Recent Posts

News / Re: update 9-14-2025
« Last post by razwall on September 14, 2025, 05:27:41 PM »
I just wrapped up the DNAT interface. You can Add, Delete, Edit, Sort, enable/disable all DNAT rules!
Dev Stuff / Re: Config JSON structure testing 3.1
« Last post by razwall on September 14, 2025, 01:42:00 PM »
{
  "access" : [
      {
        "dst_dev" : [
            "fw"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "log" : false,
        "order" : 10,
        "protocol" : [
            "all"
        ],
        "remark" : "Allow all traffic from LAN bridge",
        "src_dev" : [
            "br0"
        ]
      },
      {
        "dst_dev" : [
            "fw"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "icmp_type" : [
            "echo-request"
        ],
        "log" : false,
        "order" : 20,
        "protocol" : [
            "icmp"
        ],
        "remark" : "Allow ping from WAN",
        "src_dev" : [
            "eth1"
        ]
      },
      {
        "dst_dev" : [
            "fw"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "icmp_type" : [
            "echo-request"
        ],
        "log" : false,
        "order" : 30,
        "protocol" : [
            "icmp"
        ],
        "remark" : "Allow ping from LAN",
        "src_dev" : [
            "br0"
        ]
      },
      {
        "dst_dev" : [
            "fw"
        ],
        "dst_port" : [
            "10443"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "log" : false,
        "order" : 40,
        "protocol" : [
            "tcp"
        ],
        "remark" : "Allow HTTPS WAN",
        "src_dev" : [
            "eth1"
        ]
      },
      {
        "dst_dev" : [
            "fw"
        ],
        "dst_port" : [
            "10443"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "log" : false,
        "order" : 50,
        "protocol" : [
            "tcp"
        ],
        "remark" : "Allow HTTPS LAN",
        "src_dev" : [
            "br0"
        ]
      },
      {
        "dst_dev" : [
            "fw"
        ],
        "dst_port" : [
            "22"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "log" : false,
        "order" : 60,
        "protocol" : [
            "tcp"
        ],
        "remark" : "Allow SSH LAN",
        "src_dev" : [
            "br0"
        ]
      },
      {
        "dst_dev" : [
            "fw"
        ],
        "dst_port" : [
            "22"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "log" : false,
        "order" : 70,
        "protocol" : [
            "tcp"
        ],
        "remark" : "Allow SSH WAN",
        "src_dev" : [
            "eth1"
        ]
      }
  ],
  "bridges" : {
      "br0" : {
        "interfaces" : [
            "eth0"
        ],
        "parent" : "eth0"
      },
      "br1" : {
        "interfaces" : [
            "eth0.100"
        ],
        "parent" : "eth0"
      },
      "br2" : {
        "interfaces" : [
            "eth0.200"
        ],
        "parent" : "eth0"
      },
      "br3" : {
        "interfaces" : [
            "eth0.300"
        ],
        "parent" : "eth0"
      },
      "br4" : {
        "interfaces" : [
            "eth0.400"
        ],
        "parent" : "eth0"
      },
      "br5" : {
        "interfaces" : [
            "eth0.500"
        ],
        "parent" : "eth0"
      },
      "br6" : {
        "interfaces" : [
            "eth0.10"
        ],
        "parent" : "eth0"
      },
      "br7" : {
        "interfaces" : [
            "eth0.55"
        ],
        "parent" : "eth0"
      }
  },
  "dhcp" : [],
  "dnat" : [
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "any"
        ],
        "dst_port" : [
            "80"
        ],
        "enabled" : false,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "order" : "1",
        "protocol" : [
            "tcp"
        ],
        "remark" : "Test HTTP Webserver",
        "src_dev" : [
            "eth1"
        ],
        "src_ip" : [
            "any"
        ],
        "target_ip" : [
            "192.168.10.100"
        ],
        "target_port" : [
            "80"
        ]
      },
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "any"
        ],
        "dst_port" : [
            "443"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "order" : "2",
        "protocol" : [
            "tcp"
        ],
        "remark" : "Test HTTPS Webserver",
        "src_dev" : [
            "eth1"
        ],
        "src_ip" : [
            "any"
        ],
        "target_ip" : [
            "192.168.10.100"
        ],
        "target_port" : [
            "443"
        ]
      },
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "any"
        ],
        "dst_port" : [
            "22"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "order" : "3",
        "protocol" : [
            "tcp"
        ],
        "remark" : "Test SSH Server",
        "src_dev" : [
            "eth1"
        ],
        "src_ip" : [
            "any"
        ],
        "target_ip" : [
            "192.168.10.101"
        ],
        "target_port" : [
            "22"
        ]
      },
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "any"
        ],
        "dst_port" : [
            "25"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "order" : "4",
        "protocol" : [
            "tcp"
        ],
        "remark" : "Test Mail Server (SMTP)",
        "src_dev" : [
            "eth1"
        ],
        "src_ip" : [
            "any"
        ],
        "target_ip" : [
            "192.168.10.102"
        ],
        "target_port" : [
            "25"
        ]
      },
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "any"
        ],
        "dst_port" : [
