Posted: Tue Apr 20, 2021 4:07 Post subject: reload firewall?
I would like to add additional firewall rules that are stored in a script (startup.sh) on cifs automount network share. The script looks like
#!/usr/bin/env bash
IP_FILE="/tmp/mnt/smbshare/ipblock/mylist"
for ip in $(cat "$IP_FILE"); do
echo "iptables -I FORWARD 1 -d $ip -j DROP"
echo "iptables -I OUTPUT 1 -d $ip -j DROP"
done
the script seems to run fine but the rules do not take effect. I decided to try and add " >> /tmp/.rc_firewall" in the following way:
#!/usr/bin/env bash
IP_FILE="/tmp/mnt/smbshare/ipblock/mylist"
for ip in $(cat "$IP_FILE"); do
echo "iptables -I FORWARD 1 -d $ip -j DROP" >> /tmp/.rc_firewall
echo "iptables -I OUTPUT 1 -d $ip -j DROP" >> /tmp/.rc_firewall
done
After running I can "cat /tmp/.rc_firewall" and see the rules have been added to /tmp/.rc_firewall but it doesn't work. I think I need to reload the firewall to get the rules to take effect because iptables -nvL shows that they are not applied. I tried "service firewall stop && service firewall start" but this just clears the rules and uses whatever was saved in the gui. Even running iptables commands using "RUN COMMANDS" in the webgui has no effect. Of course "SAVE FIREWALL" works fine and I can see that the rules are updated using iptables -nvL.
Is it possible to add iptables rules to the firewall using a script? Thanks for any help!
Trying to add firewall rules based on the mounting of a USB drive is asking for trouble. The firewall script gets called independently of your USB drive being mounted.
If perhaps the list of IPs is so large it can't even be stored in nvram (i.e., the startup script itself), then why not just store the IPs and script in jffs and
It's not on a usb drive but on a mounted nas. I mainly wanted it for convenience, not because of size. I pipe out syslog to a raspberry pi that runs some scripts and generates a list of ips that are port scanning (websites like shodan etc.). I then would like to add those ips to a list that is updated when I reboot.
Quote:
call it from the firewall script? At least then you know the firewall rules will be available, and whenever the firewall is prepared to accept them.
This seems to work okay but I'm just worried that it will try to raise the firewall before the nas is mounted. I guess I can just use a sleep command though. Thanks!
Joined: 18 Mar 2014 Posts: 12877 Location: Netherlands
Posted: Tue Apr 20, 2021 6:21 Post subject:
There could be reasons the firewall restarts, so you do not have to put all the rules in the firewall startup script, but at least a reference to a script which adds these rules.
With the is-mounted.sh (/usr/bin/is-mounted.sh) utility you can wait for a NAS or USB drive to become online.
Code:
# wait until directory is mounted and writable
# usage: is-mounted.sh /name-of directory
# default is /jffs
That would be great but it doesn't seem to be working. Is the usage correct? I tried "is-mounted.sh /mnt/smbshare/firewall.sh" and "/usr/bin/is-mounted.sh /mnt/smbshare/firewall.sh" in the firewall script. Maybe my build is too old, I'm still on 44048.
Posted: Tue Apr 20, 2021 9:04 Post subject:
There are scripts flying around to do that; you can add the following to the firewall script, adapting the path if necessary.
This script looks for a file /jffs/usb-is-mounted.
(If it cannot find it, it writes it after 40 seconds, so the first time it always takes 40 seconds.)
(i=0
until [[ -f /jffs/usb-is-mounted ]]; do
sleep 1
i=$((i+1))
if [[ $i -gt 40 ]]; then
logger "No USB mounted"
touch "/jffs/usb-is-mounted"
exit
fi
done
logger "USB $i seconds before mounted")
But there are others also doing more or less the same
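Putting the two halves of this thread together (wait for the share, then insert the rules from the firewall script), as an added example that is not code from the thread or from DD-WRT: it keeps the original poster's paths, assumes it is saved as /jffs/ipblock.sh (a hypothetical name) and called as `sh /jffs/ipblock.sh run` from the firewall script, validates each list entry before it reaches iptables, and uses `iptables -C` so a firewall restart does not stack duplicate rules.

```shell
#!/bin/sh
# Added example, not the thread's code: called from the DD-WRT firewall script as
# "sh /jffs/ipblock.sh run", it waits for the cifs share, then loads the block list.
# Paths are the poster's; IPT=echo gives a dry run.
IP_FILE="${IP_FILE:-/tmp/mnt/smbshare/ipblock/mylist}"
IPT="${IPT:-iptables}"
log() { logger -t ipblock "$*" 2>/dev/null || echo "ipblock: $*" >&2; }

# Wait up to $2 seconds for $1 to exist (the list only appears once the share is mounted).
wait_for_path() {
  p=$1 limit=${2:-40} i=0
  until [ -e "$p" ]; do
    i=$((i+1))
    [ "$i" -le "$limit" ] || { log "$p not available after ${limit}s"; return 1; }
    sleep 1
  done
  log "$p available after ${i}s"
}

# 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix, else 1.
valid_ip() {
  addr=${1%/*} pfx=${1#*/}
  [ "$pfx" != "$1" ] || pfx=32          # no slash: plain host address
  case $pfx in ''|*[!0-9]*) return 1;; esac
  [ "$pfx" -le 32 ] || return 1
  case $addr in ''|.*|*.|*..*|*[!0-9.]*) return 1;; esac
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

# Insert a DROP in FORWARD and OUTPUT for every valid entry of $1 (blank lines and # comments
# ignored), checking with -C first so a firewall restart does not stack duplicates. Prints the count.
apply_blocklist() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
    [ -n "$entry" ] || continue
    if ! valid_ip "$entry"; then log "skipping malformed entry: $entry"; continue; fi
    for chain in FORWARD OUTPUT; do
      $IPT -C "$chain" -d "$entry" -j DROP 2>/dev/null || $IPT -I "$chain" 1 -d "$entry" -j DROP
    done
    n=$((n+1))
  done < "$1"
  echo "$n"
}

[ "${1:-}" = run ] && wait_for_path "$IP_FILE" 40 && apply_blocklist "$IP_FILE" >/dev/null
```

Because the firewall script on DD-WRT runs before the share is up, the wait is what makes the list readable at all; the validation keeps a mangled line on the NAS from turning into a broken or unintended rule.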
Great, thanks. Actually, I think this IPSET thing you have in your sig might be a better choice, but again I think my build is too old. I have a wrt1900ac and the new builds have wifi issues; hopefully these will be resolved soon and I can try the more advanced features.
The firewall script will run regardless of whether or not your USB drive is installed. Save the IPs and script to jffs and use it from the firewall script.