[SOLVED] Enable / disable Firewall rule automatically

DD-WRT Forum Index -> Advanced Networking
cyberdev
DD-WRT User


Joined: 14 Sep 2008
Posts: 76

PostPosted: Wed Nov 24, 2021 11:33    Post subject: [SOLVED] Enable / disable Firewall rule automatically
Hi all,
I'm looking for a solution to enable or disable a firewall rule automatically.
I have created a rule in the GUI:
Forward src port 443 to dst port 443 to a specific IP in my network. The rule is disabled.

If I start a script on my Raspberry, the script should open / enable the port 443 port-forwarding rule, then do some magic stuff, and then close / disable the rule again.

This could be done by SSH or SNMP (I think SNMP is not possible, I didn't find anything like that).


I'm not the king of iptables -j NAT SRC DST bla and so on ... (I hate that), but if someone has a line with an iptables rule which I can send over SSH to do that, that would also be helpful maybe.

_________________
Netgear R7000
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12885
Location: Netherlands

PostPosted: Wed Nov 24, 2021 12:00
To get optimal support always state router model and build number.

I will transfer this thread to the Advanced Networking forum as it can be of interest to us all :)

Remotely executing scripts has been discussed earlier; have a look at:
https://www.cyberciti.biz/faq/unix-linux-execute-command-using-ssh/

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330779

https://wiki.dd-wrt.com/wiki/index.php/Telnet/SSH_and_the_Command_Line

Port forwarding consists of a FORWARD rule and a DNAT rule:
https://wiki.dd-wrt.com/wiki/index.php/Port_Forwarding
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

e.g.:
Code:
iptables -t nat -I PREROUTING -p tcp --dport <EXTERNAL_PORT> -j DNAT --to <INTERNAL_IP>:<INTERNAL_PORT>
iptables -I FORWARD -p tcp -d <INTERNAL_IP> --dport <INTERNAL_PORT> -j ACCEPT [-s <EXTERNAL_IP>]

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
cyberdev

PostPosted: Wed Nov 24, 2021 12:52
Oh, sorry, it's an R7000 with r47608.
I know how I can create and execute scripts and everything; only iptables I'm not experienced with,
so I would need a sample for:


Enable port forwarding
iptables -j xyz src_prt 443 dst_prt 443 dst_ip 192.168.1.222


Disable port forwarding
iptables -j xyz src_prt 443 dst_prt 443 dst_ip 192.168.1.222


OR set the pre-created GUI rule to 1 or 0 (like ticking the box in the GUI).

egc

PostPosted: Wed Nov 24, 2021 13:17
How to make the port-forwarding rules is outlined in my earlier post :)

Place it in a script and then execute that script.

Enabling/disabling it in the GUI is in theory an option, but the port-forwarding rules are in one long string in nvram. In theory you can sed on/off in it, save, and then restart the firewall, but just putting the rules in a script and executing it seems easier, and you do not need to restart the whole firewall :)

Of course you need two scripts: one to -I insert the rules and the other script to -D delete the rules.

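The two posts above (the DNAT + FORWARD pair, and the separate -I and -D scripts) put together as one toggle script. This is an added example, not code from the thread or from DD-WRT. It assumes a hypothetical path /jffs/pf.sh on the router, the LAN host and port from the thread (192.168.1.222:443), and that the Raspberry Pi calls it over SSH; the WAN-address lookup is the `nvram get wan_ipaddr` that cyberdev's final rule uses. It goes beyond the thread in two ways: it checks with `iptables -C` before inserting, so running "open" twice does not stack duplicate rules, and it loops on -D so "close" removes every copy that is there. The IPTABLES and WAN_IP environment overrides exist only so the script can be dry-run off the router.

```shell
#!/bin/sh
# Added example (not from the thread): toggle a temporary port forward on a
# DD-WRT router the way egc's posts describe it:
#   open   = -I the DNAT (nat/PREROUTING) and ACCEPT (filter/FORWARD) rules
#   close  = -D the same two rules
#   status = report whether both rules are present
# Assumed (hypothetical) setup: saved on the router as /jffs/pf.sh and run
# from the Pi with:  ssh root@router /jffs/pf.sh open|close|status
# Written for busybox sh; everything below is plain POSIX shell.

EXT_PORT="${EXT_PORT:-443}"          # port the outside world connects to
INT_IP="${INT_IP:-192.168.1.222}"    # LAN host from the thread
INT_PORT="${INT_PORT:-443}"
SRC_IP="${SRC_IP:-}"                 # optional: only allow this remote address
IPT="${IPTABLES:-iptables}"          # override with a stub for dry runs/tests

# WAN address, so only traffic addressed to the router's public IP is DNATed
# (WAN_IP env var wins; otherwise nvram, as in cyberdev's final rule).
wan_ip() {
    if [ -n "$WAN_IP" ]; then
        printf '%s\n' "$WAN_IP"
    elif command -v nvram >/dev/null 2>&1; then
        nvram get wan_ipaddr
    fi
}

# Rule bodies (everything after "-t TABLE -I/-D CHAIN") as one line each.
# The same text is used for -I, -C and -D, so the delete always matches.
nat_rule() {
    ip=$(wan_ip)
    printf '%s\n' "-p tcp${ip:+ -d $ip} --dport $EXT_PORT -j DNAT --to-destination $INT_IP:$INT_PORT"
}
fwd_rule() {
    printf '%s\n' "-p tcp${SRC_IP:+ -s $SRC_IP} -d $INT_IP --dport $INT_PORT -j ACCEPT"
}

# ensure_rule TABLE CHAIN RULE...: insert only if absent (-C = check), so
# running "open" twice does not stack duplicate rules.
ensure_rule() {
    t=$1; c=$2; shift 2
    $IPT -t "$t" -C "$c" "$@" 2>/dev/null || $IPT -t "$t" -I "$c" "$@"
}

# purge_rule TABLE CHAIN RULE...: -D removes one copy per call, so loop
# until -C says nothing is left.
purge_rule() {
    t=$1; c=$2; shift 2
    while $IPT -t "$t" -C "$c" "$@" 2>/dev/null; do
        $IPT -t "$t" -D "$c" "$@"
    done
}

# Word splitting of $(nat_rule) / $(fwd_rule) is intentional: no single
# argument in the rule text contains a space.
pf_open() {
    ensure_rule nat PREROUTING $(nat_rule)
    ensure_rule filter FORWARD $(fwd_rule)
}

pf_close() {
    purge_rule filter FORWARD $(fwd_rule)
    purge_rule nat PREROUTING $(nat_rule)
}

# Prints "open" only when both rules are present, otherwise "closed".
pf_status() {
    if $IPT -t nat -C PREROUTING $(nat_rule) 2>/dev/null &&
       $IPT -t filter -C FORWARD $(fwd_rule) 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

case "${1:-}" in
    open)   pf_open ;;
    close)  pf_close ;;
    status) pf_status ;;
    "")     ;;    # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 open|close|status" >&2; exit 2 ;;
esac
```

Three things to keep in mind when using it. While the forward is open it accepts connections from any address unless SRC_IP is set, so the "magic stuff" on the Pi should call `close` from a trap (`trap 'ssh root@router /jffs/pf.sh close' EXIT`) so a crash does not leave the port open. Because the rule text is regenerated at close time, a WAN address change between open and close leaves the old DNAT rule in place until the firewall is restarted; `iptables -t nat -S PREROUTING` shows what is actually loaded. And `-I` puts the rules at the top of their chains, ahead of anything DD-WRT itself generated, which is what makes the forward take effect without a firewall restart.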
cyberdev
PostPosted: Wed Nov 24, 2021 14:25
Thanks again.
Ah, that was one thing that was not clear -> -D to delete the rule at the end of the script.


So to open the port it would be:
iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.1.222:443
iptables -I FORWARD -p tcp -d 192.168.1.222 --dport 443 -j ACCEPT    (needed? [-s <EXTERNAL_IP>])


And to close it later:
iptables -t nat -D PREROUTING -p tcp --dport <EXTERNAL_PORT> -j DNAT --to <INTERNAL_IP>:<INTERNAL_PORT>
iptables -D FORWARD -p tcp -d <INTERNAL_IP> --dport <INTERNAL_PORT> -j ACCEPT


Correct?
Do I need "[-s <EXTERNAL_IP>]"?

egc

PostPosted: Wed Nov 24, 2021 14:36
No, you do not need the [-s <EXTERNAL_IP>]; it is for when you only allow access from a known source.

Otherwise it looks fine at first glance :)

cyberdev
PostPosted: Wed Nov 24, 2021 17:48
Okay, it works now, after a little bit of fine tuning:

iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 123 -j DNAT --to 192.168.1.222:123
iptables -I FORWARD -p tcp -d 192.168.1.222 --dport 123 -j ACCEPT
