Some small iptables on OpenWrt tips

I have noticed that a lot of people have issues with iptables on OpenWrt, so I have gathered a few tips that I've used myself.

All the examples should be put in the file /etc/iptables.user on your OpenWrt router, and every time you add a rule you should reload the firewall with this command: /etc/init.d/firewall restart

Blocking a single IP address

This will block an IP address completely, i.e. no connections to or from that IP address will be allowed.

# reject packets from that address to the router itself (WAN side)
iptables -A input_wan -s 217.195.182.35 --jump REJECT
# reject anything forwarded (e.g. from the LAN) towards that address
iptables -A forwarding_rule -d 217.195.182.35 --jump REJECT

Blocking a port range

This will reject any outgoing connections to the internet in the port range you specify.

In this example the port range is 6000-60000, and only TCP connections are blocked.

iptables -A forwarding_rule -p tcp --dport 6000:60000 --jump REJECT

Allowing connections on a port on the router from the internet

This could be useful if you are running Transmission on OpenWrt, for instance.

Let's say you're running a service on the router on port 4000. You could allow connections to it from the internet like this:

# let the packet through the WAN NAT chain, then accept it on the router's input chain
iptables -t nat -A prerouting_wan -p tcp --dport 4000 -j ACCEPT
iptables        -A input_wan      -p tcp --dport 4000 -j ACCEPT

Forwarding a port to a computer on the LAN

This is useful if you are hosting your own webserver, for instance. In the example, every request to port 80 from the internet will be forwarded to 192.168.1.126.

Please note that this will not work if you are running a webserver on port 80 on the router itself, since port 80 is then rewritten before it reaches the router.

# rewrite the destination of incoming port 80 traffic to the LAN host
# (PREROUTING without -i matches every interface, not just the WAN one)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.126:80
# and allow the rewritten packets to be forwarded to that host
iptables        -I FORWARD -p tcp --dport 80 -d 192.168.1.126 -j ACCEPT
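As an added example that is not part of the original post, here is a small helper in the style of /etc/iptables.user that builds the two port-forward rules above after checking its inputs, and limits both rules to the WAN interface so that LAN traffic is never rewritten and the FORWARD accept covers only that one port on that one host. The interface name eth0.1 and the use of an IPT variable to switch between printing and applying are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the port-forward rules from
# the post as text after validating the inputs, and limits both rules to the
# WAN interface. The interface name eth0.1 is an assumed value; set
# IPT=iptables on the router to apply the rules instead of printing them.

# run ARGS... : print "iptables ARGS" unless IPT names a real binary to call
run() {
    if [ -n "${IPT:-}" ]; then "$IPT" "$@"; else printf 'iptables %s\n' "$*"; fi
}

# valid_port PORT : true if PORT is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR : true if ADDR is exactly four dotted octets, each 0..255
valid_ipv4() {
    rest=$1; n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}
        case "$o" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$o" ] && break      # last octet, no more dots
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# forward_port WAN_IF PROTO PORT DEST_IP : DNAT plus the matching FORWARD accept.
# Both match only packets arriving on WAN_IF, so LAN traffic is never rewritten,
# and the accept covers only that port on that one host.
forward_port() {
    wan=$1; proto=$2; port=$3; dest=$4
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    valid_ipv4 "$dest" || { echo "bad address: $dest" >&2; return 1; }
    run -t nat -A PREROUTING -i "$wan" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$dest:$port"
    run -I FORWARD -i "$wan" -p "$proto" -d "$dest" --dport "$port" -j ACCEPT
}

# The webserver forward from the post, printed rather than applied:
forward_port eth0.1 tcp 80 192.168.1.126
```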

As I find more tips, I will write them here, for you to read. ;-)


Written by Jannich Brendle, Mon 14 September 2009, in How to

tags: howto, iptables, OpenWrt
