
View full version: iptables set-up



dolphine
29-12-2006, 07:02
I was playing with the iptables setup in order to open the ssh port to the outside world and could not get out. How do I make sure that the firewall web GUI does not interfere with my settings?

Has any local guru touched this issue? Is there a hint for a non-guru? Thanks.

So far it seems to me that the configuration is stored in /tmp/filter_rules and then passed to iptables.

After that I am able to change the rules through standard iptables commands, e.g. iptables -I INPUT 7 -p tcp -d xxx.xxx.xxx.xxx --dport 22 -j ACCEPT

It seems that adding this to rc.local helps to have the port opened after reboot, but once there is a change via the GUI it seems to get lost.

kfurge
29-12-2006, 14:31
I was playing with the iptables setup in order to open the ssh port to the outside world and could not get out. How do I make sure that the firewall web GUI does not interfere with my settings?
It will be difficult to keep the web gui interface from messing with your settings since the router was designed to do this.

I'm working right now to wrap some of the primary 1.0.4.6 binaries with a shell script that will allow you to insert your own scripts both before and after the Asus binaries are run. Within your script, you can choose whether or not to run the Asus binary. With this mechanism, you should be able to hook into the web change and apply your customizations live. I plan on having a binary ready within the next few weeks.

For now, I'd recommend setting up a cron job that periodically checks for changes to the tmp file and applies your iptable configs as necessary.

Please let us know your progress in this thread because I'd like to do the same, but am busy with the firmware.

- K.C.

dolphine
02-01-2007, 07:27
Hello,

Unfortunately I do not have much time to play with the device :-(. As I am also a self-learner in the area of Linux, scripting, routing, etc., I do not have the patterns to do this right. Therefore what I did was just applying a "brute force" approach to make it do what I want. I am aware of the fact that it is not a "clean" solution and that it has some drawbacks, but...

Findings (learned by experimenting and some reading, so reality may be different):

- Any "apply" to any network configuration (including firewall) forces the box to reset its configuration and restart some network services (e.g. also gift, http, etc.)
- To set the iptables, the scripts create config files in /tmp/ (filter_rules, nat_tules, nat_forward_rules) and probably use iptables-restore

Current set-up:

The following script takes care of the iptables check and setup:

/opt/bin/netupdate


#!/opt/bin/bash

# Run from cron: if the firmware has rebuilt the INPUT chain (which removes
# the ssh rule), put the rule back and close the chain again.
# iptables -L separates its columns with runs of spaces, so the rule has to
# be matched with a regex rather than a single-spaced literal string.
if iptables -L INPUT | grep -E "ACCEPT +tcp +-- +anywhere +anywhere +tcp dpt:ssh" &>/dev/null
then
    : # nothing to do (bash needs at least one command in this branch)
    # logger `date` "iptables INPUT rule opening ssh found, assuming no change in network configuration"
    # uncomment the logger line above if you want to see in your syslog that nothing is happening
else
    logger `date` "iptables INPUT does not contain rule for opening ssh, assuming reset of network configuration"

    iptables -D INPUT -j DROP # Remove the default last rule that drops everything else
    # Close the ftp from outside
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Open port 22 (ssh)

    # Additional rules go here (transmission 9090, enh-ctr 2706)

    iptables -A INPUT -j DROP # Close the hole again: drop everything not matching the rules above

    killall giftd # Kill giftd so it is restarted with the new rules

    # Additional daemons (httpd, thttpd) can be killed here
fi



and /etc/crontab:


SHELL=/bin/sh
PATH=/opt/bin:/opt/sbin:/sbin:/bin:/usr/sbin:/apps/bin:/usr/bin
MAILTO=""
HOME=/
# ---------- ---------- Default is Empty ---------- ---------- #
# m h dom mon dow user command
*/10 * * * * root /opt/bin/netupdate



Outstanding issues & possible conflicts:
- if the box firewall is set to off (iptables INPUT clear, default ACCEPT), the above configuration effectively blocks everything except ssh by setting the iptables rules
- torrent performance (which is still very slow compared to utorrent) is not better after opening the ports on which the client listens :-( (thought it would help). transmission is still way faster than enhanced-ctorrent, but 1/5 of utorrent (which may benefit from DHT?). Still, it (transmissioncli) gets to 1/30 of the line capacity
- GUI for torrent: not yet played with (why?), there is ctcs for enhanced-ctorrent and native client for transmission, both require some attention (eg. perl, which is not available). CTCS available in unstable ipkd resource
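As an added example (not dolphine's /opt/bin/netupdate and not part of the Asus firmware), here is a variant of the check-and-reapply script that avoids two weak points of the version above: it inserts the ssh rule directly above the firmware's final DROP instead of deleting that DROP and re-adding it (so INPUT is never left open in between), and when the GUI firewall is off it adds no DROP of its own, which is the first outstanding issue listed. It parses the numeric `iptables -L INPUT -n --line-numbers` listing, so the multi-space column layout does not break the match; the chain layout, the `--apply` argument and the sample listing are assumptions.

```sh
#!/bin/sh
# Added example, not dolphine's /opt/bin/netupdate: re-apply the ssh rule
# without ever leaving INPUT without its final DROP, and without adding a
# DROP when the GUI firewall is off. Assumes the firmware's chain ends in an
# unconditional DROP when the firewall is on, as the thread describes.

# Exit 0 if an "iptables -L INPUT -n --line-numbers" listing on stdin already
# holds an ACCEPT for tcp port 22. Columns are runs of spaces, so use a regex.
has_ssh_accept() {
    grep -Eq '^[0-9]+ +ACCEPT +tcp +-- +.*dpt:22( |$)'
}

# Print the position of the last unconditional DROP in that listing (a DROP
# for all protocols, any source, any destination, no extra match), or nothing.
last_drop_position() {
    awk '$2 == "DROP" && $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && NF == 6 { n = $1 }
         END { if (n != "") print n }'
}

# Reapply only when needed; insert above the DROP instead of deleting it.
apply_ssh_rule() {
    listing="$(iptables -L INPUT -n --line-numbers)"
    if printf '%s\n' "$listing" | has_ssh_accept; then
        return 0                      # rule still there, GUI has not reset us
    fi
    logger "netupdate: ssh ACCEPT missing from INPUT, re-inserting"
    pos="$(printf '%s\n' "$listing" | last_drop_position)"
    if [ -n "$pos" ]; then
        iptables -I INPUT "$pos" -p tcp --dport 22 -j ACCEPT   # above the final DROP
    else
        iptables -A INPUT -p tcp --dport 22 -j ACCEPT          # firewall off: add no DROP
    fi
}

# Constructed sample listing (what the GUI leaves behind after a reset), for
# trying the two parsers offline.
SAMPLE_RESET='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Cron entry for this variant: */10 * * * * root /opt/bin/netupdate --apply
case "${1:-}" in --apply) apply_ssh_rule ;; esac
```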