  • OpenWrt: changing the default access port of the web interface

    10,000+ reads, 2019-10-23 17:06:04

     

    How to simply hide the web interface on OpenWrt

    • Flash the router with OpenWrt and enable the web interface (usually LuCI), then connect any LAN port of the router to a computer (IP obtained automatically). Normally you only need to type the LAN port's IP address into the browser to reach the router's web page, e.g. open the browser and enter 192.168.1.1 directly.
    • The browser's default HTTP port is 80, so the address actually visited is http://192.168.1.1:80/
    • If OpenWrt's default HTTP listen port 80 is changed, you can no longer reach the web page by typing 192.168.1.1 alone. With the listen port changed to 8080, for example, you must specify the port together with the IP to reach the OpenWrt web page, e.g. http://192.168.1.1:8080/
    • Changing the default listen port in this way hides the web interface to some extent and keeps ordinary users from reaching it (a web access password can of course also be set); when the configuration needs changing, the administrator can still use the web page to configure the router.

    Port 80 is the port opened for HTTP (HyperText Transfer Protocol), the most heavily used protocol when browsing the Internet; it is mainly the protocol used to transfer information on the WWW (World Wide Web).

    A website can be reached by appending ":80" to its HTTP address (the "URL"); because web browsing services default to port 80, entering the address alone is enough and ":80" can be omitted.

    The rough steps for changing the default web access port on OpenWrt are:

    1. Log in to the OpenWrt shell over the serial console or SSH;
    2. The web server OpenWrt uses by default is uhttpd;
    3. Change to the configuration directory: cd /etc/config/
    4. Edit the uhttpd file with the vi editor: vi uhttpd

    After connecting to the computer over the serial console, enter OpenWrt:

    BusyBox v1.28.3 () built-in shell (ash)
    
      _______                     ________        __
     |       |.-----.-----.-----.|  |  |  |.----.|  |_
     |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
     |_______||   __|_____|__|__||________||__|  |____|
              |__| W I R E L E S S   F R E E D O M
     -----------------------------------------------------
     OpenWrt 18.06-SNAPSHOT, r7201-4f3082583a
     -----------------------------------------------------
    root@OpenWrt:/# 

    Open the uhttpd file in the vi editor; the port to change is the one in the listen_http lines (0.0.0.0:80 and [::]:80), e.g. to 8080:

    # Server configuration
    config uhttpd main
    
            # HTTP listen addresses, multiple allowed
            list listen_http        0.0.0.0:80
            list listen_http        [::]:80
    
            # HTTPS listen addresses, multiple allowed
            list listen_https       0.0.0.0:443
            list listen_https       [::]:443
    
            # Redirect HTTP requests to HTTPS if possible
            option redirect_https   1
    
            # Server document root
            option home             /www
    
            # Reject requests from RFC1918 IP addresses
            # directed to the servers public IP(s).
            # This is a DNS rebinding countermeasure.
            option rfc1918_filter 1
    
            # Maximum number of concurrent requests.
            # If this number is exceeded, further requests are
            # queued until the number of running requests drops
            # below the limit again.
            option max_requests 3
    
            # Maximum number of concurrent connections.
            # If this number is exceeded, further TCP connection
            # attempts are queued until the number of active
            # connections drops below the limit again.
            option max_connections 100
    
            # Certificate and private key for HTTPS.
            # If no listen_https addresses are given,
            # the key options are ignored.
            option cert             /etc/uhttpd.crt
            option key              /etc/uhttpd.key
    
            # CGI url prefix, will be searched in docroot.
            # Default is /cgi-bin
            option cgi_prefix       /cgi-bin
    
            # List of extension->interpreter mappings.
            # Files with an associated interpreter can
            # be called outside of the CGI prefix and do
            # not need to be executable.


    • After changing the port, save and quit (:wq)
    • Restart uhttpd (or reboot the router): root@OpenWrt:/# /etc/init.d/uhttpd restart (or # reboot)
    • Log in to the web interface on the new port, e.g. http://192.168.1.1:8080/

    In addition, the OpenWrt website notes that by default the address uHTTPd binds to also includes the WAN port; to restrict it to the LAN port only, follow the steps below.

     

    By default, uHTTPd is bind to 0.0.0.0 which also includes the WAN port of your router. To bind uHTTPd to the LAN port only you have to change the listen_http and listen_https options to your LAN IP address.

    To get your current LAN IP address run this command:

    # uci get network.lan.ipaddr
    192.168.1.1

    Then edit /etc/config/uhttpd and bind listen_http to specific 192.168.1.1 IP instead of 0.0.0.0 and comment out IPv6 bindings:

    config uhttpd main
            # HTTP listen addresses, multiple allowed
            list listen_http        192.168.1.1:80
    #       list listen_http        [::]:80
     
            # HTTPS listen addresses, multiple allowed
            list listen_https       192.168.1.1:443
    #       list listen_https       [::]:443
  • **When setting up port forwarding, you only need to assign the MAC address of the corresponding internal-network NIC as the source address.**

    Method 1: in the firewall settings, click Edit on wan
    (screenshot)
    Configure as shown below:
    (screenshot)

    Method 2:

    For example, I have deployed a Nextcloud service on a host in my home network, with the port set to 88,
    so it can be reached at http://localhost:88.
    In OpenWrt this can be set up as follows:
    (screenshot)
    Click Add, then find the entry above and click Edit.
    (screenshot)
    Note here: select the MAC address of the internal machine hosting the service.
    (screenshot)
    For example, mine is the Nextcloud deployed here.
    (screenshot)
    Select it, then Save & Apply.

    Then use your own public IP, or a domain name already resolving to it, plus the port you set.
    (screenshot)

    If you want to map many ports at once, for example ports 81 to 1000,
    write it as 81-1000 in the setting.

  • How to change the SSH password and port on OpenWrt

    1,000+ reads, 2019-03-20 15:47:17

    1. Change the SSH password

    passwd
    Enter the new password twice; note that the old password is not verified here!
    111111
    111111

    2. Change the port

    uci set dropbear.@dropbear[0].Port=2222
    uci commit dropbear
    /etc/init.d/dropbear reload

  • Changing firewall rules on OpenWrt

    10,000+ reads, 2019-07-08 18:48:09

    This article is translated from the OpenWrt wiki.

    Contents

    • Firewall configuration /etc/config/firewall
    • Management
    • WebUI
    • CLI
    • Configuration sections
    • Defaults
    • Includes
    • Redirects
    • Zones
    • Forwardings
    • Rules
    • Routing
    • IP Sets
    • IPv6
    • SNAT


    Firewall configuration /etc/config/firewall

    OpenWrt's firewall management application fw3 has three configuration mechanisms:

    Configuration files:

    • /etc/firewall.user
    • /etc/config/firewall

    This article focuses on the configuration files and their contents; LuCI and UCI are user abstractions that ultimately modify the same configuration files.

    Management

    • The main firewall configuration file is /etc/config/firewall; edit it to change the firewall settings.
      • Back it up before making changes.
      • Once the settings have been changed and verified, reload the firewall with /etc/init.d/firewall reload (using fw3 reload is simpler and also checks the configuration file for errors).
    • Any line whose first character is # is not parsed and serves as a comment.
    • The UCI firewall configuration in /etc/config/firewall covers a reasonable subset of netfilter rules, but not all of them.
    • Use the fw3 UCI firewall configuration wherever possible. Some scenarios require iptables directly; see Netfilter in OpenWrt.

    WebUI

    LuCI is a good mechanism for viewing and changing the firewall configuration.

    • It lives under Network --> Firewall and maps closely to the sections of the configuration file.
    • Changing the firewall configuration through it takes a little longer, but it is better organised than the configuration file.

    Change the parameters and reload with the Save & Apply button.

    • LuCI removes all comment lines (#) from /etc/config/firewall.

    CLI

    UCI is a low-level abstraction over the configuration files, which can be accessed remotely over SSH.

    uci add firewall rule
    uci set firewall.@rule[-1].target='REJECT'
    uci set firewall.@rule[-1].proto='tcp udp icmp'
    uci set firewall.@rule[-1].src='vpn'
    uci set firewall.@rule[-1].dest='lan'
    uci set firewall.@rule[-1].name='Reject All VPN -> LAN Traffic'
    uci commit firewall
    service firewall restart
    

    This assumes the last rule is on the VPN --> LAN forwarding chain; all packets coming from the VPN will be rejected.
    Show the firewall configuration:

    # uci show firewall
    firewall.@rule[20]=rule
    firewall.@rule[20].target='REJECT'
    firewall.@rule[20].proto='tcp udp icmp'
    firewall.@rule[20].src='wan'
    firewall.@rule[20].dest='lan'
    firewall.@rule[20].name='Reject All VPN -> LAN Traffic'
    

    UCI is very convenient for viewing the firewall configuration, but for the following reasons it is generally not used to change it:

    • You must be familiar with the firewall rules for the rule array to work.
    • uci does not recognise the contents of the /etc/firewall.user script.
    • uci commit is required to save the configuration, but /etc/init.d/firewall reload still has to be called to load the new tables.

    Configuration sections

    The following is an overview of the defined firewall configuration:

    • A minimal configuration for a router usually consists of a defaults section, at least two zones (lan and wan) and one forwarding allowing traffic from lan to wan.

      • The forwarding section is not required when there are no more than two zones, since the rule can be set as the "global default" of the zone.

    Defaults

    The defaults section declares global firewall settings that do not belong to any particular section.

    config defaults
        option  input                 'ACCEPT'
        option  output                'ACCEPT'
        option  forward               'REJECT'
        option  custom_chains         '1'
        option  drop_invalid          '1'
        option  syn_flood             '1'
        option  synflood_burst        '50'
        option  synflood_protect      '1'
        option  tcp_ecn               '1'
        option  tcp_syncookies        '1'
        option  tcp_window_scaling    '1'

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | input | string | no | REJECT | Set policy for the INPUT chain of the filter table. |
    | forward | string | no | REJECT | Set policy for the FORWARD chain of the filter table. |
    | output | string | no | REJECT | Set policy for the OUTPUT chain of the filter table. |
    | drop_invalid | boolean | no | 0 | Drop invalid packets (e.g. not matching any active connection). |
    | syn_flood | boolean | no | 0 | Enable SYN flood protection (obsoleted by synflood_protect setting). |
    | synflood_protect | boolean | no | 0 | Enable SYN flood protection. |
    | synflood_rate | string | no | 25 | Set rate limit (packets/second) for SYN packets above which the traffic is considered a flood. |
    | synflood_burst | string | no | 50 | Set burst limit for SYN packets above which the traffic is considered a flood if it exceeds the allowed rate. |
    | tcp_syncookies | boolean | no | 1 | Enable the use of SYN cookies. |
    | tcp_ecn | boolean | no | 0 | Enable/Disable Explicit Congestion Notification. Implemented upstream in Linux Kernel. See ip-sysctl.txt. |
    | tcp_window_scaling | boolean | no | 1 | Enable TCP window scaling. |
    | accept_redirects | boolean | no | 0 | Accepts redirects. Implemented upstream in Linux Kernel. See ip-sysctl.txt. |
    | accept_source_route | boolean | no | 0 | Implemented upstream in Linux Kernel. See ip-sysctl.txt. |
    | custom_chains | boolean | no | 1 | Enable generation of custom rule chain hooks for user generated rules. User rules would be typically stored in firewall.user but some packages e.g. BCP38 also make use of these hooks. |
    | disable_ipv6 | boolean | no | 0 | Disable IPv6 firewall rules. |
    | flow_offloading | boolean | no | 0 | Enable software flow offloading for connections. (decrease cpu load / increase routing throughput) |
    | flow_offloading_hw | boolean | no | 0 | Enable hardware flow offloading for connections. (depends on flow_offloading and hw capability) |
    | tcp_reject_code | reject_code | no | 0 | Defined in firewall3/options.h. Seems to determine method of packet rejection; (tcp reset, or drop, vs ICMP Destination Unreachable, or closed) |
    | any_reject_code | reject_code | no | 1 | Defined in firewall3/options.h. Seems to determine method of packet rejection; (tcp reset, or drop, vs ICMP Destination Unreachable, or closed) |
    | auto-helper | bool | no | FIXME | FIXME |

    Includes

    Custom firewall scripts can be included by specifying one or more include sections in the firewall configuration:

    config include
    option path '/etc/firewall.user'

    • The script /etc/firewall.user is empty by default.

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | enabled | boolean | no | 1 | Allows to disable the corresponding include without having to delete the section |
    | type | string | no | script | Specifies the type of the include, can be script for traditional shell script includes or restore for plain files in iptables-restore format |
    | path | file name | yes | /etc/firewall.user | Specifies a shell script to execute on boot or firewall restarts |
    | family | string | no | any | Specifies the address family (ipv4, ipv6 or any) for which the include is called |
    | reload | boolean | no | 0 | Specifies whether the include should be called on reload - this is only needed if the include injects rules into internal chains |

    Includes of type script can contain arbitrary commands, for example advanced iptables rules or the tc commands needed for traffic control.

    • :!: Since custom iptables rules are more specific than the generic ones, make sure to use -I (insert) instead of -A (append), so that the custom rules appear before the default rules.

    • :!: If a rule already exists in iptables, it is not added again. A plain iptables -I or -A would add a duplicate rule.

    Example

    Below is an example /etc/firewall.user script that allows CloudFlare.com to reach ports HTTP 80 and HTTPS 443. Use it if your uhttpd is hidden behind the CF proxy.

    # Replace the ips-v4 with v6 if needed
    for ip in `wget -qO- http://www.cloudflare.com/ips-v4`; do
      iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
    done

    NOTE: it fetches the IP list over HTTP, because fetching over HTTPS with wget requires ca-certs to be installed. This leaves you vulnerable to MitM attacks, but it does protect you from attackers on the Internet.

    Redirects

    Port forwards (DNAT) are defined in redirect sections. Port redirection is also commonly called port forwarding or virtual server.

    • All incoming traffic on the specified source zone that matches the given rule is directed to the specified internal host.

    • Port ranges are specified as start:stop, for example 6666:6670 (similar to the iptables syntax).

    Destination NAT

    config redirect
        option  target      'DNAT'
        option  proto       'tcp'
        option  src         'wan'
        option  src_dport   '19900'
        option  dest        'lan'
        option  dest_port   '22'
        option  dest_ip     '192.168.1.1'
        option  name        'Allow Redirect WAN -> LAN (SSH)'

    :!: If a configuration section does not contain src_dport, packets on any port that match the other options in the section are forwarded to the destination port specified in that section. This can pose a security risk for the application running on the destination port opened by the config section. One way to test for this is to use Gibson Research Corporation's ShieldsUP! service and probe the desired ports on the router. The response can be open, closed or stealth (dropped). For an open or closed port the packet reaches the target host and an acknowledgement/reply packet is sent back. A stealth port drops the packet; from the perspective of the probing system (Gibson Research) it cannot tell whether those packets ever reached the target host.

    Source NAT

    Masquerade is the most common form of SNAT; it changes the source of traffic leaving via WAN to the router's public IP. SNAT can also be done by hand:

    config redirect
        option  target      'SNAT'
        option  proto       'icmp'
        option  src         'dmz'
        option  src_ip      '192.168.1.250'
        option  src_dip     '1.2.3.4'
        option  dest        'wan'
        option  name        'SNAT: DMZ ICMP 192.168.1.250 -> 1.2.3.4'

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | name | string | no | string | Name of redirect |
    | src | zone name | yes for DNAT target | (none) | Specifies the traffic source zone. Must refer to one of the defined zone names. For typical port forwards this usually is wan. |
    | src_ip | ip address | no | (none) | Match incoming traffic from the specified source ip address. |
    | src_dip | ip address | yes for SNAT target | (none) | For DNAT, match incoming traffic directed at the given destination ip address. For SNAT rewrite the source address to the given address. |
    | src_mac | mac address | no | (none) | Match incoming traffic from the specified mac address. |
    | src_port | port or range | no | (none) | Match incoming traffic originating from the given source port or port range on the client host. |
    | src_dport | port or range | no | (none) | For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT rewrite the source ports to the given value. |
    | proto | protocol name or number | no | tcp udp | Match incoming traffic using the given protocol. |
    | dest | zone name | yes for SNAT target | (none) | Specifies the traffic destination zone. Must refer to one of the defined zone names. For DNAT target on Attitude Adjustment, NAT reflection works only if this is equal to lan. |
    | dest_ip | ip address | yes for DNAT target | (none) | For DNAT, redirect matched incoming traffic to the specified internal host. For SNAT, match traffic directed at the given address. For DNAT if the dest_ip value matches the local ip addresses of the router, as shown in the ifconfig, then the rule is translated in a DNAT + input 'accept' rule. Otherwise it is a DNAT + forward rule. |
    | dest_port | port or range | no | (none) | For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. Only a single port or range can be specified, not disparate ports as with Rules (below). |
    | ipset | string | no | (none) | If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark. |
    | mark | string | no | (none) | If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16. |
    | start_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic after the given date (inclusive). |
    | stop_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic before the given date (inclusive). |
    | start_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic after the given time of day (inclusive). |
    | stop_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic before the given time of day (inclusive). |
    | weekdays | list of weekdays | no | (always) | If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on Saturdays and Sundays. |
    | monthdays | list of dates | no | (always) | If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30th day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month. |
    | utc_time | boolean | no | 0 | Treat all given time values as UTC time instead of local time. |
    | target | string | no | DNAT | NAT target (DNAT or SNAT) to use when generating the rule. |
    | family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
    | reflection | boolean | no | 1 | Activate NAT reflection for this redirect - applicable to DNAT targets. |
    | reflection_src | string | no | internal | The source address to use for NAT-reflected packets if reflection is 1. This can be internal or external, specifying which interface's address to use. Applicable to DNAT targets. |
    | limit | string | no | (none) | Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/second, 3/sec or 3/s. |
    | limit_burst | integer | no | 5 | Maximum initial number of packets to match, allowing a short-term average above limit. |
    | enabled | string | no | 1 or yes | Enable the redirect rule or not. |
    | helper | cthelper | no | FIXME | FIXME |

    Zones

    A zone section groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects.

    config zone
        option  name        'wan'
        option  network     'wan wan6'
        option  input       'REJECT'
        option  output      'ACCEPT'
        option  forward     'REJECT'
        option  masq        '1'
        option  mtu_fix     '1'

    • MASQUERADE (NAT) of outgoing traffic (WAN) is controlled on a per-zone basis on the outgoing interface.

    • INPUT rules for a zone describe what happens to traffic trying to reach the router itself through an interface in that zone.

    • OUTPUT rules for a zone describe what happens to traffic originating from the router itself going through an interface in that zone.

    • FORWARD rules for a zone describe what happens to traffic passing between different interfaces belonging in the same zone.

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | name | zone name | yes | (none) | Unique zone name. 11 characters is the maximum working firewall zone name length. |
    | network | list | no | (none) | List of interfaces attached to this zone. If omitted and neither extra* options, subnets nor devices are given, the value of name is used by default. Alias interfaces defined in the network config cannot be used as valid 'standalone' networks. Use list syntax. |
    | masq | boolean | no | 0 | Specifies whether outgoing zone traffic should be masqueraded. This is typically enabled on the wan zone. |
    | masq_src | list of subnets | no | 0.0.0.0/0 | Limit masquerading to the given source subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
    | masq_dest | list of subnets | no | 0.0.0.0/0 | Limit masquerading to the given destination subnets. Negation is possible by prefixing the subnet with !; multiple subnets are allowed. |
    | masq_allow_invalid | boolean | no | 0 | Do not add DROP INVALID rules, if masquerading is used. The DROP rules are supposed to prevent NAT leakage (see commit in firewall3). |
    | mtu_fix | boolean | no | 0 | Enable MSS clamping for outgoing zone traffic. |
    | input | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic. |
    | forward | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic. |
    | output | string | no | DROP | Default policy (ACCEPT, REJECT, DROP) for outgoing zone traffic. |
    | family | string | no | any | The protocol family (ipv4, ipv6 or any) these iptables rules are for. |
    | log | int | no | 0 | Bit field to enable logging in the filter and/or mangle tables, bit 0 = filter, bit 1 = mangle. (Since r6397-7cc9914aae) |
    | log_limit | string | no | 10/minute | Limits the amount of log messages per interval. |
    | device | list | no | (none) | List of raw network device names attached to this zone, e.g. ppp+ to match any PPP interface. |
    | subnet | list | no | (none) | List of IP subnets attached to this zone. |
    | extra | string | no | (none) | Extra arguments passed directly to iptables. Note that these options are passed to both source and destination classification rules, therefore direction-specific options like --dport should not be used here - in this case the extra_src and extra_dest options should be used instead. |
    | extra_src | string | no | Value of extra | Extra arguments passed directly to iptables for source classification rules. |
    | extra_dest | string | no | Value of extra | Extra arguments passed directly to iptables for destination classification rules. |
    | custom-chains | bool | no | FIXME | FIXME |
    | enabled | bool | no | yes | if set to 0, zone is disabled |
    | auto_helper | bool | no | FIXME | FIXME |
    | helper | cthelper | no | FIXME | FIXME |

    Forwardings

    The forwarding sections control the traffic flow between zones, and may enable MSS clamping for specific directions.

    config forwarding
        option  src         'lan'
        option  dest        'wan'

    • Only one direction is covered by a forwarding rule. To allow bidirectional traffic flows between two zones, two forwardings are required, with src and dest reversed in each.

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | name | forward name | no | (none) | Unique forwarding name. |
    | src | zone name | yes | (none) | Specifies the traffic source zone. Must refer to one of the defined zone names. For typical port forwards this usually is 'wan'. |
    | dest | zone name | yes | (none) | Specifies the traffic destination zone. Must refer to one of the defined zone names |
    | mtu_fix | boolean | no | 0 | Enable MSS clamping for traffic flowing from the source zone to the destination zone (Deprecated and moved to zone sections in 8.09.2+) |
    | family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
    | enabled | bool | no | yes | if set to 0, forward is disabled |

    :!: The iptables rules generated for this section rely on the state match which needs connection tracking to work.

    • At least one of the src or dest zones needs to have connection tracking enabled through the masq option.

    Rules

    The rule section is used to define basic accept, drop, or reject rules to allow or restrict access to specific ports or hosts.

    config rule
        option  target      'REJECT'
        option  proto       'tcp'
        option  src         'lan'
        option  src_ip      '192.168.1.2'
        option  src_mac     '00:11:22:33:44:55'
        option  src_port    '80'
        option  dest        'wan'
        option  dest_ip     '194.25.2.129'
        option  dest_port   '120'

    • In fw3, the src and dest are tied to the target:

      • If src and dest are given, the rule matches forwarded traffic

      • If only src is given, the rule matches incoming traffic

      • If only dest is given, the rule matches outgoing traffic

      • If neither src nor dest are given, the rule defaults to an outgoing traffic rule
         

    • Port ranges are specified as start:stop, for instance 6666:6670 (similar to the iptables syntax).
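    As an added example (not code from the OpenWrt project or from any of the posts above), the following Python script parses UCI configuration text and checks it for the pitfalls these pages describe: uhttpd listen entries bound to 0.0.0.0 or [::], which expose LuCI on the WAN side (first post and the wiki excerpt); a DNAT redirect without src_dport (the Redirects warning above); src/dest zones that are not defined (the CLI example above assumes a vpn zone exists); and the src/dest-to-chain classification just listed. The LAN address and both sample configs are constructed inline so that it runs offline.

```python
"""Lint OpenWrt UCI configs for pitfalls described on this page (added example,
not code from OpenWrt or the original posts; samples are constructed inline)."""
import shlex


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options', 'lists'}, ...].
    Lines whose first character is '#' are comments and are skipped."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if words[0] == "config":
            sections.append({"type": words[1],
                             "name": words[2] if len(words) > 2 else None,
                             "options": {}, "lists": {}})
        elif words[0] == "option" and sections:
            sections[-1]["options"][words[1]] = words[2] if len(words) > 2 else ""
        elif words[0] == "list" and sections:
            sections[-1]["lists"].setdefault(words[1], []).append(words[2])
    return sections


def audit_uhttpd(sections, lan_ip):
    """Flag listen_http/listen_https entries bound to every interface: the
    wiki excerpt notes that 0.0.0.0 includes the router's WAN side."""
    findings = []
    for sec in (s for s in sections if s["type"] == "uhttpd"):
        for key in ("listen_http", "listen_https"):
            for addr in sec["lists"].get(key, []):
                host, _, port = addr.rpartition(":")
                if host in ("0.0.0.0", "[::]", "::"):
                    findings.append(f"{key} {addr} also listens on WAN; "
                                    f"bind {lan_ip}:{port} instead")
    return findings


def audit_firewall(sections):
    """Two checks from the fw3 wiki text above: a DNAT redirect without
    src_dport forwards every port, and src/dest must name a defined zone."""
    zones = {s["options"].get("name") for s in sections if s["type"] == "zone"}
    findings = []
    for sec in sections:
        o = sec["options"]
        label = f"{sec['type']} '{o.get('name', '?')}'"
        if (sec["type"] == "redirect" and o.get("target", "DNAT") == "DNAT"
                and "src_dport" not in o):
            findings.append(f"{label}: no src_dport, so every port from zone "
                            f"{o.get('src')} is forwarded to "
                            f"{o.get('dest_ip')}:{o.get('dest_port')}")
        if sec["type"] in ("rule", "redirect", "forwarding"):
            for key in ("src", "dest"):
                zone = o.get(key)
                if zone and zone != "*" and zone not in zones:
                    findings.append(f"{label}: {key} zone '{zone}' is not defined")
    return findings


def rule_chain(options):
    """fw3 picks the chain from which zones a rule names (bullets above):
    src+dest -> forward, src only -> input, dest only or neither -> output."""
    if "src" in options and "dest" in options:
        return "forward"
    return "input" if "src" in options else "output"


# Constructed samples: the default uhttpd bindings shown above, and a small
# firewall whose port forward omits src_dport and whose rule names no zone.
UHTTPD_SAMPLE = """
config uhttpd main
    list listen_http        0.0.0.0:80
    list listen_http        [::]:80
    list listen_https       0.0.0.0:443
    list listen_https       [::]:443
"""
FIREWALL_SAMPLE = """
config zone
    option name 'wan'
config zone
    option name 'lan'
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option dest_ip '192.168.1.10'
    option dest_port '88'
    option name 'nextcloud'
config rule
    option src 'vpn'
    option dest 'lan'
    option target 'REJECT'
    option name 'Reject All VPN -> LAN Traffic'
"""

if __name__ == "__main__":
    lan_ip = "192.168.1.1"  # what `uci get network.lan.ipaddr` printed above
    print(*audit_uhttpd(parse_uci(UHTTPD_SAMPLE), lan_ip), sep="\n")
    fw = parse_uci(FIREWALL_SAMPLE)
    print(*audit_firewall(fw), sep="\n")
    print(*(f"rule '{s['options']['name']}' -> {rule_chain(s['options'])} chain"
            for s in fw if s["type"] == "rule"), sep="\n")
```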

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | name | string | no | (none) | Name of rule |
    | src | zone name | yes (:!: optional since Firewall v2, version 58 and above) | (none) | Specifies the traffic source zone. Must refer to one of the defined zone names. |
    | src_ip | ip address | no | (none) | Match incoming traffic from the specified source ip address |
    | src_mac | mac address | no | (none) | Match incoming traffic from the specified mac address |
    | src_port | port or range | no | (none) | Match incoming traffic from the specified source port or port range, if relevant proto is specified. Multiple ports can be specified like '80 443 465'. |
    | proto | protocol name or number | no | tcp udp | Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. The number 0 is equivalent to all. |
    | icmp_type | list of type names or numbers | no | any | For protocol icmp select specific icmp types to match. Values can be either exact icmp type numbers or type names (see below). |
    | dest | zone name | no | (none) | Specifies the traffic destination zone. Must refer to one of the defined zone names, or * for any zone. If specified, the rule applies to forwarded traffic; otherwise, it is treated as input rule. |
    | dest_ip | ip address | no | (none) | Match incoming traffic directed to the specified destination ip address. With no dest zone, this is treated as an input rule! |
    | dest_port | port or range | no | (none) | Match incoming traffic directed at the given destination port or port range, if relevant proto is specified. Multiple ports can be specified like '80 443 465'. |
    | ipset | string | no | (none) | If specified, match traffic against the given ipset. The match can be inverted by prefixing the value with an exclamation mark. You can specify the direction as 'setname src' or 'setname dest'. |
    | mark | mark/mask | no | (none) | If specified, match traffic against the given firewall mark, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value. The match can be inverted by prefixing the value with an exclamation mark, e.g. !0x10 to match all but mark #16. |
    | start_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic after the given date (inclusive). |
    | stop_date | date (yyyy-mm-dd) | no | (always) | If specified, only match traffic before the given date (inclusive). |
    | start_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic after the given time of day (inclusive). |
    | stop_time | time (hh:mm:ss) | no | (always) | If specified, only match traffic before the given time of day (inclusive). |
    | weekdays | list of weekdays | no | (always) | If specified, only match traffic during the given week days, e.g. sun mon thu fri to only match on Sundays, Mondays, Thursdays and Fridays. The list can be inverted by prefixing it with an exclamation mark, e.g. ! sat sun to always match but on Saturdays and Sundays. |
    | monthdays | list of dates | no | (always) | If specified, only match traffic during the given days of the month, e.g. 2 5 30 to only match on every 2nd, 5th and 30th day of the month. The list can be inverted by prefixing it with an exclamation mark, e.g. ! 31 to always match but on the 31st of the month. |
    | utc_time | boolean | no | 0 | Treat all given time values as UTC time instead of local time. |
    | target | string | yes | DROP | Firewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched traffic |
    | set_mark | mark/mask | yes for target MARK | (none) | Zeroes out the bits given by mask and ORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
    | set_xmark | | | | Zeroes out the bits given by mask and XORs value into the packet mark. If mask is omitted, 0xFFFFFFFF is assumed |
    | family | string | no | any | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
    | limit | string | no | (none) | Maximum average matching rate; specified as a number, with an optional /second, /minute, /hour or /day suffix. Examples: 3/minute, 3/min or 3/m. |
    | limit_burst | integer | no | 5 | Maximum initial number of packets to match, allowing a short-term average above limit |
    | extra | string | no | (none) | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec. |
    | enabled | boolean | no | yes | Enable or disable rule. |
    | device | string | no | FIXME | FIXME |
    | direction | direction | no | FIXME | FIXME direction_out |
    | set_helper | cthelper | no | FIXME | FIXME |
    | helper | cthelper | no | FIXME | FIXME |

    ICMP Name Types

    address-mask-reply, address-mask-request, any, communication-prohibited, destination-unreachable, echo-reply, echo-request, fragmentation-needed, host-precedence-violation, host-prohibited,
    host-redirect, host-unknown, host-unreachable, ip-header-bad, network-prohibited, network-redirect, network-unknown, network-unreachable, parameter-problem, ping,
    pong, port-unreachable, precedence-cutoff, protocol-unreachable, redirect, required-option-missing, router-advertisement, router-solicitation, source-quench, source-route-failed,
    time-exceeded, timestamp-reply, timestamp-request, TOS-host-redirect, TOS-host-unreachable, TOS-network-redirect, TOS-network-unreachable, ttl-exceeded, ttl-zero-during-reassembly, ttl-zero-during-transit

    Routing

    IP Sets

    fw3 supports referencing or creating ipsets to simplify matching of large address or port lists without the need for creating one rule per item to match.

    • :!: This needs the kmod-ipt-ipset kernel module installed.

    Options

    | Name | Type | Required | Default | Description |
    |---|---|---|---|---|
    | enabled | boolean | no | 1 | Allows to disable the declaration of the ipset without the need to delete the section. |
    | external | string | no | (none) | If the external option is set to a name, the firewall will simply reference an already existing ipset pointed to by the name. If the external option is unset, the firewall will create the ipset on start and destroy it on stop. |
    | name | string | yes if external is unset; no if external is set | (none) if external is unset; value of external if external is set | Specifies the firewall internal name of the ipset which is used to reference the set in rules or redirects. |
    | family | string | no | ipv4 | Protocol family (ipv4 or ipv6) to create ipset for. Only applicable to storage types hash and list, the bitmap type implies ipv4. |
    | storage | string | no | varies | Specifies the storage method (bitmap, hash or list) used by the ipset, the default varies depending on the used datatypes (see match option below). In most cases the storage method can be automatically inferred from the datatype combination but in some cases multiple choices are possible (e.g. bitmap:ip vs. hash:ip). |
    | match | list of direction/type tuples | yes | (none) | Specifies the matched data types (ip, port, mac, net or set) and their direction (src or dest). The direction is joined with the datatype by an underscore to form a tuple, e.g. src_port to match source ports or dest_net to match destination CIDR ranges. When using ipsets matching on multiple elements, e.g. hash:ip,port, specify the packet fields to match on in quotes or comma-separated (i.e. "match dest_ip dest_port"). |
    | iprange | IP range | yes for storage type bitmap with datatype ip | (none) | Specifies the IP range to cover, see ipset(8). Only applicable to the hash storage type. |
    | portrange | Port range | yes for storage type bitmap with datatype port | (none) | Specifies the port range to cover, see ipset(8). Only applicable to the hash storage type. |
    | netmask | integer | no | 32 | If specified, network addresses will be stored in the set instead of IP host addresses. Value must be between 1 and 32, see ipset(8). Only applicable to the bitmap storage type with match ip or the hash storage type with match ip. |
    | maxelem | integer | no | 65536 | Limits the number of items that can be added to the set, only applicable to the hash and list storage types. |
    | hashsize | integer | no | 1024 | Specifies the initial hash size of the set, only applicable to the hash storage type. |
    | timeout | integer | no | 0 | Specifies the default timeout for entries added to the set. A value of 0 means no timeout. |
    | entry | setentry | no | FIXME | FIXME |
    | loadfile | string | no | FIXME | FIXME |

    Storage / Match Options

    The order of datatype matches is significant

    | Family | Storage | Match | Notes |
    |---|---|---|---|
    | ipv4 | bitmap | ip | Requires iprange option |
    | ipv4 | bitmap | ip mac | Requires iprange option |
    | ipv4 | bitmap | port | Requires portrange option |
    | any | hash | ip | - |
    | any | hash | net | - |
    | any | hash | ip port | - |
    | any | hash | net port | - |
    | any | hash | ip port ip | - |
    | any | hash | ip port net | - |
    | - | list | set | Meta type to create a set-of-sets |

    IPv6

    As described above, the option family is used for distinguishing between IPv4, IPv6 and both protocols. However the family is inferred automatically if IPv6 addresses are used:

    config rule
        option  src         'wan'
        option  src_ip      'fdca:f00:ba3::/64'
        option  target      'ACCEPT'

    Similarly, such a rule is detected as IPv4 only:

    config rule
        option  src         'wan'
        option  dest_ip     '88.77.66.55'
        option  target      'REJECT'

    • Rules without IP addresses are automatically added to iptables and ip6tables, unless overridden by the family option.

    • Redirect rules (port forwards) are always IPv4 (for now) since there is no IPv6 DNAT support (yet).

    SNAT

    FIXME: need to find out how this is used in order to document it

    Options

    snats.c:23:	FW3_OPT("enabled",             bool,      snat,     enabled),
    snats.c:25:	FW3_OPT("name",                string,    snat,     name),
    snats.c:26:	FW3_OPT("family",              family,    snat,     family),
    snats.c:28:	FW3_OPT("src",                 device,    snat,     src),
    snats.c:29:	FW3_OPT("device",              string,    snat,     device),
    snats.c:31:	FW3_OPT("ipset",               setmatch,  snat,     ipset),
    snats.c:33:	FW3_LIST("proto",              protocol,  snat,     proto),
    snats.c:35:	FW3_OPT("src_ip",              network,   snat,     ip_src),
    snats.c:36:	FW3_OPT("src_port",            port,      snat,     port_src),
    snats.c:38:	FW3_OPT("snat_ip",             network,   snat,     ip_snat),
    snats.c:39:	FW3_OPT("snat_port",           port,      snat,     port_snat),
    snats.c:41:	FW3_OPT("dest_ip",             network,   snat,     ip_dest),
    snats.c:42:	FW3_OPT("dest_port",           port,      snat,     port_dest),
    snats.c:44:	FW3_OPT("extra",               string,    snat,     extra),
    snats.c:46:	FW3_OPT("limit",               limit,     snat,     limit),
    snats.c:47:	FW3_OPT("limit_burst",         int,       snat,     limit.burst),
    snats.c:49:	FW3_OPT("connlimit_ports",     bool,      snat,     connlimit_ports),
    snats.c:51:	FW3_OPT("utc_time",            bool,      snat,     time.utc),
    snats.c:52:	FW3_OPT("start_date",          date,      snat,     time.datestart),
    snats.c:53:	FW3_OPT("stop_date",           date,      snat,     time.datestop),
    snats.c:54:	FW3_OPT("start_time",          time,      snat,     time.timestart),
    snats.c:55:	FW3_OPT("stop_time",           time,      snat,     time.timestop),
    snats.c:56:	FW3_OPT("weekdays",            weekdays,  snat,     time.weekdays),
    snats.c:57:	FW3_OPT("monthdays",           monthdays, snat,     time.monthdays),
    snats.c:59:	FW3_OPT("mark",                mark,      snat,     mark),
    snats.c:61:	FW3_OPT("target",              target,    snat,     target),
  • openwrt port mapping

    Thousands of reads 2019-01-22 16:35:26
    1. The default rule of the wan zone in the OpenWrt network firewall rejects requests from the public network that have no established connection, so no amount of port mapping will help; change it to accept. 2. Second step, port mapping: click the Add button at the bottom, then click Edit, and follow...
  • openwrt: disabling a network interface port

    2021-02-19 14:22:42
    eth1 corresponds to system port 0 ... change option ports '0 1 2 3 6t' to option ports '0 1 3 6t', i.e. remove the port that corresponds to the rear-panel network socket here; the same operation applies to the other interfaces. Note: 6t is the CPU port and must not be changed casually. This disables the port at the system level..
  • Setting up LAN port mapping on openwrt

    Tens of thousands of reads 2015-09-08 17:14:11
    Today in the Raspberry Pi group someone raised this requirement: he wants to access port 5555 of the router (running openwrt) from his computer, which amounts to accessing port 22 of the Raspberry Pi. What a strange requirement, why not connect to the Raspberry Pi directly... I did not want to bother with it, but someone in the group insisted...
  • Changing the MAC address in OpenWrt

    2015-11-11 14:39:00
    Changing the MAC address in OpenWrt's LuCI interface is relatively simple. 1. Enter 192.168.1.1 in the browser to log in to the LuCI interface; the default username is root and the password is password. 2. Select Network -> Interfaces, then select the port you want to modify (in my router you can see LAN...
  • Common problems with Openwrt port mapping

    Tens of thousands of reads 2016-11-09 11:53:08
    When using an Openwrt router, sometimes I do not use it as a router for internet access but treat the router running Openwrt as a low-power embedded Linux system. The Openwrt website provides precompiled packages for a great many programs, so many that they can almost be compared with...
  • Setting up port mapping, DMZ and access control on Openwrt

    Tens of thousands of reads 2016-08-10 15:50:19
    After modifying, enter /etc/init.d/firewall restart in a terminal window to restart the firewall so the settings take effect. Port mapping: requests from the internet using the tcp protocol to port 80 of the router are mapped to port 80 of 192.168.1.10 on the LAN. Ports can be mapped to improve P2P efficiency c
  • Go to the OPENWRT packages page, update the package list, then enter ethtool and install the ethtool tool. SSH into the DB120 and use the command "ethtool -s eth0 speed 10 duplex full autoneg off" to set ETH0 (the DB120 WAN port) to 10M half-duplex mode. Network communication...
  • If you use the Enshan OpenWrt firmware (Lean) and you happen to have set up port forwarding, you may run into the following problem: when forwarding from an external port to an internal port, if the external and internal ports differ, remote access is very slow (usually seen as slow loading of JS/font files/images). Forwarding to 443...
  • Path to modify: /etc/config/firewall. Adding the following parameters will NAT the router's port 80 to external port 8080, and so on: config redirect option target 'DNAT' option src 'wan' option dest 'lan' option proto 'tcp udp' opti...
  • openwrt uhttpd: changing the default port

    Thousands of reads 2017-05-07 13:38:16
    1. Change the uhttpd port: #vi /etc/config/uhttpd list listen_http 0.0.0.0:80 --> list listen_http 0.0.0.0:8081 Save, then restart uhttpd: #/etc/init.d/uhttpd restart Reference:...
  • After modifying /etc/config/firewall, enter /etc/init.d/firewall restart in a terminal window to restart the firewall so the settings take effect. Port mapping: requests from the internet using the tcp protocol to port 80 of the router are mapped to port 80 of 192.168.1.10 on the LAN. Ports can be mapped to imp.....
  • 1. First modify the configuration file openwrt/trunk/target/linux/ramips/dts/rt5350.dtsi: the default rt5350.dtsi disables the extended serial port ttyS1, so its status needs to be set to okay, as follows:  uart@500 {  compatible = "ralink,rt5350-...
  • Indicators: port, speed, system, power. Performance specifications: CPU MIPS multi-core processor; memory 2G; hard disk: 500G; supported bandwidth: 500Mbps; recommended number of clients: 1200; manageable APs: 32 APs, 64 Wall APs; IPSec: 1000; SSL: 500. Preparation Configuration...
  • As the title says: I bought a 703n router online, flashed with openwrt, which has WiFi-to-serial; this is very convenient and allows data exchange between the network and the serial port. A router flashed with openwrt has two problems: 1. The serial port cannot transfer in both directions, that is, data can only be sent over WiFi TCP and output on the serial port...
  • Assume the previous configuration: config switch_vlan option device 'switch0' ... Configuration after modification: config switch_vlan option device 'switch0' option vlan '1' option ports '2 1 6t' In \build path\target\linux\...
  • uhttpd needs to listen on multiple ports: just copy the port configuration in the config file, then change the port and the working directory. In php.ini set doc_root to empty. By default it points to www, and however you configure it, www is still used; the new directory must also contain that file, otherwise you get No input file specified...
  • [openwrt][widora] Changing the ssh server port Background Modification Background: Due to work requirements, the widora core board was chosen for designing a product. The onboard system of that product is openwrt. Disclaimer: I am not promoting widora in any way, just recording problems encountered while using and learning it, to provide other people with...
  • Modifying the vlan configuration in the openwrt source

    Thousands of reads 2014-12-10 15:36:46
    Modifying the vlan configuration on a compiled openwrt is very simple: ssh into the router and the vlan configuration is in /etc/config/network (this exists, but I have not tried modifying it; other bloggers all say so). But the problem now is that the compiled firmware is required to...
  • OpenWrt

    2020-07-02 20:05:28
    References: F403 basic tutorial, openwrt in-depth study notes. Default serial baud rate: 57600. Development software: eclipse, located in the /home/f403tech/eclipse folder. User files and ipk packages on the development board are placed in the /usr/work/ folder. ubuntu screenshot command gnome-...
  • openwrt dial-up with wan and lan sharing a port.

    Thousands of reads 2020-01-29 14:45:58
    0: lan1 connects to the upstream router (the upstream router forwards ppp packets via ppp-relay). 1: The default VLAN solves the problem. 2: The br-lan bridge needs to be removed, because eth0.1 needs to be freed up... 5: Pick any wan interface and change its physical interface to vth0, and that's it.
  • OpenWRT

    Thousands of reads 2013-02-23 02:18:58
    OpenWRT  Featured, Phase-Deploy, router configuration Updated Jan 31, 2013 by wwqgtxx ...TP-Link TL-MR3420 v1...Hardware and software environment: the router in this example is an older TP-Link TL-MR3420 v1, 16M Flash, 64M RAM, firmware flashed with OpenWrt-dre
  • Dividing vlans to isolate ports on an openwrt system

    Tens of thousands of reads 2018-01-03 16:09:27
    iptables -I FORWARD -d 192.168.3.126 -i eth1.2 -j DROP, i.e. isolating an IP per port: check port2 and do not allow the IP 192.168.3.126 in. With the three configurations above the requirement is met. Principles used: vlan won't...
  • 1. OpenWrt-LuCI router port mapping (RDP) Problem introduction Background environment: Computer A IP address: 10.10.21.1; Router IP address: 10.10.21.187; Computer B (address assigned automatically by the router) IP address: 192.168.1.189. Goal: from computer A, use remote...
  • Hardware: MT7688, USART1 serial port ...Software: openWRT Ver 15, Linux 3.18.29. Serial port configuration and its boot service 1. List the serial devices #ls -l /dev/tty* Example output crw-r--r-- 1 root root 5, 0 Jan 1 1970 /dev/tty crw-r--r-- ...