OpenWrt Forum Archive

Topic: firewall settings in nvram

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm a fan of saving the firewall settings in nvram, much like (I think) dd-wrt does. Accordingly, I have rewritten firewall.user to read from the nvram setting forward_spec -- I am also working on a web page to make setting these easier, but I haven't used haserl before, so there is a bit of a learning curve.

This firewall.user script only handles port forwarding, so far:

#!/bin/sh
# set WAN to the wan_ifname from nvram
WAN=$(nvram get wan_ifname)

# clear out the firewall rules
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule

# function to set forwarding rules: forward_rule proto port(s) dest_ip [dest_port]
forward_rule () {
  PROTO=$1
  DPORT=$2
  IP=$3
  # if a destination port is provided, DNAT to ip:port, otherwise keep the port.
  # FWDPORT is the port the packet carries after DNAT; that is what the
  # forwarding_rule match must look at (matching the pre-DNAT port there drops
  # every forward whose dest_port differs from the public port).
  if [ -n "$4" ]; then
    DEST="$IP:$4"
    FWDPORT=$4
  else
    DEST=$IP
    FWDPORT=$DPORT
  fi

  # if the port is a range, replace the - with a : AND don't pass a destination port to --to
  case "$DPORT" in
    *-*)
      DPORT=$(echo "$DPORT" | sed 's/-/:/')
      DEST=$IP
      FWDPORT=$DPORT
      ;;
  esac

  # set the rules
  echo "FORWARDING $PROTO:$2 TO $DEST"
  iptables -t nat -A prerouting_rule -i "$WAN" -p "$PROTO" --dport "$DPORT" -j DNAT --to "$DEST"
  iptables        -A forwarding_rule -i "$WAN" -p "$PROTO" --dport "$FWDPORT" -d "$IP" -j ACCEPT
}

# go through the nvram setting "forward_spec", setting rules accordingly
# forward_spec should be a space separated list, set as:
#          service_name:on|off:proto:forward_port(s):dest_ip[:dest_port]
# EXAMPLE: ssh:on:both:22:192.168.1.2:22
# EXAMPLE: bittorrent:on:tcp:6881-6999:192.168.1.3
OLDIFS=$IFS
for i in $(nvram get forward_spec)
do
  # split the entry on ':' into $1..$6 without passing nvram contents through eval
  IFS=:
  set -- $i
  IFS=$OLDIFS

  # only do this if the rule is currently enabled
  if [ "$2" = "on" ]; then

    # one protocol or both tcp/udp
    if [ "$3" = "both" ]; then
      forward_rule tcp "$4" "$5" "$6"
      forward_rule udp "$4" "$5" "$6"
    else
      forward_rule "$3" "$4" "$5" "$6"
    fi
  fi
done

The web configuration for the firewall (/www/cgi-bin/webif/firewall.sh):

#!/usr/bin/haserl
<?
. /usr/lib/webif/webif.sh

# create_fwform row service enable proto port ip destport: emit one table row
create_fwform() {
  echo "<tr>
        <td><input type=\"text\" name=\"service_$1\" value=\"$2\" size=16></td>
        <td><select id=\"protocol_$1\" name=\"protocol_$1\">"
  [ "$4" = "both" ] || [ "$4" = "" ] && echo '<option value="both" selected="selected">both</option> <option value="tcp">tcp</option> <option value="udp">udp</option>'
  [ "$4" = "tcp" ] && echo '<option value="both">both</option> <option value="tcp" selected="selected">tcp</option> <option value="udp">udp</option>'
  [ "$4" = "udp" ] && echo '<option value="both">both</option> <option value="tcp">tcp</option> <option value="udp" selected="selected">udp</option>'
  echo "</select></td>
        <td><input type=\"text\" name=\"port_$1\" size=9 value=\"$5\"></td>
        <td><input type=\"text\" name=\"ip_$1\" size=16 value=\"$6\"></td>
        <td><input type=\"text\" name=\"destport_$1\" size=6 value=\"$7\"></td>
        <td><select id=\"enable_$1\" name=\"enable_$1\">"
  [ "$3" = "on" ] && echo '<option value="on" selected="selected">Enabled</option> <option value="off">Disabled</option>'
  [ "$3" != "on" ] && echo '<option value="on">Enabled</option> <option value="off" selected="selected">Disabled</option>'
  echo "</select></td></tr>"
}

# eval_param: true only if all four named form variables are non-empty
eval_param(){
  if [ -n "`eval echo -n $1`" ] && [ -n "`eval echo -n $2`" ] && [ -n "`eval echo -n $3`" ] && [ -n "`eval echo -n $4`" ]
  then
    return 0
  else
    return 1
  fi
}

apply_fwchanges() {
  I=1
  # rows are numbered 1..count, so the last row must be included (-le, not -lt)
  while [ "$I" -le "$FORM_count" ]
  do
    if ( eval_param "\$FORM_service_$I" "\$FORM_protocol_$I" "\$FORM_port_$I" "\$FORM_ip_$I" )
    then
      if [ -n "$NEWRULE" ]
      then
        NEWRULE="$NEWRULE \$FORM_service_$I:\$FORM_enable_$I:\$FORM_protocol_$I:\$FORM_port_$I:\$FORM_ip_$I:\$FORM_destport_$I"
      else
        NEWRULE="\$FORM_service_$I:\$FORM_enable_$I:\$FORM_protocol_$I:\$FORM_port_$I:\$FORM_ip_$I:\$FORM_destport_$I"
      fi
    fi
    I=`expr $I + 1`
  done
  save_setting firewall forward_spec "`eval echo $NEWRULE`"
}

header "Network" "Firewall" "Configure firewall" ''

if ! empty "$FORM_submit"; then
  apply_fwchanges
fi

load_settings firewall
RULES=${forward_spec:-$(nvram get forward_spec)}

echo "<form enctype=\"multipart/form-data\" method=\"post\">
      <table>
      <tr><td>Service</td><td>Protocol</td><td>Port(s)</td><td>IP Address</td><td>Dest Port</td><td>Enabled</td></tr>"
COUNT=0
OLDIFS=$IFS
for rule in $RULES
do
  # split the rule on ':' into $1..$6 without passing nvram contents through eval
  IFS=:
  set -- $rule
  IFS=$OLDIFS
  COUNT=`expr $COUNT + 1`
  create_fwform "$COUNT" "$1" "$2" "$3" "$4" "$5" "$6"
done
# five blank rows for new entries
for rule in 1 2 3 4 5
do
  COUNT=`expr $COUNT + 1`
  create_fwform "$COUNT" "" "" "" "" "" ""
done
echo '</table>'
echo "<input type=\"hidden\" name=\"count\" value=\"$COUNT\">
      <input type=\"submit\" name=\"submit\" value=\"Update Changes\" />
      </form>"

footer ?>
<!--
##WEBIF:name:Network:5:Firewall
-->

I also had to make the following change to /usr/lib/webif/apply.sh:

--- apply.sh.orig       2005-12-31 20:49:16.501416792 -0500
+++ apply.sh    2005-12-31 20:49:04.664216320 -0500
@@ -6,6 +6,7 @@
        wireless) reload_wireless;;
        network) reload_network;;
        system) reload_system;;
+        firewall) reload_firewall;;
 '
 HANDLERS_file='
        hosts) rm -f /etc/hosts; mv $config /etc/hosts; killall -HUP dnsmasq ;;
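Review bot: the new `firewall) reload_firewall;;` case only fires when a setting is saved under the category `firewall`, so the category name here must match the one firewall.sh passes to `save_setting` (`save_setting firewall forward_spec ...`); if the two ever diverge, forward_spec is written to nvram but the running ruleset is left unchanged with no error. A one-line comment next to the case naming the page that saves under this category would make that dependency visible.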
@@ -42,6 +43,10 @@
        echo "$(nvram get wan_hostname)" > /proc/sys/kernel/hostname
 }
 
+reload_firewall() {
+        /etc/init.d/S45firewall
+}
+
 cd /tmp/.webif
 
 # file-*               other config files
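Review bot: `reload_firewall` invokes `/etc/init.d/S45firewall` with no argument; confirm the init script applies the ruleset when called that way rather than expecting `start` or `restart`, otherwise the web form saves forward_spec without changing any rule. Re-running the whole firewall script is safe for the forwarding rules, since firewall.user flushes forwarding_rule and prerouting_rule before re-adding them, but the function would benefit from a comment saying that it rebuilds every chain, not just the forwards.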

(Last edited by rayslinky on 1 Jan 2006, 02:59)
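Both scripts above split each forward_spec entry with `eval` and, on the web side, only check that the fields are non-empty before they reach nvram and iptables. The following sh validator is an added example written for this page, not code from rayslinky's post or from OpenWrt; it assumes the entry format documented in firewall.user, and the function names `is_port`, `is_port_spec`, `is_ipv4`, `validate_spec` and `filter_spec` are my own. It whitelists every field (service name, on/off, protocol, port or port range, dotted-quad IP, optional destination port) so that a malformed or unexpected entry is dropped instead of becoming a rule or a shell word.

```shell
#!/bin/sh
# Validator for forward_spec entries (added example, not part of the original post).
# Entry format, as documented in firewall.user:
#   service_name:on|off:proto:forward_port(s):dest_ip[:dest_port]
set -f   # fields are split with IFS only; never let a '*' in an entry glob filenames

# is_port NUM: true if NUM is an integer in 1..65535
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ ${#1} -le 5 ] || return 1
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_port_spec SPEC: a single port or a range lo-hi with lo <= hi
is_port_spec() {
  case "$1" in
    *-*)
      lo=${1%%-*}
      hi=${1#*-}
      is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ]
      ;;
    *)
      is_port "$1"
      ;;
  esac
}

# is_ipv4 ADDR: dotted quad with four octets in 0..255
is_ipv4() {
  case "$1" in
    ''|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS
  IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# validate_spec ENTRY: 0 if every field is well formed, 1 otherwise
validate_spec() {
  oldifs=$IFS
  IFS=:
  set -- $1
  IFS=$oldifs
  [ $# -ge 5 ] && [ $# -le 6 ] || return 1
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;   # service name: letters, digits, _ and - only
  esac
  case "$2" in on|off) ;; *) return 1 ;; esac
  case "$3" in tcp|udp|both) ;; *) return 1 ;; esac
  is_port_spec "$4" || return 1
  is_ipv4 "$5" || return 1
  if [ $# -eq 6 ]; then
    is_port "$6" || return 1
    # firewall.user drops dest_port for a range, so a range with dest_port is a mistake
    case "$4" in *-*) return 1 ;; esac
  fi
  return 0
}

# filter_spec LIST: echo only the entries of a space-separated list that validate;
# rejected entries are reported on stderr and never reach iptables or nvram
filter_spec() {
  out=''
  for entry in $1; do
    if validate_spec "$entry"; then
      out="${out:+$out }$entry"
    else
      echo "rejecting malformed forward_spec entry: $entry" >&2
    fi
  done
  echo "$out"
}
```

With these functions sourced, firewall.user can loop over `$(filter_spec "$(nvram get forward_spec)")` instead of the raw nvram value, and firewall.sh can call `validate_spec` on each assembled rule before `save_setting`, so a bad row in the form is refused at save time rather than discovered when a rule silently fails to load.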

It's pretty good, rayslinky. Since you made those settings in nvram, I hope you would know the pain I have, and at least you could be honest about whether the option I asked about is possible to make on my wrt54g v4. This is the URL I posted:

http://forum.openwrt.org/viewtopic.php?id=3261

I just wanted an honest answer on whether some firewall script like the one you wrote could help me with that.

Thanks in advance

The discussion might have continued from here.