On Saturday, 2012-12-22 at 15:39:25 -0500, Brian J. Murrell wrote:
> I want to write firewall rules that allow the router to send traffic to
> specific hosts in the lan zone.  i.e. syslog to a syslog server.

> I can't seem to figure out what the "src" value for such a rule would
> be.

The address of the "lan" interface of your router, of course.

> Of course it's important that the output interface be included in
> addition to the destination address/port to ensure that packets
> are going to the correct network.

> Any hints, examples, etc.?

I apologize for the complexity of this. It was generated by fwbuilder
from an fwbuilder rule that contains a lot more than you need. And
fwbuilder uses chains a lot.

    $IPTABLES -N Cid44955C19.0
    $IPTABLES -A OUTPUT -o br-lan -s 172.17.0.1 -d 172.17.0.0/24 -m state --state NEW -j Cid44955C19.0
    $IPTABLES -A Cid44955C19.0 -p icmp -m icmp --icmp-type any -j ACCEPT
    $IPTABLES -A Cid44955C19.0 -p tcp -m tcp -m multiport --dports 9103,53,3493,25 -j ACCEPT
    $IPTABLES -A Cid44955C19.0 -p udp -m udp -m multiport --dports 68,53,123,514 -j ACCEPT

This means:

    $IPTABLES -N Cid44955C19.0
create a new chain called Cid44955C19.0
    $IPTABLES -A OUTPUT -o br-lan -s 172.17.0.1 -d 172.17.0.0/24 -m state --state NEW -j Cid44955C19.0
send traffic from OpenWRT to the internal net to it
    $IPTABLES -A Cid44955C19.0 -p icmp -m icmp --icmp-type any -j ACCEPT
allow any ICMP traffic
    $IPTABLES -A Cid44955C19.0 -p tcp -m tcp -m multiport --dports 53,25 -j ACCEPT
allow DNS over TCP and SMTP
    $IPTABLES -A Cid44955C19.0 -p udp -m udp -m multiport --dports 68,53,123,514 -j ACCEPT
allow BootP, DNS over UDP, NTP, Syslog.
After this, the unmatched packets go back to the OUTPUT chain.

I guess for you, this might work:

    $IPTABLES -A OUTPUT -o br-lan -s 172.17.0.1 -d 172.17.0.0/24 -m state --state NEW -p udp -m udp --dport 514 -j ACCEPT

Disclaimer: I don't know the iptables command too well, I use fwbuilder
for the heavy lifting.

So if somebody can correct the single line, above, please do.

Lupe Christoph
--
| It is a well-known fact in any organisation that, if you want a job    |
| done, you should give it to someone who is already very busy.          |
| Terry Pratchett, "Unseen Academicals"                                  |
_______________________________________________
openwrt-users mailing list
https://lists.openwrt.org/mailman/listinfo/openwrt-users
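The pattern Lupe describes (a dedicated chain fed from OUTPUT, matched on output interface, router source address and LAN destination subnet, with per-service ACCEPTs) as an added, stand-alone script. This is example code written for this thread, not Lupe's fwbuilder output and not part of OpenWrt; the chain name router_to_lan, the variables LAN_IF/ROUTER_IP/LAN_NET and the function names are assumptions. IPTABLES defaults to "echo iptables" so the script prints the rules it would apply instead of touching the firewall; run it as root with IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example for the openwrt-users thread above; not fwbuilder output.
# Builds an OUTPUT sub-chain for traffic the router itself originates
# toward the LAN, bound to the LAN interface and the router's LAN address.
# Default is a dry run (rules are echoed); IPTABLES=iptables applies them.

IPTABLES="${IPTABLES:-echo iptables}"

# Hypothetical values; adjust to the router's actual interface/addresses.
LAN_IF="br-lan"
ROUTER_IP="172.17.0.1"
LAN_NET="172.17.0.0/24"
CHAIN="router_to_lan"

# router_to_lan_rules IFACE SRC_ADDR DST_NET UDP_PORTS TCP_PORTS
#   UDP_PORTS/TCP_PORTS are comma-separated lists for multiport (max 15 each);
#   either may be empty. Emits the chain creation, the OUTPUT hook and the
#   per-protocol ACCEPTs, then an explicit RETURN so unmatched packets fall
#   back to the rest of OUTPUT (the same behaviour as the fwbuilder chain).
router_to_lan_rules() {
    ifc=$1; src=$2; dst=$3; udp=$4; tcp=$5

    $IPTABLES -N "$CHAIN"

    # The -o match is what ties the rule to the right network: -d alone
    # would also accept the packet if it were about to leave on another
    # interface (e.g. after a routing mistake). -s pins the source to the
    # router's LAN address, so a spoofed or WAN-sourced packet does not match.
    $IPTABLES -A OUTPUT -o "$ifc" -s "$src" -d "$dst" \
        -m state --state NEW -j "$CHAIN"

    if [ -n "$udp" ]; then
        $IPTABLES -A "$CHAIN" -p udp -m udp -m multiport --dports "$udp" -j ACCEPT
    fi
    if [ -n "$tcp" ]; then
        $IPTABLES -A "$CHAIN" -p tcp -m tcp -m multiport --dports "$tcp" -j ACCEPT
    fi

    $IPTABLES -A "$CHAIN" -j RETURN
}

# syslog_only_rule IFACE SRC_ADDR DST_NET
#   The single-rule variant from the mail: only UDP/514 (syslog) from the
#   router to the LAN, no extra chain.
syslog_only_rule() {
    $IPTABLES -A OUTPUT -o "$1" -s "$2" -d "$3" \
        -m state --state NEW -p udp -m udp --dport 514 -j ACCEPT
}

# Same services as the fwbuilder chain in the mail: BootP, DNS, NTP, syslog
# over UDP; DNS and SMTP over TCP.
router_to_lan_rules "$LAN_IF" "$ROUTER_IP" "$LAN_NET" "68,53,123,514" "53,25"
```

On current kernels `-m conntrack --ctstate NEW` is the preferred spelling of `-m state --state NEW`; both match the same thing here. The rules only make sense if OUTPUT's policy (or a later rule) drops what they do not accept; with the default ACCEPT policy they are a no-op.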
