Re: [OpenWrt-Devel] IPTables/NAT

2015-07-11 Thread Lars Kruse
Hi John,

> I have to enable NAT with a MASQUERADING target,
> and to block the GUI from WAN have to server bind only the bridge address.
> Could anyone tell me how I can do it in the GUI itself?

You should probably ask this kind of question on the openwrt-users mailing
list:
 https://lists.openwrt.org/cgi-bin/mailman/listinfo/


Anyway:
You should take a look at Administration - Networking - Firewall in the web
interface. There you will find everything for your task.
Additional information is to be found here:
 http://wiki.openwrt.org/doc/uci/firewall
(just read the introduction of each section - skip the long tables of options)

As far as I understand your goals, everything should be configured properly by
default.

Cheers,
Lars
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
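
The two properties asked about in this thread (MASQUERADE on the WAN zone, router services not accepted from WAN) can be checked against a UCI firewall config with a short script. This is an added example, not code from the thread or from OpenWrt; the function names `audit_wan_zone`, `sample_default` and `sample_weak` are hypothetical, and both sample configs are constructed, the first modelled on the zone section of a stock `/etc/config/firewall`. It assumes the WAN zone is named `wan` and only flags an explicit `input 'ACCEPT'`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a UCI firewall config on stdin.
# Prints one finding per line; prints nothing if the wan zone looks right.
audit_wan_zone() {
    awk -v q="'" '
    function val(s) { gsub("[" q "\"]", "", s); return s }  # strip UCI quotes
    function flush() {
        if (!inzone || name != "wan") return
        seen = 1
        if (masq !~ /^(1|yes|on|true|enabled)$/)
            print "wan: masq off, LAN clients are not MASQUERADEd"
        if (input == "ACCEPT")
            print "wan: input ACCEPT, router services (web GUI) reachable from WAN"
    }
    $1 == "config" { flush(); inzone = ($2 == "zone"); name = masq = input = ""; next }
    inzone && $1 == "option" && $2 == "name"  { name  = val($3) }
    inzone && $1 == "option" && $2 == "masq"  { masq  = val($3) }
    inzone && $1 == "option" && $2 == "input" { input = val($3) }
    END { flush(); if (!seen) print "wan: zone not found" }
    '
}

# Constructed sample: zone layout modelled on a stock /etc/config/firewall.
sample_default() { cat <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
EOF
}

# Constructed sample: a misconfigured wan zone (no masq, input accepted).
sample_weak() { cat <<'EOF'
config zone
    option name 'wan'
    option input 'ACCEPT'
    option forward 'REJECT'
EOF
}

sample_weak | audit_wan_zone
```

On a router the same function can be fed the live file with `audit_wan_zone < /etc/config/firewall`.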


[OpenWrt-Devel] IPTables/NAT

2015-07-09 Thread John kerry
Hi,

I have to enable NAT with a MASQUERADING target,
and to block the GUI from WAN have to server bind only the bridge address.
Could anyone tell me how I can do it in the GUI itself?

Thanks & Regards,
John


Re: [OpenWrt-Devel] IPtables/NAT

2015-07-05 Thread Florian Fainelli
Hi,

On 5 Jul 2015 20:20, John kerry kerry9...@gmail.com wrote:

> Hi,
>
> Hope you are doing great. I am working on Atheros QSDK.

You might get better support by contacting whoever maintains this QSDK as
it is an OpenWrt derivative, however as far as OpenWrt is concerned, see
below.

> I am able to compile the source code successfully and able to upgrade the
> firmware using openWRT Luci GUI too. The OpenWRT being a linux distro for
> embedded platform already has IPtables implemented. Before compiling the
> source code I have to do a make menuconfig and enable the netfilter module
> in networking. This would enable IPtables and compile it. Is my
> understanding correct?

By default, OpenWrt comes with iptables and netfilter enabled.

> Could you please guide me to write the Iptables rule. Basically I have to
> write the rules for iptables/NAT for the following condition.
> Router mode with NAT and iptables, the web page access to be available
> only to LAN (WiFi/Wired).
> I have one LAN and one WAN Connection, the LAN ip set to some static IP
> to access the GUI.

All of this is done by default by OpenWrt provided that you keep the
default selection of packages. You may have to ask the build system to
include luci (web gui) to include it in the image creation.

A lot of this is covered in detail on the wiki; of course, working with
QSDK instead of the mainline OpenWrt, your mileage may vary.


Re: [OpenWrt-Devel] IPtables/NAT

2015-07-05 Thread Alpha Sparc
Hi

Any changes required to QSDK to compile successfully?


[OpenWrt-Devel] IPtables/NAT

2015-07-05 Thread John kerry
Hi,

Hope you are doing great. I am working on Atheros QSDK. I am able to
compile the source code successfully and able to upgrade the firmware using
openWRT Luci GUI too. The OpenWRT being a linux distro for embedded
platform already has IPtables implemented. Before compiling the source code
I have to do a make menuconfig and enable the netfilter module in
networking. This would enable IPtables and compile it. Is my understanding
correct?

Could you please guide me to write the Iptables rule. Basically I have to
write the rules for iptables/NAT for the following condition.
Router mode with NAT and iptables, the web page access to be available only
to LAN (WiFi/Wired).
I have one LAN and one WAN Connection, the LAN ip set to some static IP to
access the GUI.

Thanks & Regards,
John


[OpenWrt-Devel] iptables NAT not being updated on WAN changes

2010-04-18 Thread Nuno Gonçalves
I have internet connections at eth0.2 and eth1.

Config is like this:

config interface wan
        option ifname   eth1
        option proto    dhcp

After boot connection is ok. Computers behind router get NATed internet.
Then I do ifdown wan, change eth1 to eth0.2 and ifup wan.
Computers start getting Destination port unreachable to ping
request. Inside the router I can ping the internet.

Rebooting (with eth1 or eth0.2 selected, doesn't care) brings NATed
connection back.
/etc/init.d/network restart doesn't.

r...@openwrt:/# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination
ACCEPT all  --  anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all  --  anywhere anywhere
syn_flood  tcp  --  anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
input_rule  all  --  anywhere anywhere
input  all  --  anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source   destination
zone_wan_MSSFIX  all  --  anywhere anywhere
ACCEPT all  --  anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere anywhere
forward  all  --  anywhere anywhere
reject all  --  anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination
ACCEPT all  --  anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all  --  anywhere anywhere
output_rule  all  --  anywhere anywhere
output all  --  anywhere anywhere
Chain forward (1 references)
target prot opt source   destination
zone_lan_forward  all  --  anywhere anywhere
zone_wan_forward  all  --  anywhere anywhere

Chain forwarding_lan (1 references)
target prot opt source   destination

Chain forwarding_rule (1 references)
target prot opt source   destination

Chain forwarding_wan (1 references)
target prot opt source   destination

Chain input (1 references)
target prot opt source   destination
zone_lan   all  --  anywhere anywhere
zone_wan   all  --  anywhere anywhere

Chain input_lan (1 references)
target prot opt source   destination

Chain input_rule (1 references)
target prot opt source   destination

Chain input_wan (1 references)
target prot opt source   destination

Chain output (1 references)
target prot opt source   destination
zone_lan_ACCEPT  all  --  anywhere anywhere
zone_wan_ACCEPT  all  --  anywhere anywhere

Chain output_rule (1 references)
target prot opt source   destination

Chain reject (5 references)
target prot opt source   destination
REJECT tcp  --  anywhere anywhere reject-with tcp-reset
REJECT all  --  anywhere anywhere reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target prot opt source   destination
RETURN tcp  --  anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP   all  --  anywhere anywhere

Chain zone_lan (1 references)
target prot opt source   destination
input_lan  all  --  anywhere anywhere
zone_lan_ACCEPT  all  --  anywhere anywhere

Chain zone_lan_ACCEPT (2 references)
target prot opt source   destination
ACCEPT all  --  anywhere anywhere
ACCEPT all  --  anywhere anywhere

Chain zone_lan_DROP (0 references)
target prot opt source   destination
DROP   all  --  anywhere anywhere
DROP   all  --  anywhere anywhere

Chain zone_lan_MSSFIX (0 references)
target prot opt source   destination
TCPMSS tcp  --  anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_lan_REJECT (1 references)
target prot opt source   destination
reject all  --  anywhere anywhere
reject all  --  anywhere anywhere

Chain zone_lan_forward (1 references)
target prot opt source   destination
zone_wan_ACCEPT  all  --  anywhere anywhere
forwarding_lan  all  --  anywhere anywhere
zone_lan_REJECT  all  --  anywhere anywhere

Chain zone_wan (1 references)
target prot opt source   destination
ACCEPT udp  --  anywhere anywhere udp dpt:68
ACCEPT icmp --  anywhere anywhere icmp echo-request
input_wan  all  --  anywhere anywhere
zone_wan_REJECT  all  --  anywhere anywhere

Chain zone_wan_ACCEPT (2 references)
target prot opt source   destination
ACCEPT all 

Re: [OpenWrt-Devel] iptables NAT not being updated on WAN changes

2010-04-18 Thread Matthias Buecher / Germany
Also tried /etc/init.d/firewall restart after restarting the network?

Maddes


Re: [OpenWrt-Devel] iptables NAT not being updated on WAN changes

2010-04-18 Thread Matthias Buecher / Germany
You have to take care of it.

Maddes

On 18.04.2010 23:41, Nuno Gonçalves wrote:
>> From: Matthias Buecher / Germany m...@maddes.net
>> To: OpenWrt Development List openwrt-devel@lists.openwrt.org
>> Subject: Re: [OpenWrt-Devel] iptables NAT not being updated on WAN changes
>> Message-ID: 4bcb1ad8.3000...@maddes.net
>> Content-Type: text/plain; charset=UTF-8
>>
>> Also tried /etc/init.d/firewall restart after restarting the network?
>>
>> Maddes
>
> Restarting the firewall works. Is that something that I should do
> manually or just a bug?
>
> Regards
