iptables question

Hans Fugal hans at fugal.net
Tue Nov 4 06:35:28 MST 2008


I'm not a fan of the OpenWRT firewall scripts (I have yet to meet a
one-size-fits-all firewall script that I even remotely like), so I just
hijack /etc/firewall.user with my own script which flushes the chains,
does its thing, then calls exit. Since this file is sourced by the
firewall boot script, you effectively commandeer the firewall.

Mike Lovell wrote:
> Stuart Jansen wrote:
>> On Mon, 2008-11-03 at 20:39 -0700, Mike Lovell wrote:
>>
>>> As for the suggestion to reinstall the OS, I'm not entirely sure how
>>> to go about that. The machine is a Linksys NSLU2 that I hacked and
>>> loaded Debian on. Things were touchy getting it installed so I'd
>>> rather try other solutions first. Thanks though.
>>>
>>
>> I was referring to the compromised file server. Surely that isn't a
>> linksys.
>>
>> As for your firewall problem, it's hard to debug a firewall without
>> looking at _all_ rules. If you're comfortable giving us the entire rule
>> set, run "iptables-save" and send us the output.
> Actually, the file server is another Linksys box. The NSLU2 is a neat
> little box that Linksys released a couple years ago. It has two USB 2.0
> ports and an Ethernet port. It is meant to share a USB drive on a
> network. Like many Linksys devices from the past, it was very hackable.
> I hooked up a spare hard drive, installed Debian, set up a file share, and
> hooked up two USB printers. It worked relatively well for my parents
> and at the time was only $90. Good stuff.
> 
> After taking some time looking at the extra stuff that OpenWRT does, I
> found that in the middle of the FORWARD table, they redirect over to a
> new table called forwarding_rule. I was appending a rule to the end of
> FORWARD and nothing was ever getting there. I added some explicit
> accepts to the forwarding_rule table followed by a REJECT for everything
> else. And it appears to be working. I can do aptitude update and
> aptitude is able to pull the package lists but if I use links to go to
> google.com, I get a connection refused. So for anyone who wants to do
> something similar on a Linksys running OpenWRT, add your rules to
> forwarding_rule and not FORWARD.
> 
> Thanks everyone for the input.
> 
> Mike


-- 
Hans Fugal ; http://hans.fugal.net

There's nothing remarkable about it. All one has to do is hit the
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
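Putting the two points of the thread together (Hans's trick of taking over /etc/firewall.user with a script that flushes, loads its own rules and exits, and Mike's finding that OpenWRT jumps from FORWARD into a forwarding_rule chain, so that is where the rules belong), here is a constructed drop-in firewall.user. It is an added example, not code posted in the thread or shipped by OpenWRT. The interface names (br-lan, eth0.1), the LAN network 192.168.1.0/24 and the DRY_RUN/render_rules review mode are assumptions of this example, not anything the thread states.

```shell
#!/bin/sh
# Drop-in /etc/firewall.user (constructed example, not code from the thread or
# from OpenWRT). The stock firewall boot script sources this file; when it
# reaches our "exit" the rest of the stock rules never get loaded, which is
# the take-over trick described above. Following Mike's finding, the actual
# policy lives in the forwarding_rule chain that FORWARD jumps to.
#
# Assumed (not from the thread): br-lan is the LAN bridge, eth0.1 the WAN
# port, 192.168.1.0/24 the LAN network. Override them via the environment.
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-eth0.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# ipt: wrapper around iptables. With DRY_RUN=1 it prints the command instead
# of running it, so the rule set can be reviewed on any machine.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# load_rules: flush the chains the stock script filled, then install ours.
load_rules() {
    ipt -N forwarding_rule 2>/dev/null   # no-op if the stock script made it
    ipt -F FORWARD
    ipt -F forwarding_rule
    ipt -P FORWARD DROP                  # anything that falls through is dropped

    # FORWARD only hands off to forwarding_rule; every decision happens there.
    ipt -A FORWARD -j forwarding_rule

    # Replies to connections the LAN opened.
    ipt -A forwarding_rule -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Explicit accepts for LAN -> WAN: DNS, HTTP, HTTPS.
    ipt -A forwarding_rule -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A forwarding_rule -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    ipt -A forwarding_rule -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT
    ipt -A forwarding_rule -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 443 -j ACCEPT
    # Log (rate-limited) and reject everything else: a blocked client gets a
    # "connection refused" instead of a hang, and the log shows what was blocked.
    ipt -A forwarding_rule -m limit --limit 10/min -j LOG --log-prefix "fw-reject: "
    ipt -A forwarding_rule -p tcp -j REJECT --reject-with tcp-reset
    ipt -A forwarding_rule -j REJECT
}

# render_rules: print the rule set without touching the kernel (for review).
render_rules() (
    DRY_RUN=1
    load_rules
)

# Apply for real only on the router (root, iptables present, not a dry run);
# anywhere else just print what would be loaded. The exit is what stops the
# stock firewall script from adding its own rules after ours.
if [ "${DRY_RUN:-0}" != "1" ] && [ "$(id -u)" = "0" ] && command -v iptables >/dev/null 2>&1; then
    load_rules
    exit 0
fi
render_rules
```

Run it with `DRY_RUN=1 sh firewall.user` on a workstation to review the rules before copying the file to the router; the FORWARD chain ends up holding nothing but the jump, so anything appended to FORWARD later (the mistake from the thread) would never be reached if the stock script re-inserted its jump ahead of it, which is exactly why the policy sits in forwarding_rule.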
