iptables access from specified ip to router

spikehome

Regular Contributor
Hello,

I made a file called firewall-start in my /jffss/scripts and made it executable.

I want to access my router through the web interface from specified IP addresses.
The web interface runs at port 5445
and I made a rule in the firewall-start file like this:
iptables -I INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port 5445 -j ACCEPT
iptables -I INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port 22 -j ACCEPT

One rule for the web access and one for the SSH access.
Are the rules right?

Also, I want to make a rule to access a web service behind the router from the specified address.
What rule must I use?
I want to access it from port 8081 outside to port 80 inside IP 192.168.xxx.xxx


edit:
It seems that when I change something in the web interface, like Parental Control, I need to execute the firewall script?

Regards
 
Make sure you did enable custom script support under Administration -> System, that the script is executable, starts with a shebang, and is encoded with UNIX, not Windows end of lines.
 
Tnx RMerlin,

Checked the settings at Administration/System and it was on.
Also added the line with vi through the SSH console.

script location = /jffss/scripts/firewall-start
and it's executable
I can start it with "sh /jffss/scripts/firewall-start"

But is the iptables rule fine?
 
Tested the firewall with the grc.com ShieldsUP site.
Saw that some ports are open?
Ports 135, 137, 138 and 445
Not opening any ports!!
 
If the test really states "Open" (and not just "not stealthed"), then either you have disabled the router's firewall, or your ISP is doing some weird filtering on those ports that confuses the tests.

These ports are definitely not allowed in by the router when in default mode.
 
Try specifying the full path to iptables. It's advisable in scripts, as the context in which these scripts are run might not always have a full search path.
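
A pre-flight check for the points raised in the replies above (execute bit, shebang, UNIX line endings, full path to iptables), as an added example that is not part of the original thread. The function name `check_firewall_script`, its finding labels and the sample address 203.0.113.10 are assumptions made for illustration.

```sh
#!/bin/sh
# Lint a firewall-start style script for the problems named in this thread.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_firewall_script() {
    f=$1; rc=0
    if [ ! -f "$f" ]; then echo "MISSING"; return 1; fi
    # Execute bit: look at the mode string, as "ls -l" shows it.
    case $(ls -ld "$f" | cut -c2-10) in
        *x*) ;;
        *) echo "NOT_EXECUTABLE"; rc=1 ;;
    esac
    # The first line must start with a shebang.
    case $(head -n 1 "$f") in
        '#!'*) ;;
        *) echo "NO_SHEBANG"; rc=1 ;;
    esac
    # A carriage return anywhere means Windows (CRLF) line endings.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then echo "CRLF"; rc=1; fi
    # iptables called by bare name at the start of a line (no absolute path).
    bare=$(grep -nE '^[[:space:]]*iptables([[:space:]]|$)' "$f" |
           sed 's/:.*//; s/^/BARE_IPTABLES:/')
    if [ -n "$bare" ]; then echo "$bare"; rc=1; fi
    return "$rc"
}

# Constructed sample: no shebang, CRLF endings, bare iptables, not executable.
demo=$(mktemp)
printf 'iptables -I INPUT -s 203.0.113.10 -p tcp --destination-port 5445 -j ACCEPT\r\n' > "$demo"
echo "== broken sample"
check_firewall_script "$demo" || true

# Same rule with the advice applied (constructed).
printf '#!/bin/sh\n/usr/sbin/iptables -I INPUT -s 203.0.113.10 -p tcp --destination-port 5445 -j ACCEPT\n' > "$demo"
chmod +x "$demo"
echo "== fixed sample"
check_firewall_script "$demo" && echo "OK"
rm -f "$demo"
```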
 
Hmm, you could be right, because my cable modem is in bridge mode.
But the ports are open, not stealth.

Will try tonight.
At the moment I am at work and also cannot log in with OpenVPN.

Tnx anyway, I will put my answer here.
 
Sadly enough, no success.
Tried installing the latest Merlin from the Asus recovery mode.
But my configuration was still there :S
Installed Tomato with the recovery mode, and Tomato seems to also have my configuration, very rare.
EDIT: reset nvram did the trick
The rules in my firewall-start seem not to work.
What am I doing wrong?
 
Back again.
Turned on remote SSH access
so I can test from the internet.
The SSH connection to my router works.
Logged in to my router.
Type: vi /jffs/scripts/firewall-start
There is:
/usr/sbin/iptables -I INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port 5445 -j ACCEPT
Quit with :wq or, when nothing is changed, :q!

Then type:
ls -l /jffs/scripts/firewall-start
-rwxrwxrwx 1 admin root 88 Sep 30 11:12 /jffs/scripts/firewall-start
So it is executable.
Type sh /jffs/scripts/firewall-start
Go to the browser and type my remote DNS and port,
and I have my web access page from the router.
Reboot the router, try again, and no access to the web page.

It seems the script is not started after a reboot or when the router is turned on.
 
