OpenWrtDocs/Configuration - OpenWrt

iptables - brandväggen kan behöva konfigureras för högre säkerhet. Utan iptables konfigurerad medger OpenWRT trafik genom NAT.

OpenWrtDocs/Configuration - OpenWrt: "

5.5. iptables - Firewall

The rules and some small samples for your firewall can be found in /etc/firewall.user. For RC5 and earlier if you want to make changes to this file you have to remove it first since it is actually a symlink to /rom/etc/firewall.user, see the section Editing files in OpenWrtDocs/Using.

Be sure to read the notes about the firewall rules before changing anything. The important thing to note is that if you setup port forwarding, you won't be able to see the changes inside the router's LAN. You will have to access the router from outside to verify the setup.

As of RC9 the file /etc/firewall.user reads

#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
# The following chains are for traffic directed at the IP of the
# WAN interface
iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan
### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
# iptables -A input_wan -p tcp --dport 22 -j ACCEPT
### Port forwarding ## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
###DMZ ## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT

The first section, Open port to WAN shows an example of opening a port for your router running OpenWRT to listen to and accept. In the case given, it will open up port 22 and accept connections using dropbear (the SSH server). Just delete the # sign in front of the two rules to enable access.

If you wanted to open up any other ports for the router to listen to, just copy those two lines and change just the port number from 22 to something else.

The second section, Port forwarding is for accepting incoming connections from the WAN (outside the router) and sending the requests to a networked device on your LAN (inside your router).

Before setting up any port forwarding, you'll have to install some OpenWRT packages first, such as iptables-nat and ip (any others?).

In the example provided, if someone on the Internet were to connect to your router on port 8080, it would forward them to port 80 on whatever computer / device had the IP address of 192.168.1.2.

If you are running a webserver on that address, and want to listen on port 80 instead, change the 8080 on the first line.

The same is true for any other ports you'd want to forward to your LAN. Just follow the example as a guide.

The last section, DMZ is sending all connections to a port not specified in the rules above to a certain IP address. If you do decide to use this, it would be a good idea to have a firewall managing the ports on the destination. The DMZ can be considered a simple way to let another computer handle the firewall rules, if you don't want to configure them on OpenWRT and at the same time you want to send all connections to one device.

Once you're finished making changes to your firewall, restart it by running the init script:

/etc/init.d/S45firewall restart

Remember to test the changes outside your LAN! Finally, if you wish to dig deeper into how iptables work under the rule/chain structure of OpenWRT, see OpenWrtDocs/IPTables
"