My pppoa setup does NOT have the NAT option set, because my LAN subnet is internet-addressable. My own internet-facing servers are individually firewalled, so the router firewall is turned off to permit internet access to them.
This firmware has the "Access Control" feature, so I have enabled it. All WAN access is turned off, while LAN Group 1 only has web and ssh services checked. I have NOT defined an IP access list.
I can see that the iptables queues for INPUT and FORWARD both have the ACCEPT policies, confirming that the firewall is not active.
When I try to ping the router's LAN interface from somewhere else on the internet, it works (as I expect).
When I telnet to the RouterTech LAN address on port 80 from somewhere else on the internet, I get a connection from the web server. This is NOT what I want to happen - I don't want anyone out there hacking my router's configuration. However, this behaviour sort of makes sense because my configuration permits internet access to my LAN subnet and the web server is permitted to listen on that interface.
I have played around with the access control setup, and also with the ip filters, but they don't seem to be appropriate to my requirements.
I have coded three simple firewall rules and put them in the environment so they are executed each time the router boots:
setenv RT_cmd_1 "iptables -A INPUT -s xxx.xxx.xxx.xxx/255.255.255.yyy -j ACCEPT"
setenv RT_cmd_2 "iptables -A INPUT -s 0/0 -p icmp -j ACCEPT"
setenv RT_cmd_3 "iptables -P INPUT DROP"
I looked at the setenv autoexecX.sh mechanism, but couldn't see how to write my own fancy shell script and then store it to flash memory - unless I built my own firmware image.
Do you think my current solution is the best way to achieve my objectives? How many RT_cmd_x environment variables can I assign before I run out? Should I be stacking several iptables commands into one RT_cmd variable? What is the max size of one of these variables?
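As an added example (editor's code, not the poster's and not part of the RouterTech firmware), the script below generates a stateful variant of the three-rule set above and checks its ordering before anything is applied. It assumes the router's iptables build has the `state` match (older embedded kernels may lack the `ipt_state` module; `-m conntrack --ctstate` is the modern spelling); the management subnet 203.0.113.0/24 is a constructed placeholder, and whether an RT_cmd variable accepts several commands joined by `;` is not known, so each rule is emitted as one line. The two additions over the original are the ESTABLISHED,RELATED rule, without which a DROP policy on INPUT also discards replies to the router's own outbound traffic (DNS, NTP), and limiting the trusted subnet to ports 80 and 22 rather than accepting everything from it.

```shell
#!/bin/sh
# Added example: emit a stateful INPUT rule set for the router, one command
# per line, without applying it. The subnet 203.0.113.0/24 is a constructed
# placeholder (TEST-NET-3); substitute the real management subnet.

print_rules() {
    net="$1"
    # Order matters: ACCEPT rules are appended while the policy is still
    # ACCEPT and the DROP policy is set last, so a failure part-way through
    # the list at boot time cannot lock out management access.
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s $net -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s $net -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Sanity check on a rule list read from stdin: the default-DROP policy must
# be the last line, so no ACCEPT rule is silently added after lockdown.
# Returns 0 when the ordering is correct, 1 otherwise.
drop_is_last() {
    last=""
    while IFS= read -r line; do
        last="$line"
    done
    [ "$last" = "iptables -P INPUT DROP" ]
}

# Count the iptables commands on stdin, i.e. how many RT_cmd_N slots the
# list would need if each command occupied one variable.
count_rules() {
    grep -c '^iptables '
}

# Usage: TRUSTED_NET=198.51.100.0/24 sh rules.sh --show
if [ "${1:-}" = "--show" ]; then
    print_rules "${TRUSTED_NET:-203.0.113.0/24}" | drop_is_last || exit 1
    print_rules "${TRUSTED_NET:-203.0.113.0/24}"
fi
```

Running it with `--show` prints the six commands in the order they should be assigned to RT_cmd_1 through RT_cmd_6; piping the output through `drop_is_last` before committing it to the environment catches the case where a rule is accidentally appended after the policy line.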