WikiDevi.Wi-Cat.RU:DD-WRT/FirewallExample

Please edit the following rules in your local editor, then cut and paste them into DD-WRT under the Administration tab -> Commands -> Command Shell box. Click Save Firewall when you are done.

#--- IPTABLES START ---

# DEFINES:
LAN_IP=$(nvram get lan_ipaddr)
WAN_IP=$(nvram get wan_ipaddr)

# Create ALL_ACCEPT chain (user-defined chains take no policy; a packet that
# matches no rule in the chain returns to the calling chain):
iptables -N ALL_ACCEPT
# Insert ALL_ACCEPT chain on top of INPUT rules:
iptables -I INPUT -j ALL_ACCEPT

# Create NAT chain:
iptables -N NAT
# Insert NAT chain on top of INPUT and FORWARD rules:
iptables -I INPUT -j NAT
iptables -I FORWARD -j NAT

# private subnets (anything FROM these subnets)
iptables -A ALL_ACCEPT -s 192.168.0.0/16 -j ACCEPT

# Allowing any remote IP subnets to access DD-WRT (replace xxx.xxx.xxx.xxx with
# the address or CIDR range you want to allow):
iptables -A ALL_ACCEPT -s xxx.xxx.xxx.xxx -j ACCEPT

# WebAdmin (please disable the DD-WRT Remote Access feature from the web interface
# if you are only allowing the above IP's)
iptables -t nat -I PREROUTING -p tcp -d $WAN_IP --dport 8080 -j DNAT --to-destination $LAN_IP:443

# WebAdmin (Allow from all IP's); the ACCEPT must match the post-DNAT destination $LAN_IP:443
# iptables -t nat -I PREROUTING -p tcp -d $WAN_IP --dport 8080 -j DNAT --to-destination $LAN_IP:443
# iptables -I NAT -p tcp -d $LAN_IP --dport 443 -j ACCEPT

# SSH
# iptables -t nat -I PREROUTING -p tcp -m tcp -d $WAN_IP --dport 2122 -j DNAT --to-destination 192.168.1.21:22

# SSH (Allow from all IP's)
# iptables -t nat -I PREROUTING -p tcp -m tcp -d $WAN_IP --dport 2122 -j DNAT --to-destination 192.168.1.21:22
# iptables -I NAT -p tcp -d 192.168.1.21 --dport 22 -j ACCEPT

# SERVER ssh for servers inside DD-WRT network (you can migrate your rules from
# the DD-WRT Port Forwarding rules here if you are only allowing access from above IP's)
iptables -t nat -I PREROUTING -p tcp -d $WAN_IP --dport 22 -j DNAT --to-destination 10.1.1.30:22
iptables -I NAT -p tcp -d 10.1.1.30 --dport 22 -j ACCEPT

#--- IPTABLES END ---
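As an added example (not code from the wiki page), here is a small POSIX sh helper that emits the DNAT plus NAT-chain ACCEPT pair the script above uses for every forwarded service, optionally limited to one source network instead of "all IP's", and that checks its arguments before anything is pasted into the router's root shell. The function names (`forward`, `valid_ipv4`, `valid_port`), the `IPT` dry-run switch and the addresses 203.0.113.5 and 198.51.100.0/24 are assumptions and constructed values, not part of the original.

```shell
#!/bin/sh
# Added example, not part of the wiki page: builds the DNAT + NAT-chain
# ACCEPT pair for one forwarded TCP service. Dry-run by default (rules are
# printed for review); set IPT=iptables on the router to apply them.
set -f                                     # no glob expansion of rule args
IPT=${IPT:-"echo iptables"}
# 203.0.113.5 is a constructed placeholder used when nvram is unavailable.
WAN_IP=${WAN_IP:-$(nvram get wan_ipaddr 2>/dev/null || echo 203.0.113.5)}

# valid_ipv4 A.B.C.D: succeeds only for exactly four octets in 0..255
valid_ipv4() (
    case $1 in ''|.*|*.|*..*) return 1;; esac
    IFS=.; set -- $1                       # subshell body: IFS change is local
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
)

# valid_port N: succeeds for 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward WAN_PORT DST_IP DST_PORT [SRC_IP[/PREFIX]]   (prefix 1..32)
# DNAT only rewrites the destination; the rewritten packet still has to be
# accepted on the INPUT/FORWARD path, which is what the rule in chain NAT does.
forward() {
    wport=$1 dst=$2 dport=$3 src=$4 srcm=
    valid_port "$wport" && valid_port "$dport" && valid_ipv4 "$dst" ||
        { echo "forward: bad port or address in: $*" >&2; return 1; }
    if [ -n "$src" ]; then
        prefix=${src#*/}; [ "$prefix" = "$src" ] && prefix=32
        valid_ipv4 "${src%/*}" && valid_port "$prefix" && [ "$prefix" -le 32 ] ||
            { echo "forward: bad source network: $src" >&2; return 1; }
        srcm="-s $src "
    fi
    $IPT -t nat -I PREROUTING -p tcp ${srcm}-d "$WAN_IP" --dport "$wport" \
        -j DNAT --to-destination "$dst:$dport" &&
    $IPT -I NAT -p tcp ${srcm}-d "$dst" --dport "$dport" -j ACCEPT
}
```

Run `forward 2122 192.168.1.21 22 198.51.100.0/24` to see the two rules for the SSH case above, restricted to one remote network; the same pair without the fourth argument is the "allow from all IP's" variant.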