Basic help with firewall rules/IP tables

dyce1980

Occasional Visitor
Did some searching and cannot find any basic info for noobs on how to implement firewall settings... I am in the process of testing different VPN services and one wants me to add/run this:

iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -o br0 -j ACCEPT
iptables -I INPUT -i tap0 -j REJECT
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE

What exactly does this do, and how would I go about adding it? Creating a firewall-start script and sshing it into the jffs folder? But then how do I know it's running? Forgive me but although very tech savvy, this is one area of the tech world I have not had to deal with much... thanks in advance for any help!
 
You do not have to enter any of these. They are automatically added by the firmware when you configure an OpenVPN client.
 
Iptables is basically the firewall for Linux. The rules that you gave are very basic rules to permit traffic and to do NAT (network address translation).

iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -o br0 -j ACCEPT

These two rules tell the firewall that traffic coming into the br0 interface and destined for the tap0 interface is to be allowed. The second rule is the same but in reverse.

iptables -I INPUT -i tap0 -j REJECT

This simply says to reject (send a message back saying that the packet did not reach the destination) all packets going into the tap0 interface.

iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE

This is where the NATting is taking place. This line says that packets going out of the tap0 interface are made to look like they originated from the tap0 interface. This is what most routers do when acting as gateways. This is not the only way to do NATting.

This is really an oversimplification of what these rules are and what they do. iptables can be very complex and if you want to learn more here is a site for the Linux man page http://linux.die.net/man/8/iptables

As far as your other question, this is easy to check. You can go to runcmd tab in tools and type

Code:
iptables -L FORWARD -v
or
Code:
iptables -t nat -L POSTROUTING -v

These are case sensitive btw.

These will give you the output of the chains POSTROUTING and FORWARD in the nat and filter tables. A good ssh tool is PuTTY. Make sure to enable ssh in the web interface before trying to connect.

Hope that answers your question.
 
