OpenWRT notes: Difference between revisions

From ZS64
Revision as of 23:09, 18 December 2009

Atheros AR81-Based Products

Hardware Comparison

Vendor  | Product       | CPU                       | Flash | RAM   | USB ports | OpenWRT info | Comment
--------+---------------+---------------------------+-------+-------+-----------+--------------+-----------------------------------------------------
Linksys | WRT160NL      | MIPS24Kc AR9132r2 400 MHz | 8 MB  | 32 MB | 1         | Wiki, Forum  |
TP-Link | WR-841N(D) v5 | ?                         | 4 MB  | 32 MB | 0         |              | USB on board but unpopulated, missing DC/DC converter
TP-Link | WR-941N(D) v3 | MIPS24Kc AR9132r2 400 MHz | 4 MB  | 32 MB | 0         |              | USB on board but unpopulated, missing DC/DC converter

TP-Link devices

Updating firmware with mtd

# write the image to the partition named "firmware"; -r reboots the device once the write has succeeded
mtd -r write openwrt.bin firmware
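Added example (not from the ZS64 page and not part of OpenWRT's mtd tool): a small wrapper that refuses to run the command above unless the image's MD5 matches the digest published with the download and the image actually fits into the target partition. It assumes the partition is named "firmware" as on the TP-Link devices listed above, that /proc/mtd has its usual four-column layout, and that the caller supplies the expected digest; the /proc/mtd line quoted in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the ZS64 page or from OpenWRT itself: sanity checks
# before handing an image to "mtd -r write". Assumptions: the expected MD5 is
# supplied by the caller (taken from the download page), and the target
# partition is called "firmware" as on the TP-Link devices discussed above.

# Print the size in bytes of the named partition. Reads /proc/mtd-style text,
# whose lines look like (constructed sample):  mtd3: 003c0000 00010000 "firmware"
mtd_part_size() {
    name="$1"; mtdfile="${2:-/proc/mtd}"
    hex=$(awk -v n="\"$name\"" '$4 == n { print $2; exit }' "$mtdfile")
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# Succeed only if the image's MD5 matches the expected digest.
image_md5_ok() {
    image="$1"; expected="$2"
    actual=$(md5sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Succeed only if the image is no larger than the named partition.
image_fits() {
    image="$1"; part="$2"; mtdfile="${3:-/proc/mtd}"
    size=$(mtd_part_size "$part" "$mtdfile") || return 1
    [ "$(wc -c < "$image" | tr -d ' ')" -le "$size" ]
}

# Run both checks, then flash and reboot (-r). Any failure aborts before
# the partition is touched.
flash_firmware() {
    image="$1"; expected="$2"; part="${3:-firmware}"
    image_md5_ok "$image" "$expected" || { echo "checksum mismatch, not flashing" >&2; return 1; }
    image_fits "$image" "$part" || { echo "image larger than the $part partition" >&2; return 1; }
    mtd -r write "$image" "$part"
}
# usage: flash_firmware openwrt.bin <md5 from the download page>
```

The size check matters on the 4 MB TP-Link boards above: an image built for an 8 MB device is silently truncated by a plain write and leaves the router unbootable over anything but the serial console.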

IPTables Configuration

This section is specific to OpenWRT in that the Kamikaze standard chains are explained. There must be some document in one of the OpenWRT wikis, but I couldn't easily find it.

In addition, I need EBTables in the picture as well, so a few comments on where you'd add layer 2 rules will be included.

Call Graph and Custom Rules

The OpenWRT standard rule set defines a few default actions that you will probably want to keep: do not accept incoming connections on the WAN interface (except for DHCP/bootp replies), NAT all outgoing traffic, and allow pretty much anything on the LAN interface. If you want to add your own rules to drop or allow additional things, there are chains set aside specifically for that, so you never edit the generated zone chains themselves. To understand which chain to add a rule to, look at the call graphs in the tables below: the leftmost chain is the kernel's built-in one, and the rightmost is the custom chain meant for your rules. It is also helpful to look at one of the EBTables tutorials, for example ebtables/iptables interaction, which gives a good overview of the points at which a packet traverses the bridge and the IP layer.

mangle Table

OpenWRT does not add any chains to the mangle table. If you want to add custom rules, you can add them to any of the standard chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING).

filter Table

The filter table contains the rules that decide whether a packet is accepted, rejected or dropped. INPUT handles packets addressed to the router itself, FORWARD packets routed (or bridged, see below) through it, and OUTPUT packets it originates.

Call Graph                                              | Applies to packets
--------------------------------------------------------+-----------------------------------------------------------
INPUT → input_rule                                      | Addressed to this host.
INPUT → input → zone_lan → input_lan                    | Addressed to this host, received over the LAN interface.
INPUT → input → zone_wan → input_wan                    | Addressed to this host, received over the WAN interface.
FORWARD → forwarding_rule                               | Addressed to other hosts.
FORWARD → forward → zone_lan_forward → forwarding_lan   | Addressed to other hosts, received over the LAN interface.
FORWARD → forward → zone_wan_forward → forwarding_wan   | Addressed to other hosts, received over the WAN interface.
OUTPUT → output_rule                                    | Originating from this host.
  • The bridge calls the filter:FORWARD chain for packets traversing the bridge, provided bridge-netfilter is active (the kernel's bridge-nf code, controlled by the sysctl net.bridge.bridge-nf-call-iptables); without it, bridged frames are switched at layer 2 and never consult iptables, and ebtables is the only place to filter them. With it enabled, the default rules would block wired-to-wireless traffic, so if you want your wireless devices to be able to talk to the wired ones and vice versa, you need to add an ACCEPT rule to one of the custom forward chains. The command below uses forwarding_lan, the LAN zone's chain; forwarding_rule, which FORWARD calls for every packet, works as well:
# let frames that stay on the bridge pass FORWARD without further checks
iptables -A forwarding_lan -m physdev --physdev-is-bridged -j ACCEPT

nat Table

The nat table rewrites addresses and ports: in PREROUTING before the routing decision (DNAT, i.e. port forwards into the LAN) and in POSTROUTING after it (SNAT). Only the first packet of a connection consults this table; conntrack applies the same translation to the rest of the connection. Typically, the MASQUERADE action is used, which is SNAT to whatever address the outgoing interface currently has.

Call Graph                                              | Applies to packets
--------------------------------------------------------+-----------------------------------------------------
PREROUTING → zone_wan_prerouting → prerouting_wan       | Just received on the WAN interface.
PREROUTING → zone_lan_prerouting → prerouting_lan       | Just received on the LAN interface.
PREROUTING → prerouting_rule                            | Just received.
OUTPUT                                                  | Being transmitted.
POSTROUTING → postrouting_rule                          | About to be transmitted.
POSTROUTING → zone_wan_nat                              | About to be transmitted out the WAN interface.
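To show where rules for the filter and nat call graphs above actually go, here is an added example; it is not from the ZS64 page and not OpenWRT's own firewall script. It assumes the Kamikaze chain names from the two tables, a web server at the constructed address 192.168.1.10, and SSH on the router's port 22. Setting IPT=echo prints the rules instead of applying them, which is a cheap way to review the chain names before touching a live box.

```shell
#!/bin/sh
# Added example, not from the ZS64 page or from OpenWRT's own firewall scripts.
# Custom rules placed in the Kamikaze chains from the tables above. Assumptions:
# SSH on the router's port 22 reachable from the WAN, an internal web server at
# 192.168.1.10:8080 (constructed address), and the LAN interfaces on one bridge.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WEBSRV="${WEBSRV:-192.168.1.10}"   # assumed internal host

custom_rules() {
    # filter table: packets addressed to the router itself, arriving on WAN
    # (INPUT -> input -> zone_wan -> input_wan). The default WAN policy drops
    # everything else, so only the service listed here gets through.
    $IPT -A input_wan -p tcp --dport 22 -j ACCEPT

    # nat table: rewrite the destination of incoming WAN packets before the
    # routing decision (PREROUTING -> zone_wan_prerouting -> prerouting_wan).
    # Only the first packet of each connection is seen here.
    $IPT -t nat -A prerouting_wan -p tcp --dport 8080 \
        -j DNAT --to-destination "$WEBSRV:8080"

    # filter table: after DNAT the packet is routed to the LAN host, so it goes
    # through FORWARD, not INPUT, and still needs an ACCEPT in the WAN zone's
    # forward chain (FORWARD -> forward -> zone_wan_forward -> forwarding_wan).
    # Restricting it to the DNATed host and port keeps the hole as small as
    # the port forward itself.
    $IPT -A forwarding_wan -p tcp -d "$WEBSRV" --dport 8080 -j ACCEPT

    # filter table: bridged wired <-> wireless traffic also hits FORWARD when
    # bridge-nf-call-iptables is enabled; let it pass in the LAN zone.
    $IPT -A forwarding_lan -m physdev --physdev-is-bridged -j ACCEPT
}

# usage: run custom_rules from /etc/firewall.user, or IPT=echo ./rules.sh to preview
custom_rules
```

Because the custom chains return to the zone chains that called them, an ACCEPT here short-circuits the zone's default reject for the matching packet only; the order of rules within the custom chain is the only ordering you control.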

raw Table

The raw table is consulted before connection tracking sees a packet; OpenWRT uses it to apply the NOTRACK target to packets that the conntrack module should ignore, so they never create an entry in the connection table.

Call Graph                                              | Applies to packets
--------------------------------------------------------+-----------------------------------------------------
PREROUTING → zone_wan_notrack                           | Just received on the WAN interface.
PREROUTING → zone_lan_notrack                           | Just received on the LAN interface.
OUTPUT                                                  | Being transmitted.

Link List

Building and installing

Configuration

Hardware and software alternatives