ASUS-wrt Entware plus adding additional firewall rules


Z06Frank

I'm new to using Entware on an ASUS RT-AX88U running the latest ASUS-wrt Merlin firmware 386.1.2. I recently set up Entware (and Skynet, Diversion, pixelserv-tls, etc...). All is good with what I've added, and set-up was fairly easy using this post below:

https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483441

Now I'm trying to learn how to add additional firewall rules on the router side of a LAN set-up that has a fully functioning pihole (raspberry pi3B+) and a Linux OMV server (new Kobol Helios64 on latest armbian and OMV). The server is new and I'm going down the rabbit hole of trying to get Wireguard VPN to work on the OMV server via docker compose. Either way, my question is about adding new firewall rules via SkyNet (I think). I followed this post without success (other than breaking SkyNet's internet connection...and repairing it with updates/and the help menus):

https://github.com/RMerl/asuswrt-merlin.ng/wiki/Installing-Transmission-through-Entware

Here are the iptables firewall rules I'd like to add (they are some NAT redirect rules for my pihole (.103) and forcing port forward of 51820 for Wireguard):

iptables -t nat -A PREROUTING -s 192.168.1.103 -j ACCEPT
iptables -t nat -A PREROUTING -d 192.168.1.1 -j ACCEPT
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 192.168.1.103
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 192.168.1.103

iptables -I INPUT -p udp --destination-port 51820 -j ACCEPT

How and where do I add these rules via Entware? I have "nano" active and working for file editing. Do I add these rules to "firewall-start"?

Here are my files on my USB3.0:

XXXnet@RT-AX88U:/tmp/home/root# cd /tmp/mnt/data/
XXXnet@RT-AX88U:/tmp/mnt/data# ls
entware lost+found myswap.swp skynet

Here are my jffs scripts folders

XXXnet@RT-AX88U:/tmp/home/root# cd /jffs/scripts/
XXXnet@RT-AX88U:/jffs/scripts# ls
YazDHCP firewall post-mount service-event services-stop
dnsmasq.postconf firewall-start scmerlin services-start unmount

New noob in the Entware world help......thanks:)
 
The firewall (and its rules) has nothing to do w/ Entware, so you would add firewall rules like you always do, Entware or no Entware; using a nat-start script for NAT rules, and firewall-start for all others.

That said, whether those rules as presently constructed are going to result in the change of behavior you desire remains a question. I don't fully understand the intent. I can only draw inferences based on what it appears to be doing, but I may be wrong.
 
As I learn Entware further I'm sure I'll get the understanding of underlying uses/applications. Then I should rephrase my question.....how does one add a properly built NAT rules file and execute it?

I assume it will go in the "/jffs/scripts/" folder and be called "nat-start", and begin with the typical "#!/bin/sh" scripting. Attached is what I built so far.....

If this is correct how do I execute it?
 

Attachments

  • nat-start.txt
    335 bytes · Views: 165
Yes. And JFFS and JFFS scripts have to be enabled in Administration->System. And the script has to be marked executable w/ chmod. Once the system reboots, it will automatically be executed at the proper time.
 
If this is correct how do I execute it?
The router normally executes user scripts automatically at the appropriate time (given the settings in the previous post). If you want to force the router to pick up any changes to your script you can either reboot the router or issue the following command: service restart_firewall

P.S. You have posted your question in the wrong forum as your question is specific to Merlin's firmware.
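Putting the answers above together, here is an added example (not a script from this thread, from the poster's attachment, or from the Merlin project) of one user script that installs the rules from the first post. The same file can be installed as /jffs/scripts/nat-start and again as /jffs/scripts/firewall-start; it applies the NAT rules or the filter rule depending on the file name it is invoked by. Because user scripts get rerun (on reboot, or after service restart_firewall), each rule is first checked with iptables -C and only added when absent, so repeated runs do not stack duplicate entries. The IPT variable and the name-based dispatch are this example's own conventions, assumed so the functions can be exercised without touching a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Merlin project.
# Install as /jffs/scripts/nat-start (NAT table) and as
# /jffs/scripts/firewall-start (filter table); the file name decides which
# rule set is applied. Assumes Asuswrt-Merlin's user-script hooks with JFFS
# scripts enabled and the file marked executable (chmod a+rx).
IPT="${IPT:-iptables}"     # overridable so the logic can be dry-run or tested
PIHOLE="192.168.1.103"     # addresses and port from the original post
ROUTER="192.168.1.1"
WG_PORT="51820"

# ensure_rule TABLE ACTION CHAIN MATCH... : add the rule only if `iptables -C`
# reports it absent. ACTION is -A (append) or -I (insert at the top).
ensure_rule() {
  table="$1"; action="$2"; chain="$3"; shift 3
  if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0                      # already present, nothing to do
  fi
  "$IPT" -t "$table" "$action" "$chain" "$@"
}

# NAT rules from the post (applied when invoked as nat-start).
apply_nat_rules() {
  ensure_rule nat -A PREROUTING -s "$PIHOLE" -j ACCEPT
  ensure_rule nat -A PREROUTING -d "$ROUTER" -j ACCEPT
  ensure_rule nat -A OUTPUT -p udp --dport 53 -j DNAT --to "$PIHOLE"
  ensure_rule nat -A OUTPUT -p tcp --dport 53 -j DNAT --to "$PIHOLE"
}

# Filter rule from the post (applied when invoked as firewall-start).
apply_filter_rules() {
  ensure_rule filter -I INPUT -p udp --destination-port "$WG_PORT" -j ACCEPT
}

# Dispatch on the name the firmware invokes us by; any other name is a no-op,
# so the functions can be sourced and exercised without changing the firewall.
case "${0##*/}" in
  nat-start)      apply_nat_rules ;;
  firewall-start) apply_filter_rules ;;
esac
```

After saving both copies, mark them executable (chmod a+rx /jffs/scripts/nat-start /jffs/scripts/firewall-start) and either reboot or run service restart_firewall, as described above; a second run leaves the rule count unchanged, which you can confirm with iptables -t nat -S and iptables -S INPUT.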
 
Guys.....you both answered my questions, and I know what to do now. One last question and I'll be finished (and anything further on Merlin support I will move to the proper forum). I read that ASUS router /Jffs/scripts don't survive reboots, power losses, etc....

Is this true? From your answer above this seems not the case....please confirm. Thanks......
 
I read that ASUS router /Jffs/scripts don't survive reboots, power losses, etc....
Not true. However, they will be wiped out if you select the option to "reformat jffs" or do a factory reset with the "initialise" option checked. There are options in the GUI to backup or restore the jffs partition.
 
That makes perfect sense.....there's so much misinformation across the web that sometimes it's hard to disseminate bad info.
 