
On 2013-09-17 23:45, Jeremy Visser wrote:
On 09/17/2013 10:23 PM, Matthew Cengia wrote:
Given you're running Kamikaze, you're unlikely to have the iptables-utils package installed (you may be able to install it, giving you the iptables-save and iptables-restore commands; a script using these would be quicker), so in its absence:
I should probably mention at this point that custom firewall rules for OpenWrt should be entered as iptables commands in /etc/firewall.user (basically a glorified shell script, but it gets called at the appropriate point during network initialisation).
I would *not* encourage the use of iptables-{save,restore} on OpenWrt, as you will be overwriting the existing rules, and any network interface changes will not be reflected in the firewall structure if you're modifying an old and shaggy iptables dump.
If you absolutely *insist* on loading your rules with iptables-restore (NOT recommended), you should probably disable the built-in firewall script (I'll leave doing that as an exercise to the reader *cough*/etc/init.d/firewall disable*cough*).
Yes, care must be taken in this instance, and you make a couple of good points here. It's worth remembering that running iptables-restore needn't blow away your entire ruleset, specifically when passed '-n'. Historically, I had something like this in /etc/firewall.rules:

iptables -N log_incoming
iptables -N log_outgoing
{
  echo '*filter'
  ip=1
  while [ "$ip" -lt 255 ]; do
    echo "-A log_incoming -d 192.168.2.$ip"
    echo "-A log_outgoing -s 192.168.2.$ip"
    ip=$((ip + 1))    # POSIX arithmetic; works in busybox ash as well as bash
  done
  echo 'COMMIT'
} | iptables-restore -n
iptables -I FORWARD -j log_incoming
iptables -I FORWARD -j log_outgoing

This saves *lots* of time because you're only running 5 iptables commands instead of over 200, and given that each change made using 'iptables' basically reads, edits, and writes the full table every time, this is much neater. Also worth noting is that at least in this instance, it's not necessary to specify a network interface.

-- 
Regards,
Matthew Cengia
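As an added example (not code from the post or from OpenWrt), here is the same batch-loading idea as a small POSIX sh script: the chains are declared inside the restore batch so the text stands on its own, and generation is kept separate from loading so the output can be inspected before it touches a live firewall. The function names, the PREFIX/FIRST/LAST arguments and the assumption of an iptables-restore that understands -n are mine.

```sh
#!/bin/sh
# Added example, not code from the post. Builds one iptables-restore batch
# for per-host logging chains and loads it with -n so the rest of the
# ruleset is left alone. Assumes POSIX sh (busybox ash on OpenWrt is fine)
# and an iptables-restore that accepts -n; only apply_log_rules needs
# iptables at all, the other functions just produce text.

# gen_log_rules PREFIX FIRST LAST
# Prints a restore batch covering PREFIX.FIRST .. PREFIX.LAST (e.g.
# "192.168.2 1 254"). FIRST and LAST default to 1 and 254.
gen_log_rules() {
    prefix=$1
    ip=${2:-1}
    last=${3:-254}
    echo '*filter'
    # Declaring the chains here removes the separate 'iptables -N' step.
    # With -n, a user chain that the batch declares and that already
    # exists is flushed (only that chain) before the -A lines are applied,
    # so re-running the script replaces these rules instead of stacking
    # a second copy on top of the old ones.
    echo ':log_incoming - [0:0]'
    echo ':log_outgoing - [0:0]'
    while [ "$ip" -le "$last" ]; do
        echo "-A log_incoming -d $prefix.$ip"
        echo "-A log_outgoing -s $prefix.$ip"
        ip=$((ip + 1))    # POSIX arithmetic; 'let' is a bash-ism
    done
    echo 'COMMIT'
}

# count_rules PREFIX FIRST LAST: number of -A lines in the batch, a quick
# sanity check on the size of what is about to be loaded.
count_rules() {
    gen_log_rules "$@" | grep -c '^-A '
}

# apply_log_rules PREFIX FIRST LAST: load the batch without flushing
# anything else, then hook both chains into FORWARD as in the post.
# Needs root and a live netfilter; not exercised by the checks below.
# The two jumps are plain iptables calls and are NOT idempotent: running
# this twice leaves two pairs of jumps in FORWARD, so remove the old ones
# (iptables -D FORWARD -j log_incoming, likewise log_outgoing) first.
apply_log_rules() {
    gen_log_rules "$@" | iptables-restore -n || return 1
    iptables -I FORWARD -j log_incoming &&
    iptables -I FORWARD -j log_outgoing
}
```

Run `gen_log_rules 192.168.2 1 254 | less` to review the batch before `apply_log_rules 192.168.2 1 254` loads it; either way the kernel sees one table write for the whole batch rather than one per host.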