A to add these four rules in the post-firewall script.
Oh, and one more thing: What is the purpose of the rule that says to accept udp packets to port 6112? This one is added by the router itself, and I don't know the purpose.
Starcraft, just disable it.
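An added example, not a script from this thread: a post-firewall that installs the same nightly block for the host listed above, but with -I rather than -A, because in the FORWARD listing the "ACCEPT all -- anywhere anywhere" rule sits ahead of the four appended DROP rules and matches every packet first, so rules appended behind it are never reached; after applying, "iptables -L FORWARD --line-numbers" shows where each rule landed. It assumes the firmware's time match takes --timestart/--timestop as the listing's "TIME from ... to ..." suggests and defaults to every weekday, and the host address and window are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not the thread's own script. Nightly FORWARD block for one
# LAN host, meant to live in /usr/local/sbin/post-firewall on this firmware.
# Assumptions: the time match accepts --timestart/--timestop (as the listing's
# "TIME from ... to ..." output suggests) and matches every weekday by default.

HOST="192.168.12.105"   # the wirelessly connected PC from the thread
START="22:30"           # block begins
STOP="07:00"            # block ends

# Print the iptables arguments for one direction ($1 is -s or -d).
# The time match cannot wrap past midnight, so one window becomes two
# rules, exactly as the thread's four-rule set does. "-I FORWARD 1"
# puts each rule at the top of the chain, ahead of the catch-all ACCEPT
# that "-A" would have placed it behind.
block_rules() {
    printf '%s\n' \
      "-I FORWARD 1 $1 $HOST -m time --timestart $START --timestop 23:59 -j DROP" \
      "-I FORWARD 1 $1 $HOST -m time --timestart 00:00 --timestop $STOP -j DROP"
}

# Both directions: traffic from the host and traffic back to it.
all_rules() {
    block_rules -s
    block_rules -d
}

# Run every rule through $1 (default iptables). "apply echo" is a dry run
# that only prints the commands, handy to check before "flashfs save".
apply() {
    bin="${1:-iptables}"
    all_rules | while read -r args; do
        $bin $args || return 1    # word splitting of $args is intended
    done
}

# Only apply automatically when invoked as the firmware's post-firewall
# hook; under any other name the file just defines the functions above.
case "$0" in
    */post-firewall|post-firewall) apply ;;
esac
```

Save it as post-firewall, chmod +x it, try "./post-firewall" or "apply echo" first, then follow the flashfs save/commit/enable steps from the recipe above.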