Firewall wide open?

Discussion in 'Tomato Firmware' started by ripat, May 30, 2007.

  1. ripat

    ripat LI Guru Member

    Hi all,

    As a new user of Tomato 1.07, I read the Tomato FAQ, which says:
    but when I do an iptables -L, the default INPUT chain shows:
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       0    --  anywhere             anywhere            state INVALID
    ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     0    --  anywhere             anywhere
    ACCEPT     0    --  anywhere             anywhere
    The two last lines look quite open to me.

    If I add an iptables script with a more restrictive rule, that rule will be placed at the end of the INPUT chain with, of course, no effect, as the ACCEPT ... anywhere ... anywhere rule will let the IP packet go through and it won't go any further.

    I noticed it looking at the firewall log of a server placed behind the WRT54GL, which started logging inbound IP packets that were normally blocked by my previous router (D-Link 624).

    Where is the master default iptable file?
     
  2. ripat

    ripat LI Guru Member

    Ok, figured out how to change the default netfilter rules by deleting the default INPUT chain rules.
    Code:
    iptables -D INPUT -i lo -j ACCEPT
    iptables -D INPUT -i br0 -j ACCEPT
    
    I will then add my rules for that chain in the iptables script. But I am still wondering how the filter tables are loaded at boot up. From what file?

    Thanks for any possible input.
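The listing in post 1 hides the detail that matters: plain `iptables -L` omits the in/out interface columns, so the two ACCEPT lines that look like "anywhere -> anywhere" are in fact the `-i lo` and `-i br0` (LAN bridge) rules that post 2 deletes; `iptables -L -v -n` shows them. Added example, not from the thread: a small Python audit over a constructed `iptables -L INPUT -v -n` listing that separates interface-bound ACCEPTs from a genuinely unrestricted one (the last rule in the sample is constructed to show the contrast and is not claimed to exist on Tomato).

```python
import re

# Constructed sample of `iptables -L INPUT -v -n` output (not taken from
# the thread). The -v flag adds the in/out interface columns that the
# plain `iptables -L` listing omits; the final ACCEPT is an invented
# "wide open" rule used only to show what an unrestricted rule looks like.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  512 40960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  300 21000 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    3   180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# One rule line of verbose output: counters, target, proto, opt, in, out,
# source, destination, then any trailing match text (state, ports, ...).
RULE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<iface_in>\S+)\s+(?P<iface_out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s*(?P<extra>.*)$"
)


def parse_rules(listing):
    """Parse rule lines; header and 'Chain ...' lines do not match and are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def wide_open_accepts(listing):
    """ACCEPT rules with no interface, source or extra match restriction.

    An ACCEPT bound to lo or br0 only admits traffic that is already on the
    loopback or LAN side, so it is not counted as open to the WAN.
    """
    open_rules = []
    for r in parse_rules(listing):
        if r["target"] != "ACCEPT":
            continue
        unrestricted = (r["iface_in"] == "*" and r["src"] == "0.0.0.0/0"
                        and r["extra"].strip() == "")
        if unrestricted:
            open_rules.append(r)
    return open_rules
```

Running the audit on a real router means feeding it the output of `iptables -L INPUT -v -n`; an empty result from `wide_open_accepts` means every ACCEPT in INPUT is tied to an interface, a source or a match such as connection state.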
     
  3. ntest7

    ntest7 Network Guru Member

    I add my custom rules to either the wanin or wanout chains as appropriate, using the administration/scripts/firewall page of the GUI.

    Default rules are created by a combination of hardcoded stuff in the firmware and nvram variables. There isn't a default file as you might find on a standalone Linux system.
     