openwrt

noob iptables cheat sheet

Notes:

  1. All rules are processed from top to bottom.  Once a rule is matched (with a jump), the rest are ignored.
  2. Never run iptables -F if the default policies are DROP, or your system will become inaccessible.  If possible, set the default policy to ACCEPT and add iptables -A INPUT -j DROP at the end.

List all rules

iptables -L -n -v --line-numbers

Flush all chains (-F) and delete all user-defined chains (-X)

Note: Please ensure the default policy is ACCEPT or leave a ssh terminal before issuing

iptables -F

iptables -X

Set default policy (use with care)

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT DROP

Block incoming ip address

iptables -A INPUT -s aa.bb.cc.dd -j DROP

Block outgoing sites

iptables -A OUTPUT -p tcp -d www.microsoft.co.uk -j DROP

Allow ping from specific ip’s only

iptables -A INPUT -s 1.2.3.0/24 -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Allow ssh from specific ip’s only

iptables -A INPUT -s 1.2.3.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j DROP

Block incoming web access

iptables -A INPUT -p tcp --dport 80 -j DROP

Port forward

Forward incoming connection to another internal host (aa.bb.cc.dd:22)

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1022 -j DNAT --to-destination aa.bb.cc.dd:22

iptables -A FORWARD -p tcp -d aa.bb.cc.dd --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Delete a rule

iptables -L -n -v --line-numbers

iptables -D INPUT {line-number}
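The rules above, assembled in the lockout-safe order from note 2 (policies to ACCEPT, flush, specific allows, catch-all DROP last) together with the port forward. This is an added example, not a script from the original page; eth0, the 1.2.3.0/24 admin network and the internal host 192.168.1.10 are assumed placeholder values. Call apply_rules echo to preview the commands without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the original page): the cheat sheet's rules applied
# in the lockout-safe order of note 2, plus the port forward. Pass a command
# as $1 to preview, e.g. "apply_rules echo"; default is the real iptables.
ADMIN_NET="1.2.3.0/24"      # hosts allowed to ping and ssh (value from the page)
WAN_IF="eth0"               # external interface (assumed, as on the page)
INT_HOST="192.168.1.10"     # internal ssh host, constructed placeholder

apply_rules() {
    ipt="${1:-iptables}"

    # 1. Policies to ACCEPT first, so the flush below can never lock us out.
    $ipt -P INPUT ACCEPT
    $ipt -P FORWARD ACCEPT
    $ipt -P OUTPUT ACCEPT
    $ipt -F
    $ipt -X
    $ipt -t nat -F

    # 2. Loopback and replies to our own connections stay allowed.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. The cheat sheet's specific allows: ping and ssh from the admin net.
    $ipt -A INPUT -s "$ADMIN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    $ipt -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 4. Port forward 1022 -> INT_HOST:22 (DNAT) and let the forwarded flow
    #    through FORWARD. The kernel also needs net.ipv4.ip_forward=1.
    $ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 1022 \
        -j DNAT --to-destination "$INT_HOST:22"
    $ipt -A FORWARD -p tcp -d "$INT_HOST" --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT

    # 5. Catch-all DROP as the last INPUT rule instead of a DROP policy.
    $ipt -A INPUT -j DROP
}

# Returns 0 when the preview starts with the ACCEPT policy and ends with
# the catch-all DROP, i.e. the order that makes a flush safe.
check_order() {
    first=$(apply_rules echo | head -n 1)
    last=$(apply_rules echo | tail -n 1)
    [ "$first" = "-P INPUT ACCEPT" ] && [ "$last" = "-A INPUT -j DROP" ]
}
```

Source the file, review apply_rules echo, then run apply_rules as root from a session you can afford to lose.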


Openwrt sysupgrade on x86 (barrier breaker)

WARNING: Before upgrading, you should back up the system first!!!

Disclaimer: This is just my experience.  There is no guarantee that the steps listed will work on your system.


Upgrading OpenWrt on x86 used to be very tricky.  Since Attitude Adjustment (12.09), however, it has become an easy task.

The following steps upgrade to the latest snapshot (Barrier Breaker).  Change the image downloaded in step 4 to match the desired version.

  1. Do a full system backup to avoid any loss.  This is very important!!!
  2. Log in to the system as root
  3. cd /tmp
  4. wget http://downloads.openwrt.org/snapshots/trunk/x86/openwrt-x86-generic-combined-ext4.img.gz
  5. sysupgrade -v /tmp/openwrt-x86-generic-combined-ext4.img.gz


Openwrt in Hyper-V

Want to add an OpenWrt machine in Hyper-V for testing?  Sadly, OpenWrt does not include the Hyper-V driver for the network device.

(Un)luckily there is a legacy network adapter in Hyper-V that can be used with OpenWrt.

Steps to add openwrt machine inside hyper-v:

  • In Hyper-V, add a machine with 64-128MB RAM and a legacy network adapter.
  • Copy the OpenWrt image to the virtual hard disk.
  • Mount the virtual hard disk (mount /dev/sda2 /mnt) and copy the tulip driver package to it.
  • Boot the OpenWrt machine.
  • Inside the OpenWrt machine, install the tulip driver (cd /; opkg install kmod-tulip_3.3.8-1_x86.ipk)
  • Run ifconfig -a to check the name of the network device.
  • Modify /etc/config/network as usual and restart the network (or reboot).