From: Mike Baker Date: Mon, 6 Mar 2006 08:53:48 +0000 (+0000) Subject: clean up firewall examples X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=05fe55e40d149cfc11a622e1931636936043fc85;p=openwrt%2Fsvn-archive%2Farchive.git clean up firewall examples SVN-Revision: 3319
---
diff --git a/openwrt/package/base-files/default/etc/firewall.user b/openwrt/package/base-files/default/etc/firewall.user
index 7a13141623..c19f596887 100755
--- a/openwrt/package/base-files/default/etc/firewall.user
+++ b/openwrt/package/base-files/default/etc/firewall.user
@@ -11,17 +11,21 @@ iptables -t nat -F prerouting_rule
 iptables -t nat -F postrouting_rule
 ### BIG FAT DISCLAIMER
-### The "-i $WAN" literally means packets that came in over the $WAN interface;
-### this WILL NOT MATCH packets sent from the LAN to the WAN address.
+## The "-i $WAN" is used to match packets that come in via the $WAN interface.
+## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able
+## to see the effects from within the LAN.
-### Allow SSH on the WAN interface
+### Open port to WAN
+## -- This allows port 22 to be answered by (dropbear on) the router
 # iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
 # iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
 ### Port forwarding
-# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
-# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
+## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
+# iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
-### DMZ (should be placed after port forwarding / accept rules)
+### DMZ
+## -- Connections to ports not handled above will be forwarded to 192.168.1.2
 # iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
 # iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
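Review bot: The reworded disclaimer on the new side now states the wrong condition: it says `-i $WAN` "WILL NOT MATCH packets sent from the $WAN ip address", but the case the removed text described, and the one that actually trips people up, is LAN hosts connecting to the router's WAN address, whose packets arrive on the LAN interface and so never hit any `-i $WAN` rule (no NAT loopback). I would replace the two lines with `## it WILL NOT MATCH connections from LAN hosts to the router's $WAN address,` / `## so you cannot test these rules from inside the LAN -- test from outside.` The DMZ section also lost its explicit ordering caveat: the new "ports not handled above" comment only holds because `-A` appends and an earlier ACCEPT in prerouting_rule (e.g. the port 22 rule) ends nat processing, and since the catch-all carries no `-p`, placing it first sends every protocol and port reaching the WAN address, including the router's own services, to 192.168.1.2. Restoring that warning as `## -- Must be the last nat/forward rule: it matches every protocol and port, so anything the router should answer itself (e.g. SSH above) must be ACCEPTed before it.` keeps the example safe to copy.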