(edit... updated detection of interfaces when user runs post-firewall)
(edit... updated pf code to make it look better mostly)
This should make it easier for you... I hope...
Perform the following, not typing the $ (that just shows it's a command 
) (this information is available here):
Code:
$ flashfs enable
$ mkdir -p /usr/local/sbin
$ vi /usr/local/sbin/post-firewall
Now, I hope you know how to use vi. Basically, to start typing stuff press i for insert. To stop, press ESC. To delete a line, press d twice (if you're not in insert mode). To save (not in insert mode), press colon, the w, then enter. To quit, press colon, then q, then enter. To save and quit, press colon, then wq, then enter 
. "Move around" with the arrow keys (this may be done in or out of insert mode). And that's all I'll cover here.
If you press i, you can paste the following into telnet/putty when you're in vi.
All of this assumes your computer's LAN IP is 192.168.1.10. If it's not, just change 192.168.1.10 to whatever it is.
Code:
#!/bin/sh
wan_if=$1
wan_ip=$2
lan_if=$3
lan_ip=$4
# no arguments
if [ "$#" -eq 0 ]; then
# reset firewall rules to defaults
iptables -t mangle -F
iptables -t mangle -X
iptables-restore /tmp/filter_rules
iptables-restore /tmp/nat_rules
wan_if=`nvram get wan_ifname`
wan_ip=`nvram get wan_ipaddr_t`
lan_if=`nvram get lan_ifname`
lan_ip=`nvram get lan_ipaddr`
fi
pf() {
# pf(port,ip,optional localport,optional protocol)
if [ $4 ]; then prot=$4; else prot=tcp; fi
out="iptables -t nat -A PREROUTING -p $prot -d $wan_ip --dport $1 -j DNAT --to $2"
if [ $3 ] && [ $1 -ne $3 ]; then out=$out:$3; fi
$out
out="iptables -A FORWARD -p $prot -d $2 --dport "
if [ "$3" ]; then out=$out$3; else out=$out$1; fi
out="$out -j ACCEPT"
$out
}
####### PORT FORWARDING #######
pf 21 192.168.1.10
pf 80 192.168.1.10
OR, you could have a much simpler (but harder to configure later) post-firewall:
Code:
#!/bin/sh
wan_if=$1
wan_ip=$2
lan_if=$3
lan_ip=$4
iptables -t nat -A PREROUTING -p tcp -d $wan_ip --dport 21 -j DNAT --to 192.168.1.10
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $wan_ip --dport 80 -j DNAT --to 192.168.1.10
iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT
Once you've gotten that in vi (vi editing /usr/local/sbin/post-firewall, of course), ESC (if you haven't already; exit insert mode), and press colon, and press wq, and press enter 
. Now type this:
Code:
$ chmod +x /usr/local/sbin/post-firewall
$ flashfs save
$ flashfs commit
If you chose the first version of post-firewall I chose you, you should be able to simply run post-firewall each time you make a modification to test it.
Otherwise, reboot (you might have to reboot the first time anyway).
I think that about covers it. To add more ports, modify post-firewall some more with vi, save it, and then type:
Code:
$ flashfs save
$ flashfs commit
Sorry if you knew all of that... If I made any mistakes, or if that doesn't work, please tell me. I'm likely to have made some, but they're probably not devastating
Reply With Quote
Originally Posted by tomilius
