FirewallExample

From DD-WRT Wiki


Edit the following rules in your local editor, then cut and paste them into DD-WRT under the Administration tab -> Commands -> Command Shell box. Click Save Firewall when you are done.

# ----------------------
#--- IPTABLES START ---
# ----------------------

#
# DEFINES:
LAN_IP=$(nvram get lan_ipaddr)
WAN_IP=$(nvram get wan_ipaddr)

# ---

# Create ALL_ACCEPT chain (a user-defined chain takes no policy: iptables -P
# only works on built-in chains, and a packet that matches nothing in this
# chain simply returns to INPUT):
iptables -N ALL_ACCEPT
# Insert ALL_ACCEPT chain on top of INPUT rules:
iptables -I INPUT -j ALL_ACCEPT

# Create NAT chain (again, no -P on a user-defined chain):
iptables -N NAT
# Insert NAT chain on top of INPUT and FORWARD rules:
iptables -I INPUT -j NAT
iptables -I FORWARD -j NAT

# ---

# private subnets (anything FROM these subnets)
iptables -A ALL_ACCEPT -s 192.168.0.0/16 -j ACCEPT

# Remote IPs or subnets allowed to reach DD-WRT (replace the placeholder with your address):
iptables -A ALL_ACCEPT -s xxx.xxx.xxx.xxx -j ACCEPT

# ---

# WebAdmin (disable the DD-WRT Remote Access feature in the web interface
# if you are only allowing the IPs listed above)
iptables -t nat -I PREROUTING -p tcp -d $WAN_IP --dport 8080 -j DNAT --to-destination $LAN_IP:443

# WebAdmin (allow from all IPs). Note that INPUT sees the packet after DNAT,
# so the ACCEPT must match the translated destination ($LAN_IP:443), not $WAN_IP.
#iptables -t nat -I PREROUTING -p tcp -d $WAN_IP --dport 8080 -j DNAT --to-destination $LAN_IP:443
#iptables -I NAT -p tcp -d $LAN_IP --dport 443 -j ACCEPT

# SSH
#iptables -t nat -I PREROUTING -p tcp -m tcp -d $WAN_IP --dport 2122 -j DNAT --to-destination 192.168.1.21:22

# SSH (allow from all IPs)
#iptables -t nat -I PREROUTING -p tcp -m tcp -d $WAN_IP --dport 2122 -j DNAT --to-destination 192.168.1.21:22
#iptables -I NAT -p tcp -d 192.168.1.21 --dport 22 -j ACCEPT

# ---

# SSH to a server inside the DD-WRT network (you can migrate your rules from the
# DD-WRT Port Forwarding page here if you are only allowing access from the IPs above)
iptables -t nat -I PREROUTING -p tcp -d $WAN_IP --dport 22 -j DNAT --to-destination 10.1.1.30:22
iptables -I NAT -p tcp -d 10.1.1.30 --dport 22 -j ACCEPT

# ---------------------
#--- IPTABLES END ---
# ---------------------
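The same chain layout, written as small shell functions so the allowed sources and port forwards live in one place and a forgotten placeholder address is rejected before it reaches iptables. This is an added example, not the wiki's script: the helper names (ipt, valid_ipv4, new_chain, hook_chain, allow_source, forward_tcp, build_firewall), the ADMIN_SOURCE and IPT_DRY_RUN variables, and the apply argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the DD-WRT wiki's script). IPT_DRY_RUN=1 prints the iptables
# commands instead of running them; LAN_IP/WAN_IP come from nvram unless preset.

ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Accept only dotted-quad IPv4 with an optional /prefix, so a forgotten
# placeholder such as xxx.xxx.xxx.xxx is rejected instead of producing a bad rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Create a user-defined chain, or flush it if the script has run before.
# Such chains take no policy: an unmatched packet returns to the calling chain.
new_chain() { ipt -N "$1" 2>/dev/null || ipt -F "$1"; }

# Hook chain $2 at the top of built-in chain $1, removing an older copy of the
# jump first so repeated runs do not stack duplicates.
hook_chain() { ipt -D "$1" -j "$2" 2>/dev/null; ipt -I "$1" -j "$2"; }

allow_source() {   # $1 = address or CIDR allowed to reach the router and forwards
    valid_ipv4 "$1" || { echo "allow_source: bad address '$1'" >&2; return 1; }
    ipt -A ALL_ACCEPT -s "$1" -j ACCEPT
}

# Forward WAN tcp/$1 to $2:$3. A 4th argument "open" adds the NAT-chain ACCEPT so
# any source may use it; without it only ALL_ACCEPT sources get past INPUT/FORWARD.
forward_tcp() {
    valid_ipv4 "$2" || { echo "forward_tcp: bad host '$2'" >&2; return 1; }
    ipt -t nat -I PREROUTING -p tcp -d "$WAN_IP" --dport "$1" -j DNAT --to-destination "$2:$3"
    [ "${4:-}" = "open" ] && ipt -I NAT -p tcp -d "$2" --dport "$3" -j ACCEPT
    return 0
}

build_firewall() {
    LAN_IP=${LAN_IP:-$(nvram get lan_ipaddr 2>/dev/null || true)}
    WAN_IP=${WAN_IP:-$(nvram get wan_ipaddr 2>/dev/null || true)}
    new_chain ALL_ACCEPT; hook_chain INPUT ALL_ACCEPT
    new_chain NAT;        hook_chain INPUT NAT; hook_chain FORWARD NAT
    allow_source 192.168.0.0/16       # private LAN side
    allow_source "$ADMIN_SOURCE"      # your remote management address (set it!)
    forward_tcp 8080 "$LAN_IP" 443    # WebAdmin, trusted sources only
    forward_tcp 22 10.1.1.30 22 open  # internal SSH server, reachable from anywhere
}

# Run as "sh firewall.sh apply" on the router (or append a bare build_firewall call
# when pasting into the Save Firewall box); with no argument nothing is changed.
case "${1:-}" in apply) build_firewall ;; esac
```

Setting IPT_DRY_RUN=1 and calling build_firewall prints the full rule set, which is a convenient way to review what will be applied before saving it on the router.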