Schedule port forwarding rules

Hello everyone
I have set up two port forwarding rules for my Raspberry so that it can renew a Let's Encrypt certificate once a month. Now I want to make sure that the ports in question are not always active, but only when the Raspberry needs to renew the certificate. So far I have activated and deactivated the two rules manually, but if I wanted to automate this with crond, how should I do it?

dport 80 socket wildcard 1 accept.

I don't really understand how to do it exactly, I've never used crond

In /etc/config/firewall I have this:
config redirect
	option dest_port '80'
	option enabled '0'
	option src 'wan'
	option dest 'lan'
	option src_dport '80'
	option proto 'tcp udp'
	option name 'GL-Certbot'
	option dest_ip '192.168.1.5'
	option idx '4'

Let's say I want the port to open for 1 minute on the 26th of every month.
What should I put in the crontab?
dport 80 socket wildcard 4 accept? If so, how do I specify the day and time?

socket opens port when someone listens, no schedule needed.

1 Like

So I have to delete the rule created by LuCI and write in the crontab only 'dport 80 socket wildcard 1 accept',
right?

Please show

ubus call system board

I don't understand your topology. Since you mention raspberry ...


The raspberry is connected to one of the LAN ports of the gl.inet mt6000

I'd suggest a pre/post script for certbot to enable/disable the forward rule and reload the firewall using ssh+uci

1 Like

How do you do it? I'm pretty new to openwrt and there are still a lot of things I don't know.
What is the uci command to enable/disable a specific port forward rule?

You should put this:

0 8 26 * * /usr/sbin/nft insert rule inet fw4 dstnat_wan tcp dport 80 dnat ip to 192.168.1.5:80 >/dev/null 2>&1
1 8 26 * * /sbin/fw4 restart >/dev/null 2>&1

The rule will be active on the 26th of every month at 8:00 AM and disabled one minute later. Set the time according to your needs.

This confuses me. Could you explain what it is and where it came from?

1 Like

I suspect it's GL.iNet fw with foolcone firewall

1 Like

I was thinking of simplifying this by doing port triggering, is it possible to do this from here?


Or is it wrong?
I was actually thinking of setting a rule here, with the port I need on "accept" and setting a "Time Restrictions" to open the port only during that time.
Is this feasible?

Your rule is in port forwards tab

Ok I think I solved it like this:
After giving the command "uci show firewall"

# Enable/Disable Certbot HTTP port forward rule

0 15 25 * * /sbin/uci set firewall.@redirect[3].enabled='1'
1 15 25 * * /sbin/uci set firewall.@redirect[3].enabled='0'

# Enable/Disable Certbot HTTPS port forward rule

0 15 25 * * /sbin/uci set firewall.@redirect[4].enabled='1'
1 15 25 * * /sbin/uci set firewall.@redirect[4].enabled='0'

It seems to work.
I then modified the Raspberry crontab accordingly to run certbot renew at the same time the router activates forwarding.

2 Likes

You need only port 80 for certbot. TCP. It tries to fetch the challenge file to assert your control of the webserver at a particular DNS name.

I'm also using 443 because I remember that without it certbot gave an error and did not renew the certificate

You must reload the firewall service after enabling/disabling the rule(s).

1 Like

Is this okay?

0 15 25 * * /sbin/uci set firewall.@redirect[3].enabled='1'
0 15 25 * * /sbin/uci set firewall.@redirect[4].enabled='1'
0 15 25 * * /sbin/fw4 restart
1 15 25 * * /sbin/uci set firewall.@redirect[3].enabled='0'
1 15 25 * * /sbin/uci set firewall.@redirect[4].enabled='0'
1 15 25 * * /sbin/fw4 restart

In this case, you can reload rather than restart the service.

0 15 25 * * /sbin/uci set firewall.@redirect[3].enabled='1'; /sbin/uci set firewall.@redirect[4].enabled='1'; /sbin/fw4 reload
1 15 25 * * /sbin/uci set firewall.@redirect[3].enabled='0'; /sbin/uci set firewall.@redirect[4].enabled='0'; /sbin/fw4 reload
2 Likes
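Both the ssh+uci pre/post-hook suggestion earlier in the thread and the crontab lines above toggle the rule by its positional index, `firewall.@redirect[3]`, which silently points at a different forward as soon as a rule is added or removed in LuCI. The script below is an added example written for this thread (not code from the OpenWrt project, GL.iNet or any poster): it looks the redirect up by its `name` option (`GL-Certbot` from the config shown at the top), refuses to touch a section that is not a redirect, skips the reload when the rule is already in the requested state, commits the change so /etc/config/firewall on disk matches what fw4 loads, and reloads rather than restarts. The script name, the router address 192.168.1.1 and the root ssh login in the usage comment are assumptions.

```shell
#!/bin/sh
# certbot-fwhook.sh (hypothetical name; example written for this thread, not
# OpenWrt/GL.iNet code): enable or disable one named "config redirect" section
# in /etc/config/firewall and reload fw4.
#
# Intended use from the Raspberry Pi as certbot hooks, so the forward is open
# only for the duration of the renewal attempt (router address assumed):
#   certbot renew \
#     --pre-hook  "ssh root@192.168.1.1 sh /root/certbot-fwhook.sh GL-Certbot 1" \
#     --post-hook "ssh root@192.168.1.1 sh /root/certbot-fwhook.sh GL-Certbot 0"
# The same script can be called from the router's own crontab instead.

# Print the uci section id of the firewall redirect whose 'name' option equals
# $1 (for an anonymous section this looks like "@redirect[3]"); print nothing
# if none matches. Looking the rule up by name instead of hard-coding
# @redirect[N] keeps the hook pointing at the right rule after forwards are
# added or removed in LuCI, which renumbers the positional indexes.
find_redirect() {
    uci show firewall 2>/dev/null | awk -v want="$1" -v q="'" '
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            # uci quotes values: strip the surrounding single quotes
            if (substr(val, 1, 1) == q) val = substr(val, 2, length(val) - 2)
            n = split(key, k, ".")
            if (n == 3 && k[1] == "firewall" && k[3] == "name" && val == want) {
                print k[2]
                exit
            }
        }'
}

# set_forward NAME 0|1: set enabled=STATE on the redirect called NAME, commit,
# and reload the firewall. Returns 0 on success (or when already in that
# state), 1 if no such redirect exists, 2 on bad arguments.
set_forward() {
    name=$1
    state=$2
    case "$state" in
        0|1) ;;
        *) echo "usage: $0 <redirect-name> 0|1" >&2; return 2 ;;
    esac

    sec=$(find_redirect "$name")
    # A 'name' option also exists on zones and rules; only touch a redirect.
    if [ -z "$sec" ] || [ "$(uci -q get "firewall.$sec")" != "redirect" ]; then
        echo "no firewall redirect named '$name'" >&2
        return 1
    fi

    # Already in the requested state: skip the commit and the fw4 reload.
    if [ "$(uci -q get "firewall.$sec.enabled")" = "$state" ]; then
        return 0
    fi

    # Commit so the on-disk config matches what fw4 loads and the closed
    # state survives a reboot; reload rather than restart, as advised above.
    uci set "firewall.$sec.enabled=$state" &&
        uci commit firewall &&
        fw4 reload
}

# Run as a command: sh certbot-fwhook.sh GL-Certbot 1
if [ "$#" -eq 2 ]; then
    set_forward "$1" "$2"
    exit $?
fi
```

With hooks the forward is open only while certbot is actually talking to Let's Encrypt, instead of a fixed one-minute cron window that has to line up with the Pi's clock; certbot runs the post-hook after every renewal attempt, so the rule is closed again even when renewal fails. If the second (443) rule is kept, call the script once per rule name in each hook. The hook needs key-based ssh from the Pi to the router; that key is only able to flip this one rule if it is restricted to this command in authorized_keys.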
