
Thread: iptables set-up

  1. #1

    iptables set-up

    I was playing with the iptables setup in order to open the ssh port to the outside world and could not get out. How do I make sure that the firewall web GUI does not interfere with my settings?

    Have any local guru touched this issue? Would there be a hint for non-guru? Thanks.

    So far it seems to me that the configuration is stored in /tmp/filter_rules and then passed to iptables.

    After that I am able to change the rules through standard iptables commands, e.g. iptables -I INPUT 7 -p tcp -d xxx.xxx.xxx.xxx --dport 22 -j ACCEPT

    It seems that adding this to rc.local helps to have the port opened after a reboot, but once there is a change over the GUI it seems to get lost.
    Last edited by dolphine; 29-12-2006 at 08:02. Reason: typos

  2. #2
    Quote Originally Posted by dolphine View Post
    I was playing with the iptables setup in order to open the ssh port to the outside world and could not get out. How do I make sure that the firewall web GUI does not interfere with my settings?
    It will be difficult to keep the web GUI from messing with your settings, since the router was designed to do this.

    I'm working right now to wrap some of the primary 1.0.4.6 binaries with a shell script that will allow you to insert your own scripts both before and after the Asus binaries are run. Within your script, you can choose whether or not to run the Asus binary. With this mechanism, you should be able to hook into the web change and apply your customizations live. I plan on having a binary ready within the next few weeks.

    For now, I'd recommend setting up a cron job that periodically checks for changes to the tmp file and applies your iptables configs as necessary.

    Please let us know your progress in this thread because I'd like to do the same, but am busy with the firmware.

    - K.C.

  3. #3

    Findings & current set-up

    Hello,

    unfortunately I do not have much time to play with the device :-(. As I am also a self-learner in the area of Linux, scripting, routing, etc., I do not have the patterns to do this right; therefore what I did was just apply a "brute force" approach to make it do what I want. I am aware of the fact that it is not a "clean" solution and that it has some drawbacks, but...

    Findings (learned by experimenting and some reading, so reality may be different):

    - Any "apply" to any network configuration (including the firewall) forces the box to reset the configuration and restart some network services (e.g. also giftd, http, etc.)
    - To set the iptables rules, the scripts create config files in /tmp/ (filter_rules, nat_rules, nat_forward_rules) and probably use iptables-restore

    Current set-up:

    The following script takes care of the iptables check and setup:

    /opt/bin/netupdate
    Code:
    #!/opt/bin/bash
    
    # -L without -n resolves names, so the match would depend on /etc/services
    # mapping 22 to "ssh" (and on DNS lookups not hanging); with -n the line
    # reads "... tcp dpt:22" regardless of the box's services file.
    if iptables -L INPUT -n | grep -q "ACCEPT .*tcp .*dpt:22 *$"
            then
                    # logger "iptables INPUT rule opening ssh found, assuming no change in network configuration"
                    # uncomment the line above if you want to see in syslog that nothing is happening
                    :                                                       # bash needs at least one command here, comments alone are a syntax error
            else
                    logger "iptables INPUT does not contain rule for opening ssh, assuming reset of network configuration"
    
                    iptables -D INPUT -j DROP                               # Remove the default last rule that drops everything else
                    iptables -A INPUT -p tcp --dport 22 -j ACCEPT           # Open port 22 (ssh)
    
                                                                            # Additional rules go here (transmission 9090, enh-ctr 2706)
    
                    iptables -A INPUT -j DROP                               # Put the catch-all DROP back so everything not matched is filtered
    
                    killall giftd                                           # Kill giftd
    
                                                                            # Additional daemons (httpd, thttpd) can be killed here
            fi
    and /etc/crontab
    Code:
    SHELL=/bin/sh
    PATH=/opt/bin:/opt/sbin:/sbin:/bin:/usr/sbin:/apps/bin:/usr/bin
    MAILTO=""
    HOME=/
    # ---------- ---------- Default is Empty ---------- ---------- #
    # m h dom mon dow user command
    */10 * * * * root /opt/bin/netupdate

    Outstanding issues & possible conflicts:
    - if the box firewall is set to off (iptables INPUT chain clear, default policy ACCEPT), the above configuration effectively blocks everything except ssh by setting the iptables rules
    - torrent performance (which is still very slow compared to uTorrent) is not better after opening the ports on which the client listens :-( (thought it would help). transmission is still way faster than enhanced-ctorrent, but 1/5 of uTorrent (which may benefit from DHT?). Still, it (transmissioncli) gets to 1/30 of the line capacity
    - GUI for torrent: not yet played with (why?), there is CTCS for enhanced-ctorrent and a native client for transmission, both require some attention (e.g. perl, which is not available). CTCS is available in the unstable ipkg resource
    Last edited by dolphine; 21-01-2007 at 08:07. Reason: Updated scripts to log through syslog
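An added example, not dolphine's /opt/bin/netupdate and not code from the Asus or Oleg firmware, that reworks the same idea with the two points a practitioner would want: the check is made against `iptables-save` output (so it does not depend on name resolution), and the ssh rule is inserted at position 1 instead of deleting the catch-all DROP and appending it again, which leaves the chain fully open for a moment. It also handles the "firewall switched off in the GUI" case from the outstanding-issues list by refusing to add rules when the INPUT policy is ACCEPT and there is no catch-all DROP, and it includes the "check the tmp file for changes" approach from post #2. /tmp/filter_rules is from the thread; the state file /tmp/netupdate.md5, the NETUPDATE_APPLY switch and the sample listings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware). Decide from an
# iptables-save listing whether the GUI has reset INPUT and reinsert the
# ssh rule. Assumed names: STATE_FILE and NETUPDATE_APPLY are not from the thread.

RULES_FILE=${RULES_FILE:-/tmp/filter_rules}    # written by the GUI (from the thread)
STATE_FILE=${STATE_FILE:-/tmp/netupdate.md5}   # assumption: where we remember its checksum
SSH_PORT=${SSH_PORT:-22}

# input_policy: print the INPUT chain policy (ACCEPT/DROP) from an
# iptables-save listing supplied on stdin.
input_policy() {
    sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# has_ssh_rule: succeed if the listing on stdin already accepts tcp/$SSH_PORT
# on INPUT. iptables-save prints numbers, so no /etc/services or DNS is involved.
has_ssh_rule() {
    grep -q -- "^-A INPUT .*-p tcp .*--dport $SSH_PORT .*-j ACCEPT"
}

# has_final_drop: succeed if the chain carries the GUI's catch-all DROP.
has_final_drop() {
    grep -q -- '^-A INPUT -j DROP$'
}

# plan_action: read an iptables-save listing on stdin and print one of
#   noop      - ssh rule present, nothing to do
#   reinsert  - firewall active (policy DROP or catch-all DROP) but rule missing
#   skip-open - firewall off in the GUI (policy ACCEPT, no catch-all DROP);
#               adding rules here would block everything except ssh
plan_action() {
    listing=$(cat)
    if printf '%s\n' "$listing" | has_ssh_rule; then
        echo noop
    elif [ "$(printf '%s\n' "$listing" | input_policy)" = ACCEPT ] \
         && ! printf '%s\n' "$listing" | has_final_drop; then
        echo skip-open
    else
        echo reinsert
    fi
}

# rules_file_changed FILE STATE: succeed (and record the new checksum) if the
# file the GUI writes has different content than at the last run.
rules_file_changed() {
    new=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    printf '%s\n' "$new" > "$2"
    return 0
}

# apply_plan PLAN: run the live iptables command for a plan. Inserting at
# position 1 keeps the GUI's catch-all DROP in place the whole time.
apply_plan() {
    case "$1" in
        reinsert)
            logger "netupdate: INPUT chain reset by GUI, reinserting tcp/$SSH_PORT"
            iptables -I INPUT 1 -p tcp --dport "$SSH_PORT" -j ACCEPT
            ;;
        skip-open)
            logger "netupdate: firewall off in GUI, leaving INPUT alone"
            ;;
    esac
}

# Constructed sample listings (not captured from a router) for a dry run.
SAMPLE_AFTER_GUI_RESET=':INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -j DROP
COMMIT'
SAMPLE_WITH_SSH=':INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -j DROP
COMMIT'
SAMPLE_FIREWALL_OFF=':INPUT ACCEPT [0:0]
COMMIT'

# Only touch the live firewall when asked (cron: NETUPDATE_APPLY=1 /opt/bin/netupdate);
# otherwise print the plan for each sample listing.
if [ "${NETUPDATE_APPLY:-0}" = 1 ]; then
    rules_file_changed "$RULES_FILE" "$STATE_FILE" && logger "netupdate: $RULES_FILE rewritten by GUI"
    apply_plan "$(iptables-save | plan_action)"
else
    for s in "$SAMPLE_AFTER_GUI_RESET" "$SAMPLE_WITH_SSH" "$SAMPLE_FIREWALL_OFF"; do
        printf '%s\n' "$s" | plan_action
    done
fi
```

The checksum only notices a change in the file's content; when the GUI rewrites identical rules the chain is still reset, so the decision is always taken from the live `iptables-save` listing and the checksum is just logged. The dry run prints reinsert, noop and skip-open for the three samples.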
