Posted: Sat Oct 16, 2021 3:25 Post subject: dd-wrt firewall—can the firewall script run shell programs
I took my iptables commands and put them into a shell script in a flashdrive mounted to /opt/. I set my firewall to that file via ddwrt>Administration>Commands
and rebooted. Nothing happened. So I thought maybe I need to directly call /bin/sh to get it to work. Still no dice.
The script is indeed committed:
Code:
root@ddwrt:/# nvram get rc_firewall
/bin/sh /opt/bin/myWall.sh
/bin/sh /opt/ddwrt-bwmon/firewall.sh
root@ddwrt:/tmp/var/log#
So, do scripts work in there? Would I do better to flip this to a startup script? _________________ Linksys WRT1900ACSv2 (v3.0-r47510) | Netgear WNDR3700v4 (DD-WRT v3.0-r34777) | Linksys WRT54Gv1 (DD-WRT v24 SP1)
@davidmoore in ddwrt>Administration>Commands scroll down until you see field USB Script.
Place your commands there (don't change anything, leave them as they are).
Remove them from the Firewall field though.
Save and reboot. If still no joy, that means that there is something wrong with your scripts that will need your attention. _________________ Router: ASUS AC1900(RT-AC68U)
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Sat Oct 16, 2021 4:33 Post subject:
You're going to have to actually copy and paste the actual script(s), if I am not mistaken. USB script is the same as the startup, shutdown, and firewall scripts. You have to input the actual script. USB might be one that runs on mount; I would have to verify that to be 100% sure, but AFAIK, you can't run a shell file from the scripts. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
It looks like you have actually saved it to Administration/Commands Save as Firewall.
But the script is not executed because the drive is not ready yet so you can do one of three things:
1. Add: sleep 20
2. Use a script to wait for the drive to be ready, there are several circulating on the forum.
3. Use the built-in script to wait, the script is /usr/bin/is-mounted.sh:
# wait until directory is mounted and writable
# usage: is-mounted.sh /name-of directory
# default is /jffs
So in your case in the Administration/Command Save as Firewall start with:
Code:
# wait for usb to come on line
is-mounted.sh /opt
# now start the script
/opt/myscript.sh
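A bounded version of the wait-then-run approach from the reply above, as an added example that is not part of the thread and is not DD-WRT's own is-mounted.sh. It gives up after a timeout and logs the failure, so a missing drive does not stall the firewall build or leave the custom rules silently unapplied. The names `is_mountpoint`, `wait_for_mount`, `run_when_mounted`, `MOUNTS_FILE` and the 60-second timeout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not DD-WRT's is-mounted.sh.
# MOUNTS_FILE is overridable only so the functions can be exercised off-router.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Log to syslog when logger is available, otherwise to stderr.
log() { logger -t fw-wait "$1" 2>/dev/null || echo "fw-wait: $1" >&2; }

# is_mountpoint DIR: succeed only if DIR appears as a mount point (field 2).
is_mountpoint() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "$MOUNTS_FILE" 2>/dev/null
}

# wait_for_mount DIR [SECONDS]: poll once per second, fail when time runs out.
wait_for_mount() {
    dir=$1
    left=${2:-30}
    while ! is_mountpoint "$dir"; do
        [ "$left" -gt 0 ] || return 1
        left=$((left - 1))
        sleep 1
    done
    return 0
}

# run_when_mounted DIR SCRIPT [SECONDS]
# Returns 2 on timeout, 3 if SCRIPT is unreadable, else SCRIPT's exit status.
run_when_mounted() {
    if ! wait_for_mount "$1" "${3:-30}"; then
        log "timed out waiting for $1; $2 was NOT applied"
        return 2
    fi
    if [ ! -r "$2" ]; then
        log "$1 is mounted but $2 is missing or unreadable"
        return 3
    fi
    /bin/sh "$2"
}

# Stand-alone use: sh this-file /opt /opt/bin/myWall.sh 60
# (the path is the one from the first post; 60 is an assumed timeout).
if [ "$#" -ge 2 ]; then
    run_when_mounted "$@"
fi
```

When pasted into the Firewall field instead of being saved as a file, end with an explicit call such as `run_when_mounted /opt /opt/bin/myWall.sh 60`.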
Joined: 08 May 2018 Posts: 14125 Location: Texas, USA
Posted: Sat Oct 16, 2021 11:15 Post subject:
Save USB should account for that, but I was not aware that you could execute shell script (*.sh) files from any of those, or had forgotten you could since I normally only call those from cron. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Joined: 04 Aug 2018 Posts: 1446 Location: Appalachian mountains, USA
Posted: Sat Oct 16, 2021 14:25 Post subject:
I see this hinted at here, but to be absolutely clear, yes, the shell code, whatever it is, in the Firewall window in the GUI is executed whenever the firewall is built. If you have it invoke a script, a script will be run. Even for firewall setup, it can be convenient to use more than just iptables commands. It's equivalent, for example, to have
for if in br0 wlan0 wlan1.1; do
iptables blah -i $if blah
done
in that GUI window. The difference between Startup and Firewall is that Startup is ordinarily run once only, at boot, but Firewall is run by various Apply steps and can even be run multiple times in the boot process, depending on your configuration. It's run anytime the firewall needs to be cleaned out and rebuilt. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
egc wrote:
It looks like you have actually saved it to Administration/Commands Save as Firewall.
But the script is not executed because the drive is not ready yet so you can do one of three things:
1. Add: sleep 20
This did it! ⤴
egc wrote:
2. Use a script to wait for the drive to be ready, there are several circulating on the forum.
3. Use the built-in script to wait, the script is /usr/bin/is-mounted.sh:
# wait until directory is mounted and writable
# usage: is-mounted.sh /name-of directory
# default is /jffs
This did it even better!⤴
egc wrote:
So in your case in the Administration/Command Save as Firewall start with:
Code:
# wait for usb to come on line
is-mounted.sh /opt
# now start the script
/opt/myscript.sh
Awesome. Thanks so much for your insight! I was scratching my head over this one for a bit. https://github.com/vortex-5/ddwrt-bwmon added a .sh file in the firewall script (without waiting for /opt to be mounted and overwriting my firewall script in the process) so I realized that if modifications I make run the risk of messing up my nvram savings, I better just keep them centralized for easy restoration.