Hi, I'm trying to implement this in Backfire 10.03.1 (rc3); my firewall.user file is as follows:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
LAN=$(uci get network.lan.ipaddr)
# Match "inet addr" rather than "inet" so the "inet6 addr:" line is not picked up.
WAN=$(ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | awk -F 'addr:' '{print $2}')
iptables -t nat -A PREROUTING -d "$WAN" -j zone_wan_prerouting
I've set this up to get the LAN and WAN addresses automatically, so anytime the firewall rules get reloaded, it will always use the current addresses. But this command isn't giving the desired effect.
For example, let's say my WAN address is 10.0.0.1, and my router's LAN address is 192.168.1.1. Right now, my firewall does not allow any connection on port 22 to pass from the WAN side, but with this firewall rule, if I ssh to 10.0.0.1, I can connect to my router, instead of this being blocked.
Also, I have a web server on another machine; if I'm elsewhere on the net, I can browse to http://10.0.0.1 and pull up my web server correctly. If I use the same address from the LAN, I cannot access this server.
Doing a portscan of 10.0.0.1 from a machine on the LAN, I only see ports 22 & 53 being open, neither of these should be visible on the WAN side, and other ports that the firewall has open for the WAN side are not seen.
I'm guessing that the above command still has the packets as appearing to come from the LAN side and not the WAN, so the firewall rules aren't showing the correct ports? Further up this thread was a quote from mbm's posting showing three separate rules to do this, for each port needed. I'm guessing some additional logic is still needed here?
(Last edited by JimWright on 28 Sep 2010, 20:17)
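The per-port NAT reflection pattern the post refers to, as an added example for /etc/firewall.user rather than code from the thread or from mbm's posting: one DNAT plus one MASQUERADE rule for each forwarded port, so that LAN clients hitting the WAN address reach the internal server. Assumed names: br-lan as the LAN bridge, eth1 as the WAN interface, the prerouting_rule/postrouting_rule hook chains, and a constructed forward list.

```shell
#!/bin/sh
# Added example, not code from the thread: NAT reflection ("hairpin NAT")
# rules for /etc/firewall.user on Backfire. Assumed: br-lan (LAN bridge),
# eth1 (WAN), the prerouting_rule/postrouting_rule hook chains, and the
# constructed FORWARDS list below.

# Current WAN address from busybox ifconfig ("inet addr:X"). Matching on
# "inet addr" rather than "inet" keeps the "inet6 addr:" line out.
wan_ip() {
    ifconfig "${1:-eth1}" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Print the two rules for one forward.
# $1 WAN ip  $2 LAN network (CIDR)  $3 proto  $4 port  $5 internal host
reflect_rules() {
    wan=$1 lannet=$2 proto=$3 port=$4 dest=$5
    # DNAT: LAN packets addressed to WAN_IP:port are sent to the internal host.
    echo "iptables -t nat -A prerouting_rule -i br-lan -s $lannet -d $wan" \
         "-p $proto --dport $port -j DNAT --to-destination $dest:$port"
    # MASQUERADE: the server sees the router as the source, so its reply goes
    # back through the router and is un-NATed there instead of going straight
    # to the LAN client (which would drop it as an unknown connection).
    echo "iptables -t nat -A postrouting_rule -o br-lan -s $lannet -d $dest" \
         "-p $proto --dport $port -j MASQUERADE"
}

# Constructed forward list: "proto port internal_host", one per line.
FORWARDS="tcp 80 192.168.1.10
tcp 443 192.168.1.10"

# Emit the whole ruleset for a given WAN ip ($1) and LAN network ($2).
reflection_ruleset() {
    echo "$FORWARDS" | while read -r proto port dest; do
        [ -n "$proto" ] && reflect_rules "$1" "$2" "$proto" "$port" "$dest"
    done
}

# In /etc/firewall.user: reflection_ruleset "$(wan_ip eth1)" 192.168.1.0/24 | sh
```

Run with `| sh` removed first to review the generated rules; only the ports listed in FORWARDS are reflected, so router services such as ssh on port 22 are not touched by these rules.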