
Firewall builder ddwrt default iptables

This article explains how to add iptables firewall rules using the “iptables -A” (append) command.

If it makes it easier for you to remember “-A” as add-rule (instead of append-rule), it is OK. But keep in mind that “-A” adds the rule at the end of the chain. Again, it is very important to remember that -A adds the rule at the end.

Typically the last rule will be to drop all packets. If you already have a rule to drop all packets, and you try to use “-A” from the command line to create a new rule, you will end up adding the new rule after the current “drop all packets” rule, which will make your new rule pretty much useless.

Once you’ve mastered iptables, and when you are implementing it in production, you should use a shell script in which you use the -A command to add all the rules. In that shell script, your last line should always be the “drop all packets” rule. When you want to add any new rules, modify that shell script and add your new rules above the “drop all packets” rule.

Syntax: iptables -A chain firewall-rule

  • -A chain – Specify the chain where the rule should be appended. For example, use the INPUT chain for incoming packets, and OUTPUT for outgoing packets. If you don’t know what a chain is, you should read about iptables fundamentals first.
  • firewall-rule – Various parameters make up the firewall rule.

Firewall rule parameters

The following parameters are available for all kinds of firewall rules.

  • -p (protocol): When you don’t specify -p, by default “all” protocols will be used. It is not good practice to use “all”; always specify a protocol. Use either the name (for example: tcp) or the number (for example: 6 for tcp). The /etc/protocols file contains all allowed protocol names and numbers.
  • -s (source): Indicates the source of the packet. This can be an IP address, a network address, or a hostname. For example: -s 192.168.1.101 indicates a specific IP address. When you don’t specify a source, it matches all sources.
  • -d (destination): Indicates the destination of the packet. This is the same as “-s”, except that it represents the destination host, IP address, or network.
  • -j (target): Specifies what needs to happen to the packet that matches this firewall rule. Possible values are ACCEPT, DROP, QUEUE, RETURN. You can also specify a user-defined chain as the target value.
  • -i (input interface): Please note that both -i and -o are for interfaces. You might overlook this and assume that “-i” is for interface. However, -i is for the input interface and -o is for the output interface. -i indicates the interface through which the incoming packets are coming, for the INPUT, FORWARD, and PREROUTING chains. For example: -i eth0 indicates that this rule should consider the incoming packets coming through the interface eth0. If you don’t specify the -i option, all available interfaces on the system will be considered for input packets.
  • -o (output interface): Indicates the interface through which the outgoing packets are sent, for the INPUT, FORWARD, and PREROUTING chains. If you don’t specify the -o option, all available interfaces on the system will be considered for output packets.

Additional options for firewall parameters

Some of the above firewall parameters in turn have their own options that can be passed along with them. To use these options, you should specify the corresponding parameter in the firewall rule. For example, to use the “--sport” option, you should have specified the “-p tcp” (or “-p udp”) parameter in your firewall rule. Note: all of these options have two dashes in front of them; for example, there are two hyphens in front of sport. Following are some of the most common options.

  • --sport (source port, for -p tcp or -p udp): By default all source ports are matched. You can specify either the port number or the name. For example, to use the SSH port in your firewall rule, use either “--sport 22” or “--sport ssh”. The /etc/services file contains all allowed port names and numbers. Using the port number in the rule is better (for performance) than using the port name. A range is also accepted; for example, 22:100 matches port numbers from 22 through 100.
  • --dport (destination port, for -p tcp or -p udp): Everything is the same as --sport, except that this is for destination ports.
  • --tcp-flags (TCP flags, for -p tcp): Possible values are SYN, ACK, FIN, RST, URG, PSH. This can contain multiple values separated by commas.
  • --icmp-type (ICMP type, for -p icmp): When you use the icmp protocol (“-p icmp”), you can also specify the ICMP type using the “--icmp-type” parameter.
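The shadowing problem described above, where a rule appended with -A after the final “drop all packets” rule can never match, can be checked for mechanically. The following script is an added example, not part of the original article; it parses the `-A chain ... -j target` format that `iptables -S` prints and runs here on a constructed sample ruleset, so it needs no root and no live firewall.

```python
"""Find iptables rules that can never match because a catch-all
DROP/REJECT earlier in the same chain already discards every packet,
i.e. rules that 'iptables -A' appended after the final drop-all rule."""
import shlex
from typing import Dict, List

# Constructed sample of `iptables -S` output (not taken from a real host).
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.5/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
"""
TERMINAL_TARGETS = {"DROP", "REJECT"}


def is_catch_all_drop(tokens: List[str]) -> bool:
    """True for '-A <chain> -j DROP|REJECT' with no -i/-o/-p/-s/-d/--dport
    match at all; a DROP that carries match criteria is not a catch-all."""
    return (len(tokens) == 4 and tokens[0] == "-A" and tokens[2] == "-j"
            and tokens[3] in TERMINAL_TARGETS)


def find_shadowed_rules(rules_text: str) -> Dict[str, List[str]]:
    """Return {chain: [rules that follow that chain's catch-all drop]}."""
    shadowed: Dict[str, List[str]] = {}
    closed_chains = set()          # chains whose catch-all drop was seen
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":   # skip -P/-N lines
            continue
        chain = tokens[1]
        if chain in closed_chains:
            shadowed.setdefault(chain, []).append(line)
        elif is_catch_all_drop(tokens):
            closed_chains.add(chain)
    return shadowed


if __name__ == "__main__":
    for chain, rules in find_shadowed_rules(SAMPLE_RULES).items():
        print(f"{chain}: {len(rules)} rule(s) appended after the drop-all rule:")
        for rule in rules:
            print("   ", rule)
```

Against a live system, feed it `iptables -S` output; the two INPUT rules for ports 443 and 53 and the FORWARD accept rule in the sample are exactly the kind of rule the article warns will be silently useless.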