Differences

This shows you the differences between two versions of the page.

doc:uci:firewall [2013/10/29 10:32]
zorun DNAT example: make it compatible with NAT reflection
doc:uci:firewall [2014/08/22 17:21] (current)
zorun Fix SSH redirection example
Line 90: Line 90:
//Redirects are also commonly known as "port forwarding", and "virtual servers".// //Redirects are also commonly known as "port forwarding", and "virtual servers".//
 +
 +Port ranges are specified as ''start:stop'', for instance ''6666:6670''.  This is similar to the iptables syntax.
The options below are valid for //redirects//: The options below are valid for //redirects//:
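Review bot: the added sentence introduces the ''start:stop'' form without saying which options accept it; since it sits directly above the option table, state that it applies to the port options (''src_dport'', ''dest_port'' in the redirect example below) and whether both ends of the range are inclusive. The same sentence is inserted again in the rule section; identical wording is fine, but change both together if one of them is edited.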
Line 134: Line 136:
  * If only ''dest'' is given, the rule matches //outgoing// traffic   * If only ''dest'' is given, the rule matches //outgoing// traffic
  * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule   * If neither ''src'' nor ''dest'' are given, the rule defaults to an //outgoing// traffic rule
 +
 +Port ranges are specified as ''start:stop'', for instance ''6666:6670''.  This is similar to the iptables syntax.
Valid options for this section are: Valid options for this section are:
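Review bot: this paragraph is a verbatim copy of the one inserted above the redirect options at line 90; if the page has a common options section, one shared paragraph there would stop the two from drifting apart. It would also help to point at a concrete use, since the IPv6 example added further down already relies on this form (''option dest_port 1024:65535'').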
Line 261: Line 265:
This example enables machines on the internet to use SSH to access your router. This example enables machines on the internet to use SSH to access your router.
-==== Forwarding ports (Destination NAT/DNAT) ====+==== Port forwarding for IPv4 (Destination NAT/DNAT) ====
This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10: This example forwards http (but not HTTPS) traffic to the webserver running on 192.168.1.10:
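Review bot: renaming the heading changes the section anchor DokuWiki derives from the heading text, so existing links to the old ''Forwarding ports (Destination NAT/DNAT)'' section will no longer land here; check incoming links (or keep the old wording somewhere in the heading) before committing the rename. Scoping the title to IPv4 is correct, since the DNAT redirect below does not apply to the IPv6 rules added in the next section.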
Line 277: Line 281:
<code> <code>
-config 'redirect' +config redirect 
-        option 'name' 'ssh' +        option src      wan 
-        option 'src' 'wan' +        option src_dport 5555 
-        option 'proto' 'tcpudp' +        option proto     tcp 
-        option 'src_dport' '5555' +        option dest      lan 
-        option 'dest_ip' '192.168.1.100' +        option dest_ip   192.168.1.100 
-        option 'dest_port' '22+        option dest_port 22 
-        option 'target' 'DNAT' +</code> 
-        option 'dest' 'lan'+ 
 +==== Port forwarding for IPv6 ==== 
 + 
 +To open port 80 so that a local webserver at ''2001:db8:42::1337'' can be reached from the Internet: 
 + 
 +<code> 
 +config rule 
 +        option src      wan 
 +        option proto    tcp 
 +        option dest      lan 
 +        option dest_ip  2001:db8:42::1337 
 +        option dest_port 80 
 +        option family    ipv6 
 +        option target   ACCEPT 
 +</code> 
 + 
 +To open SSH access to all IPv6 hosts in the local network: 
 + 
 +<code> 
 +config rule 
 +        option src      wan 
 +        option proto    tcp 
 +        option dest     lan 
 +        option dest_port 22 
 +        option family    ipv6 
 +        option target    ACCEPT 
 +</code> 
 + 
 +To open all TCP/UDP port between 1024 and 65535 towards the local IPv6 network: 
 + 
 +<code> 
 +config rule 
 +        option src      wan 
 +        option proto    tcpudp 
 +        option dest      lan 
 +        option dest_port 1024:65535 
 +        option family    ipv6 
 +        option target    ACCEPT
</code> </code>
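Review bot: the last IPv6 rule (''option proto tcpudp'', ''option dest_port 1024:65535'', no ''dest_ip'') accepts inbound traffic to every host in the LAN zone on every unprivileged port; the sentence introducing it ("To open all TCP/UDP port between 1024 and 65535 towards the local IPv6 network", which also needs "ports") should say plainly that this exposes any service listening on a high port on any host, so it is not copied as a default. Two smaller points: the IPv6 rules use ''option src wan'' while the forwarding example later on this page uses a ''wan6'' zone, so the text should say which zone the IPv6 uplink belongs to, otherwise these rules never match for readers with a separate wan6 zone; and the rewritten SSH redirect drops ''option name 'ssh''' and ''option target 'DNAT''', which is only safe to do if the page states that DNAT is the default target for ''redirect'' sections, and keeping a ''name'' makes the entry identifiable later.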
Line 478: Line 519:
<code> <code>
config zone config zone
 +        option name            example
        option input            ACCEPT         option input            ACCEPT
        option output          ACCEPT         option output          ACCEPT
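Review bot: adding ''option name example'' is the right fix, because rules and forwardings refer to zones by name (''option src wan'', ''option dest lan'' elsewhere in this diff) and a zone without a name cannot be referenced; the prose introducing this block should say so, since a reader who pasted the previous version would have had no indication why their rules did not match.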
Line 492: Line 534:
<code> <code>
config zone config zone
 +        option name            example
        option input            ACCEPT         option input            ACCEPT
        option output          ACCEPT         option output          ACCEPT
Line 508: Line 551:
<code> <code>
config zone config zone
 +        option name            example
        option input            ACCEPT         option input            ACCEPT
        option output          ACCEPT         option output          ACCEPT
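Review bot: this is the third zone example on the page given the same ''option name example''; if the three blocks are alternatives that is fine, but if a reader combines them into one config the duplicate names collide, so either give each example a distinct name or state that they are mutually exclusive variants of one zone.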
Line 546: Line 590:
option dest lan option dest lan
option src wan6 option src wan6
 +#you don't need the below as you can a firewall rule to open the port that you need
config forwarding config forwarding
option dest wan6 option dest wan6
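Review bot: the added comment is missing a verb ("you can a firewall rule" should read "you can add a firewall rule"), and its placement is ambiguous: it says "the below", but the stanza just above it (''option dest lan'' / ''option src wan6'') is the one that forwards everything from the IPv6 WAN zone into the LAN, which is exactly what a single port-opening rule replaces, while the stanza below it (''option dest wan6'') is the other direction. Move the note above the stanza it refers to and give the reason in prose rather than as a ''#'' line inside the config fragment, so it is not lost if the fragment is copied into a config that is later rewritten by ''uci commit''.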
Line 603: Line 647:
When connection attempts are //dropped// the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue. When connection attempts are //dropped// the client is not aware of the blocking and will continue to re-transmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they're able to continue.
 +
 +Also there is an interesting article which that claims dropping connections doesnt make you any safer - [[http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject|Drop versus Reject]].
**DROP** **DROP**
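Review bot: "which that claims" and "doesnt" need fixing ("an article which claims that dropping connections doesn't make you any safer"). Also give the argument in one clause rather than only the link, since the paragraph above covers only the usability cost of DROP and the link text alone does not tell the reader why REJECT might be preferable.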

doc/uci/firewall.1383039171.txt.bz2 · Last modified: 2013/10/29 10:32 by zorun