I just had to like that reply.
So yes, I do apologize, I should elaborate a bit. This is an example of a section of rules I have:
Code:
# --------- Access to user ABC -----------------------------
iptables -A INPUT -s 101.101.101.101 -p tcp -m multiport --dports 20002,20001 -j ACCEPT
iptables -A INPUT -s 101.101.101.101 -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20001 -j DNAT --to 10.10.0.10:22
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 22 -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20002 -j DNAT --to 10.10.0.10:1001
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 1001 -j ACCEPT
# --------- Access to user ABC (end) -----------------------------
This allows me to keep blocks that are altogether meant for a specific purpose together, instead of having them split up between separate startup scripts. I can simply disable an entire section of rules that is meant for a specific purpose without having to remember or figure out which NAT rule correlates with which custom rule. Based on these definitions:
firewall-start
Called after the firewall got started and filtering rules have been applied. This is where you will usually put your own custom rules in the filter table (but not the NAT table). The script receives the WAN interface name (e.g. ppp0) as an argument which can be used in the script using $1.
nat-start
Called after NAT rules (i.e. port forwards and such) have been applied to the NAT table. This is where you will want to put your own NAT table custom rules (e.g. a port forward that only allows connections coming from a specific IP).
Thinking what I need to do is:
firewall-start:
iptables -A INPUT -s 101.101.101.101 -p tcp -m multiport --dports 20002,20001 -j ACCEPT
iptables -A INPUT -s 101.101.101.101 -p tcp -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 1001 -j ACCEPT
nat-start:
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20001 -j DNAT --to 10.10.0.10:22
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20002 -j DNAT --to 10.10.0.10:1001
Probably a really dumb ask, but I'd prefer NOT to split the rules up. My goal is not to rewrite every rule and have to retest. I just want to dump a set of iptables rules from my old router and paste them into the Asus Merlin one as-is.
The link you provided is definitely helpful in terms of refining some of the old cr@p I have on the old router, but at a cost of a lot of time and retesting each rule. Hoping to avoid that.
Thx
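One way to keep the sectioned rules in a single file while still honouring the firewall-start / nat-start split described above is to let each hook pull only the lines for its own table. The script below is an added example written for this thread; it is not code from the post or from Asus Merlin. It assumes a rules file in the post's layout (the sample file is constructed here from the rules shown above), that the Merlin hook scripts live under /jffs/scripts (an assumption about the firmware layout), and the file and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the forum post or Asus Merlin firmware).
# Keep one sectioned iptables rules file; each hook applies only the
# lines that belong to its table, so sections never have to be split.

# Path of the rules file; hypothetical default, override via environment.
RULES_FILE="${RULES_FILE:-/tmp/myrules.conf}"

# Write a constructed sample file in the same layout as the post.
write_sample_rules() {
  cat > "$RULES_FILE" <<'EOF'
# --------- Access to user ABC -----------------------------
iptables -A INPUT -s 101.101.101.101 -p tcp -m multiport --dports 20002,20001 -j ACCEPT
iptables -A INPUT -s 101.101.101.101 -p tcp -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20001 -j DNAT --to 10.10.0.10:22
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 22 -j ACCEPT
iptables -t nat -I PREROUTING -s 101.101.101.101 -p tcp --dport 20002 -j DNAT --to 10.10.0.10:1001
iptables -I FORWARD -p tcp -d 10.10.0.10 --dport 1001 -j ACCEPT
# --------- Access to user ABC (end) -----------------------------
EOF
}

# select_rules TABLE FILE
# Print only the rule lines that target TABLE ("filter" or "nat").
# Comment and blank lines (the section markers) are skipped. A line
# without "-t" belongs to the filter table, iptables' default table.
select_rules() {
  table="$1"; file="$2"
  grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
  awk -v want="$table" '
    {
      t = "filter"
      for (i = 1; i <= NF; i++) if ($i == "-t") t = $(i + 1)
      if (t == want) print
    }'
}

# count_rules TABLE FILE: number of rule lines selected for TABLE.
count_rules() {
  select_rules "$1" "$2" | wc -l | tr -d ' '
}

# apply_rules TABLE FILE [CMD]
# Run each selected line. CMD replaces the leading word "iptables"
# (default: iptables) so the function can be dry-run with a stand-in.
apply_rules() {
  table="$1"; file="$2"; cmd="${3:-iptables}"
  select_rules "$table" "$file" | while IFS= read -r line; do
    set -- $line      # split the rule into words; $1 is "iptables"
    shift             # drop it and hand the options to CMD
    "$cmd" "$@"
  done
}

# Stand-alone demo: `sh thisscript.sh demo` prints what each hook would run.
if [ "${1:-}" = "demo" ]; then
  write_sample_rules
  echo "firewall-start would run:"; apply_rules filter "$RULES_FILE" echo
  echo "nat-start would run:";      apply_rules nat    "$RULES_FILE" echo
fi
```

With the functions sourced from a shared script, /jffs/scripts/firewall-start would call `apply_rules filter /jffs/configs/myrules.conf` and /jffs/scripts/nat-start would call `apply_rules nat /jffs/configs/myrules.conf` (both paths assumed), so the old router's file can be pasted in unchanged and a whole section still disabled by commenting it out. The filter rules are applied with the same -A / -I semantics the file uses, so ordering within a section is preserved exactly as on the old router.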