
iptables cheats

Can't remember iptables commands and what you're doing? It's easier to modify the default saved configuration than to write your own chains and rules from scratch, especially if you do not do this on a daily basis.

step 1: find your iptables config file.

Use "locate iptables | more". This lists everything on the system related to iptables. Normally the config is in the /etc/sysconfig/ directory.

step 2: change your rules using vim

centos: /etc/sysconfig/iptables
openwrt: /etc/firewall.user

and run:

centos # /etc/init.d/iptables restart
openwrt(i think) # /etc/init.d/S45firewall restart

The good news is that in most cases now the default firewall config already includes an example rule for a TCP port and a UDP port, and OpenWrt ships a commented example of port forwarding, e.g.

WAN=$(nvram get wan_ifname)
### Port forwarding
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.0.2
iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.0.2 -j ACCEPT

Note that this pair of rules is all that is needed: the DNAT rule rewrites the destination of port 22 traffic arriving on the WAN interface, and the forwarding_rule ACCEPT lets the rewritten packets through to 192.168.0.2. You do not also need an INPUT rule opening port 22 on the WAN interface, because the traffic is forwarded to the LAN host rather than delivered to the router itself.
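Here is an added example (not from the original post or from OpenWrt) that builds the same DNAT + forwarding ACCEPT pair for any port, using the prerouting_rule / forwarding_rule chain names from the firewall.user snippet above, after checking the protocol, ports and LAN address. It deliberately produces no INPUT rule, since forwarded traffic never targets the router. The interface name eth0.1 and the LAN addresses are constructed sample values; IPT defaults to "echo iptables" so the script only prints what it would run.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenWrt. Builds the
# DNAT + forwarding ACCEPT pair for one port forward, using the
# prerouting_rule / forwarding_rule chain names from the OpenWrt
# firewall.user snippet, after sanity-checking the arguments.
# No INPUT rule is produced: forwarded traffic never targets the router.
# IPT defaults to "echo iptables" so the script only prints the commands;
# set IPT=iptables (as root on the router) to apply them.
IPT="${IPT:-echo iptables}"

# valid_port PORT: digits only, 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR: four dotted decimal octets, each 0..255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# forward_port WAN_IF PROTO WAN_PORT LAN_IP [LAN_PORT]
# e.g. forward_port eth0.1 tcp 2222 192.168.0.2 22  (constructed sample values)
forward_port() {
    wan=$1; proto=$2; wport=$3; lan=$4; lport=${5:-$3}
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_port: protocol must be tcp or udp" >&2; return 2 ;;
    esac
    valid_port "$wport" && valid_port "$lport" || { echo "forward_port: bad port" >&2; return 2; }
    valid_ipv4 "$lan" || { echo "forward_port: bad LAN address" >&2; return 2; }
    # 1) rewrite the destination of WAN traffic arriving on WAN_PORT;
    # 2) let the rewritten packets through the forwarding path to the LAN host.
    $IPT -t nat -A prerouting_rule -i "$wan" -p "$proto" --dport "$wport" \
        -j DNAT --to "$lan:$lport" || return 1
    $IPT -A forwarding_rule -i "$wan" -p "$proto" -d "$lan" --dport "$lport" -j ACCEPT
}

# Usage: SSH reachable on WAN port 2222, delivered to 192.168.0.2:22
forward_port eth0.1 tcp 2222 192.168.0.2 22
```

Run it as-is to see the two commands it would issue; set IPT=iptables on the router to apply them. Keeping the WAN port and LAN port separate (2222 on the outside, 22 on the inside) is the only change from the snippet above, and the --to argument carries the LAN port.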

Alternatively, here are some iptables commands and basics to get you going. This is basically all I know and I managed to survive somewhat.

The two most commonly used tables are probably nat and filter. The default is filter, so to list the existing firewall rules you only need to do this:

# iptables -L --line

It is important to note that iptables works sequentially: it checks rule 1 before it checks rule 2, and the first matching rule decides. I've recently started using --line (short for --line-numbers), which is really vital if you want an easy way to see where to insert a rule. e.g. to insert an ACCEPT for TCP port 22 as rule 2 of the INPUT chain: iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
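Because of that ordering, an ACCEPT appended after a chain's catch-all REJECT (the last rule of RH-Firewall-1-INPUT on CentOS) never matches anything. The following added example (mine, not from the original post) reads the "--line-numbers" listing of a chain, finds the number of the first REJECT or DROP rule, and inserts the new rule at that position. The listing embedded in it is a constructed sample, not captured from a real box, and IPT defaults to "echo iptables" so the script only prints what it would run.

```shell
#!/bin/sh
# Added example, not from the original post. iptables checks rules in order,
# so an ACCEPT added after a chain's catch-all REJECT/DROP never matches.
# This reads "iptables -L CHAIN -n --line-numbers" output, finds the number
# of the first REJECT/DROP rule, and inserts the new rule at that position.
# IPT defaults to "echo iptables" so the script only prints what it would run;
# set IPT=iptables (as root) to apply for real.
IPT="${IPT:-echo iptables}"

# Constructed sample listing (not captured from a real box), used unless
# IPT is the real iptables binary. Rule 5 is the CentOS-style catch-all.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (0 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# list_chain CHAIN: numbered listing of CHAIN (real when IPT=iptables, else the sample)
list_chain() {
    if [ "$IPT" = iptables ]; then
        iptables -L "$1" -n --line-numbers
    else
        printf '%s\n' "$SAMPLE_LISTING"
    fi
}

# catchall_index: reads a numbered listing on stdin and prints the rule number
# of the first REJECT or DROP; with no such rule it prints last number + 1
# (the append position, which is 1 for an empty chain).
catchall_index() {
    awk '$1 ~ /^[0-9]+$/ {
             last = $1
             if ($2 == "REJECT" || $2 == "DROP") { print $1; found = 1; exit }
         }
         END { if (!found) print last + 1 }'
}

# insert_before_catchall CHAIN RULE-SPEC...: runs iptables -I CHAIN N RULE-SPEC...
insert_before_catchall() {
    chain=$1
    shift
    n=$(list_chain "$chain" | catchall_index)
    $IPT -I "$chain" "$n" "$@"
}

# Usage: open HTTP just before the catch-all instead of appending after it.
insert_before_catchall RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
```

Against the sample listing this prints "iptables -I RH-Firewall-1-INPUT 5 -p tcp --dport 80 -j ACCEPT", i.e. the new rule takes position 5 and the REJECT moves down to 6. Re-run "iptables -L --line" afterwards to confirm the order before saving.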

To view the nat (network address translation) table

# iptables -L -t nat --line

One of the more important entries in this table is probably the masquerading rule used for sharing a network connection.

# iptables -A POSTROUTING -j MASQUERADE -t nat

I guess it does look intimidating, but it really isn't when it dawns upon you as in how the logic works.

Once you have finished creating your rules with iptables -I, use "# iptables-save > /etc/sysconfig/iptables" to make sure your changes are saved; rules added at runtime are otherwise lost when iptables is restarted or the machine reboots.

More examples (RH-Firewall-1-INPUT is the chain used by the default CentOS firewall config):

Insert an ACCEPT for TCP port 80 as rule 8 of the chain:

iptables -I RH-Firewall-1-INPUT 8 -p tcp --dport 80 -j ACCEPT

Delete rule 9 from the chain:

iptables -D RH-Firewall-1-INPUT 9
