[Tfug] firewall help

Bowie J. Poag bpoag at comcast.net
Sun Feb 19 22:57:36 MST 2006


Not to be obnoxious (heh, tall order, I know..) but why are you using 
OpenWRT? What are you gaining, other than a homebrew headache over a 
commercial headache, in the end?  Just curious. What's OpenWRT have that 
a stock wrt54g doesn't offer?

Cheers,
Bowie



John Gruenenfelder wrote:

>I just upgraded my wrt54g router to the newest (rc4) release of OpenWRT.  The
>change was necessary to do some VOIP traffic shaping later.
>
>But... in doing so I seem to have messed up the very simple firewall.  It's
>mostly working, though.  All traffic on the LAN/wifi interfaces is fine as is
>all outbound and masqueraded traffic.
>
>What's not working is the blanket forwarding.  Before, I had it set up to
>forward all incoming traffic to a machine on the LAN where I run my services.
>But now that machine is no longer reachable.  All incoming connections go into
>the void.
>
>Unfortunately, this little problem demonstrates my lack of networking and
>firewall knowledge.  So... I'm not entirely sure where my problem lies.  Here
>is the output from "iptables -L -n":
>
>root@bebop:/etc/init.d# iptables -L -n
>Chain INPUT (policy DROP)
>target     prot opt source               destination         
>DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
>DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp option=!2 flags:0x02/0x02 
>input_rule  all  --  0.0.0.0/0            0.0.0.0/0           
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
>ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
>ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0           
>REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
>REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
>
>Chain FORWARD (policy DROP)
>target     prot opt source               destination         
>DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
>TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
>forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0           
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
>
>Chain OUTPUT (policy DROP)
>target     prot opt source               destination         
>DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
>output_rule  all  --  0.0.0.0/0            0.0.0.0/0           
>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
>REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
>REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
>
>Chain forwarding_rule (1 references)
>target     prot opt source               destination         
>ACCEPT     all  --  0.0.0.0/0            192.168.0.3         
>
>Chain input_rule (1 references)
>target     prot opt source               destination         
>
>Chain output_rule (1 references)
>target     prot opt source               destination         
>
>
>The machine at 192.168.0.3 is my server.
>
>My best guess is that the new OpenWRT has a default DROP policy.  And if I
>want anything to get in then I'll have to allow those specific ports.  If
>that's the case, I'm fine with that.  But I'd like to know what the problem is
>first before I start mucking around with the firewall and potentially hose it
>even further.
>
>Any ideas?
>
>
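Added example, not code from either poster or from the OpenWRT project. The listing above comes from "iptables -L -n", which shows only the filter table and hides interface matches; a forward to a LAN host also needs a DNAT rule in the nat table, and without one inbound WAN packets are still addressed to the router itself, so they are handled by INPUT and never reach FORWARD, where the ACCEPT for 192.168.0.3 sits. The script below audits an "iptables-save" dump for both pieces and shows the dump with a blanket DNAT added. The dump is constructed to mirror the posted filter chains; the WAN interface name (eth0.1) and the nat hook chain name (prerouting_rule) are assumptions that the post does not show.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits an `iptables-save`
# dump for the two pieces a port forward to a LAN host needs:
#   1. a nat-table rule that DNATs inbound traffic to the host, and
#   2. a filter-table FORWARD rule that ACCEPTs traffic to the host.
# Without (1), packets from the WAN are still addressed to the router itself,
# so they are handled by INPUT and never reach FORWARD: the ACCEPT in
# forwarding_rule can never match them. `iptables -L -n` also hides interface
# matches; `iptables-save` (or `iptables -L -n -v`) shows them.
#
# SAMPLE_DUMP is constructed to mirror the filter chains in the post (an
# ACCEPT to 192.168.0.3 in forwarding_rule) with no DNAT anywhere in nat.
# The WAN interface name (eth0.1) and the nat hook chain (prerouting_rule)
# are assumptions, not something the post shows.

TARGET="192.168.0.3"
WAN_IF="eth0.1"

SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:prerouting_rule - [0:0]
-A PREROUTING -j prerouting_rule
-A POSTROUTING -o eth0.1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:forwarding_rule - [0:0]
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -i br0 -o eth0.1 -j ACCEPT
-A forwarding_rule -d 192.168.0.3/32 -j ACCEPT
COMMIT'

# Print the "-A" rules of one table from a dump on stdin. A table runs from
# its "*name" line to the next COMMIT.
table_rules() {
    awk -v t="*$1" '$0 == t { on = 1; next }
                    on && $0 == "COMMIT" { on = 0 }
                    on && /^-A / { print }'
}

# has_dnat DUMP HOST: succeed if some nat rule DNATs to exactly HOST.
has_dnat() {
    printf '%s\n' "$1" | table_rules nat | awk -v h="$2" '
        /-j DNAT/ {
            for (i = 1; i < NF; i++) if ($i == "--to-destination" && $(i+1) == h) found = 1
        }
        END { exit !found }'
}

# has_forward_accept DUMP HOST: succeed if a filter rule ACCEPTs traffic
# whose destination is HOST (iptables-save writes single hosts as HOST/32).
has_forward_accept() {
    printf '%s\n' "$1" | table_rules filter | awk -v h="$2" '
        /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "-d" && ($(i+1) == h || $(i+1) == h "/32")) found = 1
        }
        END { exit !found }'
}

# add_dnat_rule DUMP HOST WAN_IF: print the dump with a blanket DNAT for
# everything arriving on WAN_IF inserted into prerouting_rule. This forwards
# every port, which is what the post asks for; forwarding only the ports the
# server actually needs (-p tcp --dport N) exposes far less of that host.
add_dnat_rule() {
    printf '%s\n' "$1" | awk -v h="$2" -v w="$3" '
        { print }
        $0 == "-A PREROUTING -j prerouting_rule" {
            print "-A prerouting_rule -i " w " -j DNAT --to-destination " h
        }'
}

# audit_forward DUMP HOST: report each check; succeed only if both pass.
audit_forward() {
    ok=0
    if has_dnat "$1" "$2"; then echo "nat: DNAT to $2 present"
    else echo "nat: no DNAT to $2 (inbound WAN traffic stays in INPUT)"; ok=1; fi
    if has_forward_accept "$1" "$2"; then echo "filter: FORWARD accepts to $2"
    else echo "filter: no FORWARD ACCEPT to $2"; ok=1; fi
    return $ok
}

# Usage: sh audit.sh demo   (on the router: audit_forward "$(iptables-save)" HOST)
if [ "${1:-}" = "demo" ]; then
    echo "== ruleset as posted =="
    audit_forward "$SAMPLE_DUMP" "$TARGET" || true
    echo "== with DNAT added to prerouting_rule =="
    audit_forward "$(add_dnat_rule "$SAMPLE_DUMP" "$TARGET" "$WAN_IF")" "$TARGET"
fi
```

On the constructed dump the audit reports the FORWARD accept as present and the DNAT as missing; after add_dnat_rule both checks pass. The DNAT rule is only valid together with the existing RELATED,ESTABLISHED accept in FORWARD, which is what lets the server's replies back out; no extra SNAT is needed for the return path because conntrack reverses the translation.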


