Re: [OpenWrt-Devel] IPTables/NAT
Hi John,

> I have to enable NAT with a MASQUERADING target, and to block the GUI from WAN have to server bind only the bridge address. Could anyone tell me how I can do it in the GUI itself?

You should probably ask this kind of question on the openwrt-users mailing list: https://lists.openwrt.org/cgi-bin/mailman/listinfo/

Anyway: You should take a look at Administration - Networking - Firewall in the web interface. There you will find everything for your task.

Additional information is to be found here: http://wiki.openwrt.org/doc/uci/firewall (just read the introduction of each section - skip the long tables of options)

As far as I understand your goals, everything should be configured properly by default.

Cheers,
Lars

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] IPTables/NAT
Hi,

I have to enable NAT with a MASQUERADING target, and to block the GUI from WAN have to server bind only the bridge address. Could anyone tell me how I can do it in the GUI itself?

Thanks

Regards,
John
Re: [OpenWrt-Devel] IPtables/NAT
Hi,

On 5 Jul 2015 20:20, John kerry kerry9...@gmail.com wrote:
> Hi,
>
> Hope you are doing great.
>
> I am working on Atheros QSDK.

You might get better support by contacting whoever maintains this QSDK as it is an OpenWrt derivative, however as far as OpenWrt is concerned, see below.

> I am able to compile the source code successfully and able to upgrade the firmware using openWRT Luci GUI too. The OpenWRT being a linux distro for embedded platform already has IPtables implemented. Before compiling the source code I have to do a make menuconfig and enable the netfilter module in networking. This would enable IPtables and compile it. Is my understanding correct?

By default, OpenWrt comes with iptables and netfilter enabled.

> Could you please guide me to write the Iptables rule. Basically I have to write the rules for iptables/NAT for the following condition. Router mode with NAT and iptables, the web page access to be available only to LAN (WiFi/Wired). I have one LAN and one WAN Connection, the LAN ip set to some static IP to access the GUI.

All of this is done by default by OpenWrt provided that you keep the default selection of packages. You may have to ask the build system to include luci (web gui) to include it in the image creation.

A lot of this is covered in detail on the wiki, of course, working with QSDK instead of the mainline OpenWrt, your mileage may vary.
Re: [OpenWrt-Devel] IPtables/NAT
Hi

Any changes required to QSDK to compile successfully?

On Jul 6, 2015 11:21 AM, John kerry kerry9...@gmail.com wrote:
> Hi,
>
> Hope you are doing great.
>
> I am working on Atheros QSDK. I am able to compile the source code successfully and able to upgrade the firmware using openWRT Luci GUI too. The OpenWRT being a linux distro for embedded platform already has IPtables implemented. Before compiling the source code I have to do a make menuconfig and enable the netfilter module in networking. This would enable IPtables and compile it. Is my understanding correct?
>
> Could you please guide me to write the Iptables rule. Basically I have to write the rules for iptables/NAT for the following condition. Router mode with NAT and iptables, the web page access to be available only to LAN (WiFi/Wired). I have one LAN and one WAN Connection, the LAN ip set to some static IP to access the GUI.
>
> Thanks
>
> Regards,
> John
[OpenWrt-Devel] IPtables/NAT
Hi,

Hope you are doing great.

I am working on Atheros QSDK. I am able to compile the source code successfully and able to upgrade the firmware using openWRT Luci GUI too. The OpenWRT being a linux distro for embedded platform already has IPtables implemented. Before compiling the source code I have to do a make menuconfig and enable the netfilter module in networking. This would enable IPtables and compile it. Is my understanding correct?

Could you please guide me to write the Iptables rule. Basically I have to write the rules for iptables/NAT for the following condition. Router mode with NAT and iptables, the web page access to be available only to LAN (WiFi/Wired). I have one LAN and one WAN Connection, the LAN ip set to some static IP to access the GUI.

Thanks

Regards,
John
[OpenWrt-Devel] iptables NAT not being updated on WAN changes
I have internet connections at eth0.2 and eth1.

Config is like this:

config interface wan
        option ifname   eth1
        option proto    dhcp

After boot connection is ok. Computers behind router get NATed internet.

Then I do ifdown wan, change eth1 to eth0.2 and ifup wan.

Computers start getting Destination port unreachable to ping request. Inside the router I can ping the internet.

Rebooting (with eth1 or eth0.2 selected, doesn't care) brings NATed connection back. /etc/init.d/network restart doesn't.

r...@openwrt:/# iptables -L
Chain INPUT (policy ACCEPT)
target           prot opt source    destination
ACCEPT           all  --  anywhere  anywhere     state RELATED,ESTABLISHED
ACCEPT           all  --  anywhere  anywhere
syn_flood        tcp  --  anywhere  anywhere     tcp flags:FIN,SYN,RST,ACK/SYN
input_rule       all  --  anywhere  anywhere
input            all  --  anywhere  anywhere

Chain FORWARD (policy DROP)
target           prot opt source    destination
zone_wan_MSSFIX  all  --  anywhere  anywhere
ACCEPT           all  --  anywhere  anywhere     state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere  anywhere
forward          all  --  anywhere  anywhere
reject           all  --  anywhere  anywhere

Chain OUTPUT (policy ACCEPT)
target           prot opt source    destination
ACCEPT           all  --  anywhere  anywhere     state RELATED,ESTABLISHED
ACCEPT           all  --  anywhere  anywhere
output_rule      all  --  anywhere  anywhere
output           all  --  anywhere  anywhere

Chain forward (1 references)
target           prot opt source    destination
zone_lan_forward all  --  anywhere  anywhere
zone_wan_forward all  --  anywhere  anywhere

Chain forwarding_lan (1 references)
target           prot opt source    destination

Chain forwarding_rule (1 references)
target           prot opt source    destination

Chain forwarding_wan (1 references)
target           prot opt source    destination

Chain input (1 references)
target           prot opt source    destination
zone_lan         all  --  anywhere  anywhere
zone_wan         all  --  anywhere  anywhere

Chain input_lan (1 references)
target           prot opt source    destination

Chain input_rule (1 references)
target           prot opt source    destination

Chain input_wan (1 references)
target           prot opt source    destination

Chain output (1 references)
target           prot opt source    destination
zone_lan_ACCEPT  all  --  anywhere  anywhere
zone_wan_ACCEPT  all  --  anywhere  anywhere

Chain output_rule (1 references)
target           prot opt source    destination

Chain reject (5 references)
target           prot opt source    destination
REJECT           tcp  --  anywhere  anywhere     reject-with tcp-reset
REJECT           all  --  anywhere  anywhere     reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target           prot opt source    destination
RETURN           tcp  --  anywhere  anywhere     tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP             all  --  anywhere  anywhere

Chain zone_lan (1 references)
target           prot opt source    destination
input_lan        all  --  anywhere  anywhere
zone_lan_ACCEPT  all  --  anywhere  anywhere

Chain zone_lan_ACCEPT (2 references)
target           prot opt source    destination
ACCEPT           all  --  anywhere  anywhere
ACCEPT           all  --  anywhere  anywhere

Chain zone_lan_DROP (0 references)
target           prot opt source    destination
DROP             all  --  anywhere  anywhere
DROP             all  --  anywhere  anywhere

Chain zone_lan_MSSFIX (0 references)
target           prot opt source    destination
TCPMSS           tcp  --  anywhere  anywhere     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_lan_REJECT (1 references)
target           prot opt source    destination
reject           all  --  anywhere  anywhere
reject           all  --  anywhere  anywhere

Chain zone_lan_forward (1 references)
target           prot opt source    destination
zone_wan_ACCEPT  all  --  anywhere  anywhere
forwarding_lan   all  --  anywhere  anywhere
zone_lan_REJECT  all  --  anywhere  anywhere

Chain zone_wan (1 references)
target           prot opt source    destination
ACCEPT           udp  --  anywhere  anywhere     udp dpt:68
ACCEPT           icmp --  anywhere  anywhere     icmp echo-request
input_wan        all  --  anywhere  anywhere
zone_wan_REJECT  all  --  anywhere  anywhere

Chain zone_wan_ACCEPT (2 references)
target           prot opt source    destination
ACCEPT           all
Re: [OpenWrt-Devel] iptables NAT not being updated on WAN changes
Also tried /etc/init.d/firewall restart after restarting the network?

Maddes

On 18.04.2010 16:38, Nuno Gonçalves wrote:
> I have internet connections at eth0.2 and eth1.
>
> Config is like this:
>
> config interface wan
>         option ifname   eth1
>         option proto    dhcp
>
> After boot connection is ok. Computers behind router get NATed internet.
>
> Then I do ifdown wan, change eth1 to eth0.2 and ifup wan.
>
> Computers start getting Destination port unreachable to ping request. Inside the router I can ping the internet.
>
> Rebooting (with eth1 or eth0.2 selected, doesn't care) brings NATed connection back. /etc/init.d/network restart doesn't.
Re: [OpenWrt-Devel] iptables NAT not being updated on WAN changes
You have to take care of it.

Maddes

On 18.04.2010 23:41, Nuno Gonçalves wrote:
> > From: Matthias Buecher / Germany m...@maddes.net
> > To: OpenWrt Development List openwrt-devel@lists.openwrt.org
> > Subject: Re: [OpenWrt-Devel] iptables NAT not being updated on WAN changes
> > Message-ID: 4bcb1ad8.3000...@maddes.net
> > Content-Type: text/plain; charset=UTF-8
> >
> > Also tried /etc/init.d/firewall restart after restarting the network?
> >
> > Maddes
>
> Restarting the firewall works. Is that something that I should do manually or just a bug?
>
> Regards
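
A check for the condition discussed in this thread, added here as an example and not taken from any of the posts: it reads iptables-save output and lists the rules still bound to an interface that is no longer in use. The sample rules, the assumption that the zone chains carry -i/-o with the WAN device name, the br-lan bridge name and the function name stale_rules are all constructed for illustration.

```python
import shlex

# Constructed iptables-save excerpt (assumption): the zone chains were
# generated while the WAN device was eth1, so they carry -i/-o eth1.
SAMPLE_RULES = """\
*nat
-A POSTROUTING -j zone_wan_nat
-A zone_wan_nat -o eth1 -j MASQUERADE
COMMIT
*filter
-A zone_lan_ACCEPT -i br-lan -j ACCEPT
-A zone_wan_ACCEPT -o eth1 -j ACCEPT
-A zone_wan_REJECT -i eth1 -j reject
-A zone_lan_forward -j zone_wan_ACCEPT
-A zone_lan_forward -j zone_lan_REJECT
COMMIT
"""


def _is_live(pattern, live_ifaces):
    # iptables treats a trailing "+" as a prefix wildcard (eth+ matches eth0.2).
    if pattern.endswith("+"):
        return any(name.startswith(pattern[:-1]) for name in live_ifaces)
    return pattern in live_ifaces


def stale_rules(save_text, live_ifaces):
    """Return (table, chain, iface, target) for each rule whose -i/-o
    interface is not among live_ifaces."""
    stale, table = [], None
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header such as *nat
            table = line[1:]
            continue
        if not line.startswith("-A "):    # skip COMMIT, counters, comments
            continue
        tok = shlex.split(line)
        target = tok[tok.index("-j") + 1] if "-j" in tok else None
        for flag in ("-i", "-o"):
            if flag in tok:
                iface = tok[tok.index(flag) + 1]
                if not _is_live(iface, live_ifaces):
                    stale.append((table, tok[1], iface, target))
    return stale


if __name__ == "__main__":
    # WAN was moved from eth1 to eth0.2 without regenerating the rules.
    for hit in stale_rules(SAMPLE_RULES, {"br-lan", "eth0.2"}):
        print("stale: table=%s chain=%s iface=%s target=%s" % hit)
```

With these sample rules, forwarded LAN traffic leaving through eth0.2 no longer matches zone_wan_ACCEPT and falls through to zone_lan_REJECT, which is consistent with the "Destination port unreachable" replies reported above.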