User manual

20: Configuring firewall
20.9 Note on connection tracking
By default, the firewall will disable connection tracking for a zone if no
masquerading is enabled. This is achieved by generating NOTRACK firewall rules
matching all traffic passing via interfaces referenced by the firewall zone. The
purpose of NOTRACK is to speed up routing and save memory by circumventing
resource intensive connection tracking in cases where it is not needed. You can
check whether connection tracking is disabled by issuing iptables -t raw -vnL; this
lists all rules in the raw table, so look for rules with the NOTRACK target.
NOTRACK will render certain iptables extensions unusable, for example the
MASQUERADE target or the state match will not work.
If connection tracking is required, for example by custom rules in
/etc/firewall.user, the conntrack option must be enabled in the corresponding
zone to disable NOTRACK. It should appear as option 'conntrack' '1' in the right
zone in /etc/config/firewall.
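The following shell script is an added example and is not part of the Virtual Access manual or its firewall package. It shows the two checks the note above describes: which interfaces carry a NOTRACK rule in the raw table, and whether a zone in /etc/config/firewall will keep connection tracking (masq '1' or conntrack '1'). Both the iptables listing and the firewall config are constructed sample data; the function names and the column positions assumed for iptables -t raw -vnL output are the example's own, and the chain layout of a real listing may differ from the sample.

```shell
#!/bin/sh
# Added example (not from the manual): audit NOTRACK state on a router.
#
# CONSTRUCTED sample of "iptables -t raw -vnL" output. On a real device run
# the command itself and pipe it into notrack_ifaces instead.
RAW_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1024 NOTRACK    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 NOTRACK    all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NOTRACK    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# CONSTRUCTED sample of /etc/config/firewall with three zones:
#   lan   - conntrack explicitly enabled
#   wan   - masquerading enabled (conntrack needed for NAT, so kept)
#   guest - neither set, so the firewall will emit NOTRACK rules for it
FIREWALL_CONFIG="config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option conntrack '1'

config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'

config zone
    option name 'guest'
    option network 'guest'
    option input 'REJECT'
    option forward 'REJECT'
    option output 'ACCEPT'
"

# Read an "iptables -t raw -vnL" listing on stdin and print, one per line and
# deduplicated, every interface named in a rule whose target is NOTRACK.
# Columns in -vnL output: pkts bytes target prot opt in out source destination
notrack_ifaces() {
    awk '$3 == "NOTRACK" { if ($6 != "*") print $6; else if ($7 != "*") print $7 }' | sort -u
}

# Print "yes" if the named zone keeps connection tracking (masq '1' or
# conntrack '1'), otherwise "no". Unknown zones also yield "no".
zone_keeps_conntrack() {
    printf '%s\n' "$FIREWALL_CONFIG" | awk -v want="$1" '
        function flush() {
            if (name == want) { found = 1; keep = (masq == "1" || ct == "1") }
        }
        $1 == "config" && $2 == "zone" { flush(); name = ""; masq = ""; ct = ""; inzone = 1; next }
        $1 == "config"                 { flush(); inzone = 0; next }
        inzone && $1 == "option" {
            v = $3; gsub(/["'\'']/, "", v)      # strip UCI quoting
            if ($2 == "name")           name = v
            else if ($2 == "masq")      masq = v
            else if ($2 == "conntrack") ct = v
        }
        END { flush(); r = (found && keep) ? "yes" : "no"; print r }'
}

# Demonstration on the constructed data.
printf 'Interfaces with NOTRACK rules: %s\n' \
    "$(printf '%s\n' "$RAW_LISTING" | notrack_ifaces | tr '\n' ' ')"
for z in lan wan guest; do
    printf 'zone %-5s keeps conntrack: %s\n' "$z" "$(zone_keeps_conntrack "$z")"
done
```

If a zone shows "no" here but custom rules in /etc/firewall.user rely on the state match or MASQUERADE for that zone's interfaces, those rules will silently fail to match until option 'conntrack' '1' is added to the zone.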
20.10 Firewall examples
20.10.1 Opening ports
The default configuration accepts all LAN traffic, but blocks all incoming WAN
traffic on ports not currently used for connections or NAT. To open a port for a
service, add a rule section:
config rule
option src wan
option dest_port 22
option target ACCEPT
option proto tcp
This example enables machines on the Internet to use SSH to access your
router.
20.10.2 Forwarding ports (destination NAT/DNAT)
This example forwards http, but not HTTPS, traffic to the web server running on
192.168.1.10:
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 135 of 255