Casey Tucker wrote:
> Rick Reynolds wrote:
> > I'm doing nearly the same thing: WRT54GS router, but I'm running
> > the DD-WRT distro on it. It has the ability to do what you're
> > talking about, namely mount an NFS partition at boot time and then
> > read firewalling rules from a file on the NFS partition.
> > I found a HOWTO on a blog out there showing me how to set this up,
> > but then I figured out a slightly better way to do it.
> > But it's certainly possible with DD-WRT without having to reinvent
> > that wheel...
> > Thanks,
> > Rick Reynolds
> Could you please provide me with some information as to how that was
> accomplished -- the NFS mount on DD-WRT specifically. I'm having some
> trouble finding any info on that.
> Thanks!
> -Casey
I agree that this seems to be a black art at this point. There isn't
enough documentation on DD-WRT.
Here are the steps I did:
1. Under the Administration tab, enable SMBFS. Point it to a share on a
samba server on your network (for me it is [IPADDR]/fileserver). Create
and enable a new user on the samba server and enter its username and
password (this probably isn't strictly necessary, but I think it's a
good idea). You don't need to worry about Startscript (it didn't seem
to work correctly for me on DD-WRT v23).
With this in place, the router will samba mount that share and it will
appear under /tmp/smbshare in the router's filesystem.
2. Place a set of firewalling rules (iptables commands in a bash script
-- I used fwbuilder to make mine) in the shared directory on the samba
server. Make sure the script is executable.
3. Log in as root to the router (you do have ssh enabled, right?) and
issue the following command to set a variable in the router's nvram:
# nvram set rc_firewall="/tmp/smbshare/[firewall rules script name]"
You can check this value later via
# nvram get rc_firewall
From what I can tell, rc_firewall is one of two special nvram variables
that you can set (the other allows pointing to a script to be run at
startup time). DD-WRT will execute whatever is in this variable during
bootup when it is time to apply the firewalling rules.
4. Reboot the router, log in as root again and make sure the samba mount
is active (# mount) and that your new firewalling rules are enabled (#
iptables -L). The system starts with a default set of iptables rules,
so you'll need to look at the output just a bit to make sure you're
seeing your rules.
That's about it. The HOWTO blog article I referred to above
(http://www.sns.ias.edu/~jns/wp/2006/03/24/iptables-on-a-linksys-cisco-wrt54gl-broadband-router-howto/)
was very helpful, but it talks about enabling JFFS and remounting the
samba share onto /jffs. It isn't necessary. You can just grab the
firewalling rules out of /tmp/smbshare.
Now, if you want to install the "mini" version of DD-WRT, I believe you
can put the firewalling rules right into nvram and not have to point to
a samba share. But that makes changing the rules that much harder, of
course. Another thing to consider: it seems to me that the samba
sharing doesn't work 100% of the time. Sometimes when I've suffered a
power hit, I've found that the firewall rules aren't in place. I log in
to the router and check, and it is because the samba mount never got
mounted. Rebooting the router again at that point usually clears that
right up. I don't know why it isn't more deterministic. To combat
that, I now have my router (and the fileserver that shares out the
ruleset) protected by a UPS.
I hope that's helpful.
Thanks,
Rick Reynolds
--
If you're a mad scientist, you can use GPLv2'd software for your evil
plans to take over the world ('Sharks with lasers on their heads!!'),
and the GPLv2 just says that you have to give source code back. And
that's OK by me. I like sharks with lasers. I just want the mad
scientists of the world to pay me back in kind. -- Linus Torvalds
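The procedure above (steps 1 to 4) and the failure mode Rick describes (the SMB share not being mounted after a power hit, leaving the router on its stock rules) can be combined into a small fail-closed wrapper for the rc_firewall hook. The script below is an added example, not code from the thread or from DD-WRT: it waits for the share, runs the rule script only if it is present and executable, and otherwise installs a restrictive fallback rule set. The mount point /tmp/smbshare comes from the post; the rule-script name firewall.sh, the LAN bridge name br0 and the nvram tool path /usr/sbin/nvram are assumptions.

```shell
#!/bin/sh
# Added example (not part of the post or of DD-WRT): a fail-closed wrapper
# for DD-WRT's rc_firewall hook. It waits for the SMBFS share to show up,
# runs the rule script from it if the file is present and executable, and
# otherwise applies a restrictive fallback so a missed mount never leaves
# the router on its stock rules. Busybox ash / POSIX sh only.
# Assumptions: SHARE is the mount point named in the post; firewall.sh,
# br0 (the LAN bridge) and /usr/sbin/nvram are guesses.

SHARE="${SHARE:-/tmp/smbshare}"
RULES="${RULES:-$SHARE/firewall.sh}"
RETRIES="${RETRIES:-10}"   # how many times to look for the mount
DELAY="${DELAY:-3}"        # seconds between looks

log() {
    # DD-WRT runs syslogd; fall back to stderr where logger is missing.
    logger -t rc_firewall "$*" 2>/dev/null || echo "rc_firewall: $*" >&2
}

# list_mounts: current mounts, one per line, in /proc/mounts or `mount`
# output format (both list the mount point surrounded by spaces).
list_mounts() {
    if [ -r /proc/mounts ]; then cat /proc/mounts; else mount; fi
}

# share_mounted MOUNT_TEXT DIR: 0 if DIR is listed as a mount point in
# MOUNT_TEXT. The text is passed in rather than read here so the check
# can be exercised on a workstation with constructed input.
share_mounted() {
    printf '%s\n' "$1" | grep -qF -e " $2 "
}

# wait_for_share DIR RETRIES DELAY: poll until DIR is mounted (0) or the
# retries are used up (1). The post notes the mount is sometimes not up
# when rc_firewall runs, so give it a little time before giving up.
wait_for_share() {
    dir=$1; tries=$2; delay=$3
    while [ "$tries" -gt 0 ]; do
        if share_mounted "$(list_mounts)" "$dir"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep "$delay"
    done
    return 1
}

# rules_usable FILE: step 2 of the post requires the rule script to be
# executable; only then is it run. A share that is mounted but empty or
# stale fails this check and gets the fallback as well.
rules_usable() {
    [ -f "$1" ] && [ -x "$1" ]
}

# fallback_rules: print (do not run) the minimal fail-closed rule set. It
# blocks all forwarding and all new connections from the WAN but still
# accepts connections from the LAN bridge, so the ssh login and the
# "mount" / "iptables -L" check from step 4 still work.
fallback_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i br0 -j ACCEPT
EOF
}

main() {
    if wait_for_share "$SHARE" "$RETRIES" "$DELAY" && rules_usable "$RULES"; then
        log "share up, applying $RULES"
        "$RULES"
    else
        log "share or rule script missing, applying fail-closed fallback"
        fallback_rules | sh
    fi
}

# Act only on the router (where DD-WRT's nvram tool lives, path assumed);
# anywhere else this file just defines the functions above.
if [ -x /usr/sbin/nvram ]; then
    main
fi
```

Because the wrapper has to be available even when the share is not, it belongs in nvram rather than on the share: store the script body itself in rc_firewall (as the post notes is possible for rules on the mini build, and assuming there is room), for instance with `nvram set rc_firewall="$(cat rc_firewall.sh)" && nvram commit`, and keep the full fwbuilder rule set on the share as before. After a reboot, `iptables -L` then shows either the share's rules or the fallback, never just the defaults.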