Configuring the dd-wrt firewall
Iptables is a powerful administration tool for IPv4 packet filtering and NAT. It is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.
Iptables commands can be entered by command line interface, and/or saved as a Firewall script in the dd-wrt Administration panel. I tend to recommend testing and confirming your rules at the command line first. This way, if you happen to make a big mistake (like blocking access to the router), simply rebooting the router should repair it rather than having to do a hard reset. To get your rules to survive a reboot of the router, save them in a Firewall script as mentioned earlier.
I think we should have something about Firewall Builder on this page, since they're kind of related.
Firewall Forwarded Ports
If you have enabled the SPI firewall feature on DD-WRT, your router is already well protected. One practical use of iptables, however, is restricting access to ports that are forwarded to internal IP addresses. The simplest way to do this is:
- Create the port forwards to internal IP addresses using the DD-WRT "Port Forwarding" web interface
- Supplement those rules with custom iptables rules in the Firewall script (Administration - Commands) to restrict which hosts can reach the forwarded ports
Logging
You can turn on logging temporarily for any of your rules. This is useful when you are testing a new setup and want to confirm that the rules block or allow what you intend. First enable logging in the web UI on the Security - Firewall tab. Then substitute the jump target ("-j") of each iptables rule with the corresponding logging target:
- DROP with logdrop
- REJECT with logreject
- ACCEPT with logaccept
For example, if you wanted to check and confirm that traffic forwarded to port 21 is correctly dropped, you would substitute logdrop for DROP in that rule:
Logged data can be viewed in the web UI on the same page, or at the command prompt in the file "/var/log/messages".
Stateful firewall
A better IP firewall, a stateful firewall, passes packets one by one and, where possible (e.g. TCP and UDP), tracks the connection. A stateful firewall can additionally moderate trackable traffic by:
- number of connections per (source/destination) IP address
- number of connections per interface
- number of connection attempts ("SYN" attacks, packet storms)
Tables, Chains, and Targets
Tables
The main tables we are concerned with are the "filter" table and the "nat" table. To list the contents of either table, do
The filter table is default and this includes chains like INPUT, OUTPUT, and FORWARD. The nat table is for Network Address Translation and it includes the PREROUTING and POSTROUTING chains.
Chains
INPUT is for packets destined to or entering the router's local sockets.
OUTPUT is for packets sourced from or leaving the router's local sockets.
FORWARD is for packets being forwarded through the router (i.e. packets passing through, not destined for the router's local sockets).
PREROUTING is for manipulating packets before they are routed.
POSTROUTING is for manipulating packets after they are routed.
Targets
ACCEPT - packets are accepted/allowed
DROP - packets are dropped/denied (Router does NOT send a response back)
REJECT - packets are rejected/denied (Router DOES send a response back)
logaccept - packets are accepted and logged to /tmp/var/log/messages
logdrop - packets are dropped and logged to /tmp/var/log/messages
logreject - packets are rejected and logged to /tmp/var/log/messages
DNAT is for altering a packet's destination address.
SNAT is for altering a packet's source address.
TRIGGER - dynamically redirect input ports based on output traffic (aka port triggering)
TRIGGER Target Options
The TRIGGER target has additional options, which must appear immediately after it on the command line.
DD-WRT firewall - iptables
DD-WRT has packet filtering firewall, stateful firewall, NAT and proxy functionality.
The default internal network layout has two networks (non-802.11n example!):
- vlan0 (built-in hardware switch), software-bridged with eth1 (wireless access point): the LAN, private IP subnet 192.168.1.0/24, with IP configurations leased to clients by a DHCP server.
- vlan1: the WAN, with an IP configuration normally acquired via a DHCP client.
There is a default IP firewall with NAT between the vlan0 and vlan1 network devices (on non-802.11n hardware).
The purpose of the firewall is to moderate traffic and/or log it. Most firewalls are made for moderating IP traffic and are called IP firewalls.
The simplest IP firewall has two physical interfaces, normally referred to as inside (LAN) and outside (WAN, the Internet). It has two main access control lists (ACLs), e.g. named inside2outside and outside2inside.
Firewall blocks DHCP renewal responses
The default configuration of the firewall blocks DHCP renewal responses, which causes the router's DHCP client to request a new IP and current connections to be dropped, whether the address changes or not. ~phuzi0n Use this command to fix it. Replace ACCEPT with logaccept to verify that it is functioning.
Packet filter firewall
The simplest IP firewall, a packet filter firewall, passes or drops packets one by one based on:
- source IP address
- destination IP address
- if TCP or UDP:
  - source TCP/UDP port
  - destination TCP/UDP port
Firewall difficult protocols
Some protocols signal a port jump in-line and/or create connections in one or both directions "at will". A firewall that can moderate that kind of traffic needs to inspect the traffic stream. To do that, a firewall must have transparent proxies; it is then called an application firewall.
- FTP passive
- FTP active: if you enable proxy support for active FTP, your firewall can be "punctured" from the Internet and is therefore almost useless.
- Media streams (Media Player, iTunes):
  - RTSP
  - RealMedia
- Conferencing
- VoIP, IP telephony:
  - H.323
  - SIP
Commands
Examples
I think examples are the best way to demonstrate the use of iptables. (Note: chain names are typed in capitals, as shown!)
Listing the rules in a chain
First I want to view the rules in my INPUT chain; this is the first chain that traffic coming into my router hits.
You will find that listing many rules is really slow after you enter the above iptables command, since it does reverse DNS lookups to convert IP addresses to host names. Add the -n option to see numerical addresses only. Note: '0.0.0.0/0' = 'anywhere' (any IP address), and prot '0' = 'any' protocol.
To get a more detailed list with actual IP numbers and packet counts for each rule, do this.
Please always use -vnL when troubleshooting, especially if you're asking for help on the forums. Anything less hides valuable information; the shorter forms are explained on this page only for reference.
Suppose I might want to add a rule so that I can ssh into my router from a specific host/address outside. Then I might type the following:
So I am saying: append to the INPUT chain a rule allowing protocol tcp, with a source address of 123.45.67.89, for traffic destined to port 22 on my router, and jump to logaccept. I could have used -j ACCEPT, which simply jumps to ACCEPT, but in this case I want to log it to keep track, so I use logaccept, which is a chain set up for this purpose.
Note: Simply adding a rule to the INPUT chain may be enough to allow remote SSH access from the WAN. However, if your router is in NAT/Gateway mode and you wish to remap the SSH port to something less traditional on the WAN side (say, port 2222), you may insert a PREROUTING rule instead. This is actually how the GUI does it when you enable remote WAN SSH management.
I see my shiny new rule appended to the INPUT chain. However, this is no good, because in my case I have a rule blocking this traffic which comes BEFORE the rule allowing it.
How do I change it? Simple.
First, let's delete the rule we just made.
will list the rules with their rule numbers. Let's say our rule is number 11.
This deletes rule number 11 from the INPUT chain.
Now, instead of appending, I am going to insert my rule at position 1 (the default).
So now rule number 1 is my new rule, and the other rules have all shifted down one position.
If I wanted to change the IP address or any other aspect of my ssh rule, I could use the -R (replace) option with a specific rule number and simply type in the new rule, e.g.
This would replace rule number 1 on the INPUT chain with a new rule that has a new source IP address and jumps to ACCEPT instead of logaccept.
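A review helper for the ordering problem described above (an ACCEPT appended below a rule that already drops the traffic), added here and not part of the wiki page. It reads "iptables -vnL INPUT --line-numbers" output and names the first rule a NEW TCP connection would hit; the two listings are constructed samples, and the interface and address names are the wiki's examples.

```shell
#!/bin/sh
# Added example, not from the wiki. first_rule interprets the prot/in/source
# columns and the dpt:/dpts:/state matches of a "iptables -vnL INPUT
# --line-numbers" listing; any other match (MAC, limit, ...) is treated as
# matching, so read its answer as a pointer to the rule to inspect, not proof.

# first_rule LISTING IN_IF SRC DPORT -> "NUM TARGET", or "policy TARGET" when
# no rule matches and the chain policy decides.
first_rule() {
    printf '%s\n' "$1" | awk -v inif="$2" -v src="$3" -v port="$4" '
    /^Chain / { policy = $4 }          # "Chain INPUT (policy ACCEPT ...)"
    $1 ~ /^[0-9]+$/ {                  # num pkts bytes target prot opt in out src dst [matches]
        prot = $5; rin = $7; rsrc = $9
        if (prot != "all" && prot != "0" && prot != "tcp" && prot != "6") next
        if (substr(rin, 1, 1) == "!") { if (substr(rin, 2) == inif) next }
        else if (rin != "*" && rin != inif) next
        if (rsrc != "0.0.0.0/0" && rsrc != src) next
        for (i = 11; i <= NF; i++) {
            if ($i ~ /^dpt:/ && substr($i, 5) != port) next
            if ($i ~ /^dpts:/) {
                split(substr($i, 6), r, ":")
                if (port + 0 < r[1] + 0 || port + 0 > r[2] + 0) next
            }
            # "state A,B" / "ctstate A,B": a new connection only hits rules that list NEW
            if (($i == "state" || $i == "ctstate") && index($(i + 1), "NEW") == 0) next
        }
        print $1, $4; found = 1; exit
    }
    END { if (!found) print "policy", policy }'
}

# shadowed LISTING IN_IF SRC DPORT -> true when that traffic is dropped or rejected
shadowed() {
    case "$(first_rule "$@")" in
        *DROP|*REJECT|*logdrop|*logreject) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed listing: the ssh rule was appended (-A) and sits below the WAN
# catch-all DROP, which is the situation described in the text.
APPENDED='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  2940 DROP       0    --  vlan1  *       0.0.0.0/0            0.0.0.0/0            state INVALID
2     9814 1190K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3      120  7200 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0
4      311 15550 DROP       0    --  vlan1  *       0.0.0.0/0            0.0.0.0/0
5        0     0 logaccept  tcp  --  *      *       123.45.67.89         0.0.0.0/0            tcp dpt:22'

# Same chain after "iptables -D INPUT 5" and "iptables -I INPUT ..." put the rule first.
INSERTED='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        3   180 logaccept  tcp  --  *      *       123.45.67.89         0.0.0.0/0            tcp dpt:22
2       40  2940 DROP       0    --  vlan1  *       0.0.0.0/0            0.0.0.0/0            state INVALID
3     9814 1190K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4      120  7200 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0
5      311 15550 DROP       0    --  vlan1  *       0.0.0.0/0            0.0.0.0/0'

# On the router: first_rule "$(iptables -vnL INPUT --line-numbers)" vlan1 123.45.67.89 22
```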
One more example: I want to run a mini web server on my router. Let's assume that it is already running on port 8000 and that I can access it from the LAN side but not from the WAN side. With
port 8000 will be opened. But I also have to set up NAT PREROUTING, so that the kernel forwards all packets arriving on port 8000 from the outside to itself, 192.168.1.1:
Port Forwarding to a specific LAN IP
Port forwarding can be accomplished from within the web interface. However, the very same thing can be done a bit differently (tested and working) via the command line. --u3gyxap: Example with port 443 and IP 192.168.1.2
If you want to restrict the source IP (a question that is asked a lot on the forums), add -s 123.45.67.89 to one of your rules (replacing the IP address with the real one of course).
This should make it so only one IP address is able to access your forwarded port from the Internet.
In order for me to get this to work (v.24), I needed to put the "-s 123.45.67.89" in the "iptables -I FORWARD" command as well. When it was in the PREROUTING command only, I was still able to access the internal resource from any IP address!
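The forward-plus-restriction recipe from "Firewall Forwarded Ports" and this section in one script, added here and not the wiki's own commands: the source match goes on both the nat PREROUTING rule and the FORWARD rule, since the note above found -s on PREROUTING alone was not enough. WAN_IP is an assumption (on the router, "$(nvram get wan_ipaddr)"); DRY_RUN=1 prints the rules for review or for pasting into the Administration - Commands firewall script.

```shell
#!/bin/sh
# Added example, not from the wiki.

# ipt: execute iptables, or print the command when DRY_RUN is set.
ipt() { if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# forward_port WAN_IP PROTO WAN_PORT LAN_IP LAN_PORT [SRC] [TARGET]
#   SRC     optional allowed source (host or subnet); "" or omitted allows anyone
#   TARGET  ACCEPT (default) or logaccept to log each forwarded connection
forward_port() {
    wan_ip=$1; proto=$2; wan_port=$3; lan_ip=$4; lan_port=$5
    src=${6:-}; target=${7:-ACCEPT}
    # Build the source match once so both rules carry exactly the same restriction.
    src_match=""
    if [ -n "$src" ]; then src_match="-s $src"; fi
    # -I inserts at the top so these take precedence over the build's default rules.
    ipt -t nat -I PREROUTING -p "$proto" $src_match -d "$wan_ip" --dport "$wan_port" \
        -j DNAT --to-destination "$lan_ip:$lan_port"
    ipt -I FORWARD -p "$proto" $src_match -d "$lan_ip" --dport "$lan_port" -j "$target"
}

# Run as "sh forward.sh apply" on the router. The values are the wiki's examples:
# 443 to 192.168.1.2, reachable only from 123.45.67.89; 4022 to 192.168.1.5:22,
# open to anyone but logged.
if [ "${1:-}" = "apply" ]; then
    wan=$(nvram get wan_ipaddr)
    forward_port "$wan" tcp 443 192.168.1.2 443 123.45.67.89
    forward_port "$wan" tcp 4022 192.168.1.5 22 "" logaccept
fi
```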
Deny access to a specific IP address
This would DROP all packets destined to the given IP, which is useful for blocking access to anything you like. If you want to log an entry when the IP is blocked, set the jump target to logdrop instead of DROP.
Deny access to a specific subnet
Deny access to a specific IP address range with logging
Many builds do not have the iprange match, but you can use clever subnet masks to accomplish something similar if the range aligns with subnet boundaries. You may also be able to download a version of iptables that includes the iprange match via Optware.
Deny access to a specific outbound IP address with logging
This becomes useful if there is a program that wants to open an outbound connection to a specific address, but you don't want to allow the connection. In this specific example, Windows uses this IP incorrectly as a broadcast address (search Google for more info). While viewing your router logs you will see Windows broadcast to this IP several times per minute. By default the router passes the broadcast and announces to everyone outside your router that your PC exists. This rule blocks traffic to this specific outbound IP and adds an entry to the router log.
edit: There is nothing incorrect about this. This is the service announcement/discovery multicast address used by SSDP. It is required to discover UPnP-based devices in your network. If you drop these, your DLNA media servers, ushare, minidlna, PS3s, Xboxes etc. will not see each other if they are across subnets. These packets have a TTL of 4, so they won't get too far out of your network. 239.x.x.x is the private IPv4 multicast range, so ISPs would drop this at their ingress points.
Block outgoing SMTP traffic except from specified hosts
Simple Mail Transfer Protocol operates on tcp port 25.
This would accept outgoing SMTP traffic from your internal SMTP server (192.168.1.2) but reject outgoing SMTP traffic from all other hosts on your LAN (192.168.1.1/24). Useful for forcing all your LAN clients to use your internal SMTP server, as well as for blocking viruses and spam-generating trojans from sending mail to remote servers on their own.
Change "REJECT" to "logdrop" or "ACCEPT" to "logaccept" to add logging.
Caution! This will also block internal users from using your external IP as their SMTP server.
Similarly, we can use the above method to filter other ports and protocols as well, such as standard web traffic operating on tcp port 80.
This example blocks everything except our normal web traffic, encrypted (ssl), and the file transfer protocol.
Caution! Users are still able to get through the firewall if they are sly enough to use these permitted port numbers for their P2P or other application. In that case, you should consider using Access Restrictions to mitigate the possibility of that happening.
Reject clients from accessing the router's configuration
Tip: If you disable management from the LAN, be sure to enable remote management on the WAN (or vice versa), or you will probably lock yourself out of the router.
Restrict access by MAC address
In this example we will demonstrate how to restrict access to the router's web interface by MAC address. In other words, only the computer with the specified MAC address should be able to access the web interface from the LAN.
First, if there are no Access Restrictions policies enabled that filter by MAC address, you may need to insert the iptables mac module manually:
Notice the ! (bang), another new concept introduced here: it means "NOT". Inspecting the rule closely, we see that it will REJECT packets destined to port 80 of the router as long as they do NOT originate from the computer with the desired MAC address.
Caution! As usual when dealing with MAC addresses, be aware that it is possible for malicious user(s) to spoof their MAC address with that of a trusted machine. You can help combat this by use of static ARP entries, VLANs, etc.
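The SMTP, web-port and MAC-address recipes above as one script, added here and not the wiki's own commands. 192.168.1.0/24 and 192.168.1.2 are the wiki's values, the MAC address is a constructed placeholder, and LAN_IF is assumed to be br0; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the wiki.

# ipt: execute iptables, or print the command when DRY_RUN is set.
ipt() { if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# smtp_only_from SERVER LAN_NET [LOG]
# Permit tcp/25 leaving the LAN from SERVER; reject it from every other LAN
# host (logdrop instead of REJECT when LOG=1). Because -I inserts at the top,
# the REJECT is inserted first so that the ACCEPT ends up above it.
smtp_only_from() {
    server=$1; lan=$2; deny=REJECT
    if [ "${3:-0}" = 1 ]; then deny=logdrop; fi
    ipt -I FORWARD -p tcp -s "$lan" --dport 25 -j "$deny"
    ipt -I FORWARD -p tcp -s "$server" --dport 25 -j ACCEPT
}

# lan_tcp_allowlist LAN_NET PORTS
# Reject NEW outbound TCP connections from the LAN except to PORTS (e.g.
# 80,443,21). Matching only NEW connections matters: without it the rule would
# also hit the reply packets of inbound port forwards, whose destination port
# is the remote client's random port, and break those forwards.
lan_tcp_allowlist() {
    ipt -I FORWARD -p tcp -s "$1" -m state --state NEW -m multiport ! --dports "$2" -j REJECT
}

# web_admin_only_from MAC [PORT] [LAN_IF]
# Reject LAN connections to the router's web interface unless they come from
# MAC. Limited to the LAN interface on purpose: packets from the WAN carry the
# ISP gateway's MAC, so a rule without -i would also cut off remote management.
# Needs the mac match (insmod ipt_mac on old builds) and, as the wiki says,
# does not stop a host that spoofs the trusted MAC.
web_admin_only_from() {
    ipt -I INPUT -i "${3:-br0}" -p tcp --dport "${2:-80}" -m mac ! --mac-source "$1" -j REJECT
}
```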
Modifying the TTL
The Time To Live (TTL) is the maximum number of routers a packet may travel through before it is discarded. In certain situations it may prove useful to change it (typically to increase it) in order to make your network more reliable.
- Example 1: Set the incoming TTL to 10 before the router routes the packet into the LAN.
- Example 2: Set the outgoing TTL to 128, just as if a Windows machine were connected directly to the modem.
- Example 3: Try to hide the fact that you are using a tethered phone as the WAN:
- Example 4: Try to hide the fact that an outgoing packet was routed, by incrementing the TTL by one.
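The TTL adjustments listed above written as mangle-table rules with the TTL target, added here and not the wiki's own commands. WAN_IF is an assumption (vlan1 on K24 builds, vlan2 on K26/K3.x, ppp0 with PPPoE; see the Interfaces section); DRY_RUN=1 prints the rules.

```shell
#!/bin/sh
# Added example, not from the wiki.

# ipt: execute iptables, or print the command when DRY_RUN is set.
ipt() { if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# ttl_rule MODE WAN_IF [VALUE]
#   incoming VALUE   Example 1: rewrite the TTL of packets arriving from the WAN
#                    before they are routed (PREROUTING, matched on the inbound interface)
#   outgoing VALUE   Examples 2 and 3: give every packet leaving the WAN a fixed
#                    TTL (POSTROUTING, after routing); 128 is what Windows sends,
#                    64 what Linux and most phones send
#   increment        Example 4: add back the hop this router consumed, so the
#                    packet leaves with the TTL it arrived with
ttl_rule() {
    mode=$1; wif=$2; value=${3:-}
    case "$mode" in
        incoming)  ipt -t mangle -I PREROUTING -i "$wif" -j TTL --ttl-set "$value" ;;
        outgoing)  ipt -t mangle -I POSTROUTING -o "$wif" -j TTL --ttl-set "$value" ;;
        increment) ipt -t mangle -I POSTROUTING -o "$wif" -j TTL --ttl-inc 1 ;;
        *) echo "ttl_rule: unknown mode '$mode' (incoming|outgoing|increment)" >&2; return 1 ;;
    esac
}
```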
Firewall Rule Examples
You may first want to protect your ssh port from script kiddies and prevent brute-force attacks. You can limit the number of NEW ssh connections to about 3 attempts per minute; any further attempts to crack the ssh port will be dropped:
FTP access can also be limited to a certain network or address range in the following manner:
You can of course combine both rate limiting and IP address limiting. The following example limits ssh connections to those from 207.171.160.0/19 with the same rate limit applied, along with the FTP rules, all in the same script:
For multiport INPUT (or FORWARD, if you choose) rate limiting, the following syntax can be used:
To verify that the rules are working, open a terminal session and type iptables -vnL | more
You may examine these rules on the router at any time by accessing the router's command prompt and running the command "iptables -vnL".
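The rate limiting described above built on the "recent" match, with the optional subnet restriction and the multiport variant, added here and not the wiki's own script: a source that opens more than ALLOWED new connections to the port(s) within SECONDS is dropped and logged until it stays quiet. It assumes the recent and multiport matches exist in your build (older builds may need "insmod ipt_recent"); DRY_RUN=1 prints the rules.

```shell
#!/bin/sh
# Added example, not from the wiki.

# ipt: execute iptables, or print the command when DRY_RUN is set.
ipt() { if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# rate_limit_new PROTO PORTS SECONDS ALLOWED [ALLOWED_NET]
#   PORTS        one port, or a comma list such as 21,22 (uses multiport)
#   ALLOWED_NET  if given, only this subnet may open new connections at all
rate_limit_new() {
    proto=$1; ports=$2; seconds=$3; allowed=$4; net=${5:-}
    name="rl_$(printf '%s' "$ports" | tr ',' '_')"   # one recent list per port set
    case "$ports" in
        *,*) match="-m multiport --dports $ports" ;;
        *)   match="--dport $ports" ;;
    esac
    hits=$((allowed + 1))   # the --set rule below counts the current attempt too
    # -I puts each rule on top, so they are inserted in reverse of the order in
    # which packets should meet them. Final order, top to bottom:
    #   [drop new connections from outside ALLOWED_NET]
    #   record the source in the recent list (no target: evaluation continues)
    #   drop + log the source once it reached ALLOWED+1 new connections within SECONDS
    #   accept what is left
    ipt -I INPUT -p "$proto" $match -m state --state NEW -j ACCEPT
    ipt -I INPUT -p "$proto" $match -m state --state NEW \
        -m recent --update --seconds "$seconds" --hitcount "$hits" --name "$name" -j logdrop
    ipt -I INPUT -p "$proto" $match -m state --state NEW -m recent --set --name "$name"
    if [ -n "$net" ]; then
        ipt -I INPUT -p "$proto" $match ! -s "$net" -m state --state NEW -j DROP
    fi
}

# On the router, as in the text: rate_limit_new tcp 22 60 3
#                 with subnet and FTP: rate_limit_new tcp 21,22 60 3 207.171.160.0/19
```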
Caution
Adding iptables commands to your startup routine risks locking yourself out of the box with no option but to start over. If you are experimenting with new commands, you can insure against this by inserting a sleep command before the iptables command(s). This way you grant yourself, say, five minutes (sleep 300) before your commands take effect. If your commands do backfire and you are unable to log in to your box, simply restart it by switching it off and on again, and you will have five minutes to get in.
Another way is to try the command over ssh (or in the GUI command shell, then click "Run command"*): if your command doesn't touch nvram it won't survive a reboot, but it allows an immediate addition/insertion of the new firewall rule for testing. Check it immediately with
and see if it works as you think it should.
* Caution! In the GUI, echo $? always returns 0, whether the command succeeded or failed.
NAT - Network Address Translation
Because of the IPv4 address shortage, the Internet community began to use NAT, so the firewall also needs to be NAT aware.
NAT incompatible protocols
A real problem with NAT arises when more than one inside client (e.g. C1, C2) connects to the same outside server IP address (S) and the traffic is neither TCP nor UDP. When a response packet later arrives from outside at the NAT device (the firewall), it cannot deduce which client to send it to. Here are examples of protocols that have that problem:
Even if the traffic is unencrypted, it cannot be deduced where to NAT a response packet from outside if more than one inside client uses the same protocol to the same outside IP address. UDP and TCP are special because they have 65536 possible source and destination ports, which helps connection tracking.
Options
A long time ago, when I first installed dd-wrt on my router (D-Link DIR-615), I simply thought of it as a firmware, "just another firmware" for those unhappy with the vendor's stock one. But after connecting to the router over telnet I saw a very real Linux.
This article will not say a word about how to flash the router; that is quite specific to each router model. What it will cover is how to set up two access points on it, optimize it in general, and create tunnels between such routers.
Just Linux
Going to the router over telnet, you can see a perfectly ordinary Linux. And since Linux comes with it, there is certainly:
- the iptables firewall
- ip_conntrack support
- the utilities from iproute2
There are also most likely additional utilities:
- brctl (for managing bridges)
- ping, telnet, ssh, mount and everything an ordinary Linux network router is expected to have
Two access points, or how to make the neighbours happy
When I saw that the Wi-Fi settings offer the possibility of creating another access point, I was somewhat surprised. It turns out almost all Wi-Fi chips can do this; it is just that the kind people at $vendor usually consider such functionality superfluous for housewives (and how many housewives configure routers).
Gradually figuring everything out, I decided to provide the whole street with free Internet (the router has two antennas and quite decent power). I faced two problems (whose solutions I describe below):
1. How to secure my home network by cutting off access to it from the free access point.
2. How to throttle the speed so the kind neighbours do not eat up my bandwidth.
The solution to the first is obviously a firewall, but how, what and where is not clear. The second is also clear: since there is iproute2 there is also tc, and it can... well, what can it not do.
Creating the access point (interface configuration)
Create a second access point and give it some name.
Open the advanced settings and set "Network Configuration: Unbridged", "Multicast streams: Disable", "Masquerade/NAT: Disable". Then choose an IP address for this virtual interface; I chose a small network of 16 IP addresses.
Next, make sure that encryption is turned off on this access point.
Commands
Moving on to the command block.
Configuring sysctl
First I suggest configuring sysctl; since the sysctl utility itself is not included, we configure it through proc.
The iptables firewall
Below are the commands of my firewall. I think some will be interested in what is for what, so the commands are commented.
So, everything seems ready. Now about how clients of the free access point will get IPs. DHCP, of course, only a second DHCP server is needed, and it is there out of the box.
Tunnels
Now imagine a situation. You have 2 offices, in them... stop. It is simpler: you have a friend with dd-wrt, and you have a banal desire to play with him, say, Quake II coop. Your friend has one ISP and you have another. The answer would seem obvious: Hamachi or some other proprietary thing. A fine solution to an ordinary problem. Now imagine there really are 2 offices, the connection has to be up 24*7*365 and, what is more, there are all kinds of printers, maybe even a corporate proxy. Cisco, you say; a bit pricey, I say.
Look at the 2 scripts given in the firewall: yes, this is GRE tunnelling, or Ethernet over IP (the etherip protocol, supported by FreeBSD and Cisco but for some reason not in Linux). The logic of creating the tunnel is as follows. There are 2 devices, alpha and beta; on alpha the LAN subnet is 192.168.2.0/24, on beta 192.168.3.0/24. The WAN IP on alpha is al.p.h.a, on beta b.e.t.a. On alpha an interface 10.0.0.1/30 is created, on beta 10.0.0.2/30, plus 2 routes.
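The two problems above (keeping the free access point away from the home LAN, and throttling its users) solved in one script, added here and not the article's own command block: the guest interface may reach the WAN but neither the LAN nor the router's own services, the kernel flag is set the article's way through /proc, and tc caps the guests' download. Names are assumptions: GUEST_IF is the virtual AP (ath0.1 on the article's Atheros build; substitute your adapter for "ath"), LAN_IF is br0, WAN_IF comes from nvram, and 192.168.100.0/28 is a constructed 16-address guest subnet like the one the article chose. DRY_RUN=1 prints the commands.

```shell
#!/bin/sh
# Added example, not from the article.

# Wrappers: execute, or print the command when DRY_RUN is set.
ipt()  { if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi; }
tcc()  { if [ -n "${DRY_RUN:-}" ]; then echo "tc $*"; else tc "$@"; fi; }
# proc_set PATH VALUE: sysctl without the sysctl binary, as the article does it
proc_set() { if [ -n "${DRY_RUN:-}" ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi; }

# guest_isolate GUEST_IF GUEST_NET LAN_IF WAN_IF RATE
guest_isolate() {
    gif=$1; gnet=$2; lif=$3; wif=$4; rate=$5
    # the router must route between the guest interface and the WAN
    proc_set /proc/sys/net/ipv4/ip_forward 1
    # INPUT, as evaluated after the inserts: DHCP, DNS, then drop everything
    # else from guests (web interface, ssh, telnet ...). -I puts each rule on
    # top, so the catch-all drop is inserted first and ends up last.
    ipt -I INPUT -i "$gif" -j DROP
    ipt -I INPUT -i "$gif" -p tcp --dport 53 -j ACCEPT
    ipt -I INPUT -i "$gif" -p udp --dport 53 -j ACCEPT
    ipt -I INPUT -i "$gif" -p udp --dport 67 -j ACCEPT
    # FORWARD: guests and the LAN never see each other; guest <-> WAN is allowed
    ipt -I FORWARD -i "$gif" -o "$lif" -j DROP
    ipt -I FORWARD -i "$lif" -o "$gif" -j DROP
    ipt -I FORWARD -i "$gif" -o "$wif" -j ACCEPT
    ipt -I FORWARD -i "$wif" -o "$gif" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # masquerade the guest subnet on the WAN (harmless if the default rule already does)
    ipt -t nat -I POSTROUTING -s "$gnet" -o "$wif" -j MASQUERADE
    # cap what the router sends towards the guests (their download); limiting
    # their upload would need ingress policing, which is not covered here
    tcc qdisc add dev "$gif" root tbf rate "$rate" burst 32kbit latency 400ms
}

# Run as "sh guest.sh apply" on the router.
if [ "${1:-}" = "apply" ]; then
    guest_isolate ath0.1 192.168.100.0/28 br0 "$(nvram get wan_ifname)" 1mbit
fi
```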
ALPHA
/opt/etherip.sh beta b.e.t.a 10.0.0.1/30
route add -net 192.168.3.0/24 gw 10.0.0.2
BETA
/opt/etherip.sh alpha al.p.h.a 10.0.0.2/30
route add -net 192.168.2.0/24 gw 10.0.0.1
That is the general logic. So, back to the friend with Quake II: better try it with him first. No experiments in production.
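The alpha/beta layout above built as a plain (layer 3) GRE tunnel with iproute2, plus the firewall openings it needs, added here as an example; the article's /opt/etherip.sh is not reproduced. al.p.h.a and b.e.t.a are the article's placeholders for the two WAN addresses, LAN_IF br0 and WAN_IF vlan1 are assumptions, and builds without GRE compiled in need "insmod ip_gre". DRY_RUN=1 prints the commands.

```shell
#!/bin/sh
# Added example, not from the article.

# Wrappers: execute, or print the command when DRY_RUN is set.
ipt() { if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi; }
ipr() { if [ -n "${DRY_RUN:-}" ]; then echo "ip $*"; else ip "$@"; fi; }

# gre_site PEER LOCAL_WAN REMOTE_WAN LOCAL_TUN REMOTE_TUN REMOTE_LAN LAN_IF WAN_IF
#   on alpha: gre_site beta  al.p.h.a b.e.t.a  10.0.0.1/30 10.0.0.2 192.168.3.0/24 br0 vlan1
#   on beta:  gre_site alpha b.e.t.a  al.p.h.a 10.0.0.2/30 10.0.0.1 192.168.2.0/24 br0 vlan1
# GRE neither encrypts nor authenticates beyond the peer address: on an
# untrusted path run it inside a VPN (or use IPsec) instead of bare.
gre_site() {
    peer=$1; lwan=$2; rwan=$3; ltun=$4; rtun=$5; rlan=$6; lif=$7; wif=$8
    dev="gre_$peer"
    ipr tunnel add "$dev" mode gre local "$lwan" remote "$rwan" ttl 255
    ipr addr add "$ltun" dev "$dev"
    ipr link set "$dev" up
    # the route the article adds with "route add -net ... gw ...", in ip syntax
    ipr route add "$rlan" via "$rtun" dev "$dev"
    # GRE is IP protocol 47; accept it on the WAN from the peer only
    ipt -I INPUT -i "$wif" -p 47 -s "$rwan" -j ACCEPT
    # LAN <-> LAN traffic crosses FORWARD on the tunnel device
    ipt -I FORWARD -i "$dev" -o "$lif" -j ACCEPT
    ipt -I FORWARD -i "$lif" -o "$dev" -j ACCEPT
    # exempt the tunnel from the WAN masquerade, so the other LAN sees real
    # 192.168.x.x sources and the routes above work in both directions
    ipt -t nat -I POSTROUTING -o "$dev" -j ACCEPT
}
```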
What next?
Unfortunately I have currently lost the connection to a DIR-320 router into which 3 ISPs were plugged. The thing is, the DIR-320 not only has USB, where you can install something like nginx+postgresql+python+django, it also has a smart switch inside, which means 3 interfaces are created on the LAN ports while the WAN port is plugged into the office switch. The result: load balancing, failover, Wi-Fi, firewall, a blocker for "xxxxklassniki".
That company called me a year ago; they said a specialist had come to them and was asking for the router password, claiming I had mixed up the WAN and LAN ports. I asked "Is everything working for you?", they said yes, then I asked why he was poking around in there and they could not explain it clearly. I said "I will give you the password, but if this expert breaks something I will not come to you, and if I do come I will redo all the work, and that costs the same." In the end they did not need the password; they have not called for a year. God knows, maybe they have folded, or maybe the IP changed, but there is no access now.
In general, the capabilities of dd-wrt remind me of Cisco, in the sense that if reboot did not help, then something is broken outside this box.
I tried to tie all commands to the routers' nvram so that different models work the same. The only difference is that the Wi-Fi adapter name may differ. In that case, replace all "ath" in the commands with the name of your adapter.
Basic Usage
Port Forward Example
The current port-forwarding setup in the web GUI will be used as the basis for some examples:
- Application: ssh, Port: 4022, Protocol: TCP, forward to IP address: 192.168.1.5, Port: 22
- Application: ftp, Port: 21, Protocol: TCP, forward to IP address: 192.168.1.6, Port: 21
This forwards external port 4022 to internal server 192.168.1.5:22 for ssh and external port 21 to internal server 192.168.1.6:21 for ftp.
Interfaces
When using -i or -o to specify the physical interfaces, remember that by default:
vlan0 is the 4 LAN ports (K24 only)
vlan1 is the WAN port (K24 only) or the 4 LAN ports (K26 and K3.x) (ppp0 is the WAN interface when PPPoE is used)
vlan2 is the WAN port (K26 and K3.x)
eth1 is the WiFi
eth2-3 are the WiFi (dual-radio routers)
br0 is a bridge connecting the 4 LAN ports and the WiFi together
Tip: To list the network interfaces on the router, use 'ifconfig' on the command line.