I have noticed a lot of people have issues with iptables on openwrt, so I have gathered a few tips that I've used myself.
All the examples should be put in the file /etc/iptables.user on your openWrt router, and you should restart iptables every time you insert a rule with this command /etc/init.d/firewall restart.
Blocking a single IP address
This will block an IP address completely, ie. no connections to or from that ip address will be allowed.
iptables -A input_wan -s 22.214.171.124 --jump REJECT iptables -A forwarding_rule -d 126.96.36.199 --jump REJECT
Blocking a port range
This will reject any outgoing connections to the internet, in the portrange you specify.
In this example, the port range is 6000-60000, and only TCP connections is blocked.
iptables -A forwarding_rule -p tcp --dport 6000:60000 --jump REJECT
Allowing connections on a port on the router from the internet
This could be useful if you are running transmission on openwrt for instance.
Let's say you're running a service on port 4000. You could enable internet connectivity like this:
iptables -t nat -A prerouting_wan -p tcp --dport 4000 -j ACCEPT iptables -A input_wan -p tcp --dport 4000 -j ACCEPT
Forwarding a port to a computer on the LAN
This is useful if you are hosting your own webserver, for instance. In the example, every request to port 80 from the internet will be forwarded to 192.168.1.126.
Please note that this will not work if you are running a webserver on port 80 on the router.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.126:80 iptables -I FORWARD -p tcp --dport 80 -d 192.168.1.126 -j ACCEPT
As I find more tips, I will write them here, for you to read. ;-)
Written by Jannich Brendle man 14 september 2009 In How to