            "143"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "order" : "5",
        "protocol" : [
            "tcp"
        ],
        "remark" : "Test Mail Server (IMAP)",
        "src_dev" : [
            "eth1"
        ],
        "src_ip" : [
            "any"
        ],
        "target_ip" : [
            "192.168.10.102"
        ],
        "target_port" : [
            "143"
        ]
      },
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "any"
        ],
        "dst_port" : [
            "993"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "order" : "6",
        "protocol" : [
            "tcp"
        ],
        "remark" : "Test Mail Server (IMAPS)",
        "src_dev" : [
            "eth1"
        ],
        "src_ip" : [
            "any"
        ],
        "target_ip" : [
            "192.168.10.102"
        ],
        "target_port" : [
            "993"
        ]
      }
  ],
  "hosts" : [],
  "interfaces" : {
      "physical" : [
        "eth0",
        "eth1",
        "lo"
      ]
  },
  "out" : [
      {
        "dst_dev" : [
            "eth1"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "log" : false,
        "order" : 100,
        "protocol" : [
            "all"
        ],
        "remark" : "Allow LAN forward to WAN",
        "src_dev" : [
            "br0"
        ]
      }
  ],
  "routing" : [],
  "snat" : [
      {
        "dst_dev" : [
            "eth1"
        ],
        "enabled" : true,
        "nat_target" : "MASQUERADE",
        "order" : 200,
        "remark" : "MASQUERADE LAN to WAN",
        "src_dev" : [
            "br0"
        ]
      }
  ],
  "system" : {
      "brand" : "RazWall",
      "company" : "Supervene LLC",
      "docs_url" : "https://razwall.com/forum",
      "product" : "RazWall Firewall",
      "site_url" : "https://razwall.com",
      "version" : "1.3.0"
  },
  "users" : {
      "Admin" : "admin:$apr1$qci0smug$50y/xw0j8s7vsUmW421Zi."
  },
  "vpnfw" : [],
  "vpns" : [],
  "vusers" : [],
  "zfw" : [],
  "zones" : {
      "CCReader" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "192.168.21.1",
        "ZCOLOR" : "#400080",
        "ZDESC" : "Credit card LAN",
        "ZDHCP" : "off",
        "ZIFACE" : "eth0.300",
        "ZNETMASK" : "/24",
        "ZSTRING" : "CCReader",
        "ZTYPE" : "LAN"
      },
      "DMZ" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "192.168.0.1",
        "ZCOLOR" : "#ff8000",
        "ZDESC" : "Server only LAN",
        "ZDHCP" : "off",
        "ZIFACE" : "eth0.100",
        "ZNETMASK" : "/24",
        "ZSTRING" : "DMZ",
        "ZTYPE" : "LAN"
      },
      "ExtWiFi" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "192.168.15.1",
        "ZCOLOR" : "#ff0080",
        "ZDESC" : "External Wireless",
        "ZDHCP" : "off",
        "ZIFACE" : "eth0.500",
        "ZNETMASK" : "/24",
        "ZSTRING" : "ExtWiFi",
        "ZTYPE" : "LAN"
      },
      "GAMING" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "192.168.22.1",
        "ZCOLOR" : "#c0c0c0",
        "ZDESC" : "Game network",
        "ZDHCP" : "off",
        "ZIFACE" : "eth0.400",
        "ZNETMASK" : "/24",
        "ZSTRING" : "GAMING",
        "ZTYPE" : "LAN"
      },
      "LAN" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "192.168.168.1",
        "ZCOLOR" : "#00ff00",
        "ZDESC" : "Primary Network",
        "ZDHCP" : "off",
        "ZIFACE" : "br0",
        "ZNETMASK" : "/24",
        "ZSTRING" : "LAN",
        "ZTYPE" : "LAN"
      },
      "LOCAL" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "",
        "ZCOLOR" : "black",
        "ZDESC" : "Local Loopback Adapter",
        "ZDHCP" : "off",
        "ZIFACE" : "lo",
        "ZNETMASK" : "",
        "ZSTRING" : "loopback",
        "ZTYPE" : "LOOPBACK"
      },
      "MSTARD" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "10.0.1.1",
        "ZCOLOR" : "#808000",
        "ZDESC" : "test lan",
        "ZDHCP" : "off",
        "ZIFACE" : "eth0.10",
        "ZNETMASK" : "/22",
        "ZSTRING" : "MSTARD",
        "ZTYPE" : "LAN"
      },
      "WAN" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "",
        "ZCOLOR" : "red",
        "ZDESC" : "Primary Internet Connection",
        "ZDHCP" : "on",
        "ZIFACE" : "eth1",
        "ZNETMASK" : "",
        "ZSTRING" : "WAN",
        "ZTYPE" : "WAN"
      },
      "WAN-FO" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "10.15.45.200",
        "ZCOLOR" : "#ff80c0",
        "ZDESC" : "Failover WAN",
        "ZDHCP" : "off",
        "ZIFACE" : "eth0.55",
        "ZNETMASK" : "/24",
        "ZSTRING" : "WAN-FO",
        "ZTYPE" : "WAN"
      },
      "WiFi" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "192.168.16.1",
        "ZCOLOR" : "#0080ff",
        "ZDESC" : "Wireless zone",
        "ZDHCP" : "off",
        "ZIFACE" : "eth0.200",
        "ZNETMASK" : "/24",
        "ZSTRING" : "WiFi",
        "ZTYPE" : "LAN"
      }
  }
}
News / update 9-14-2025
« Last post by razwall on September 14, 2025, 01:37:03 PM »
Still slaving away at this...

Almost done with the UI parts of the DNAT management. I hope that once this part is wrapped up it will be mostly cookie-cutter across the other rule editor pages (zonefw, vpnfw, access, outbound, snat) with minor changes to each to accommodate the differences. I must have been crazy to take on this project; it is a LOT of work.

Here are a couple of pics to keep you on the edge of your seat...
News / update 9-2-2025
« Last post by razwall on September 02, 2025, 09:01:53 PM »
Well hello everyone, I'm sorry it's been a while! Great news, I have hit a major milestone tonight. The current dev build has a bunch of working features:

Console UI login is tied to web UI login
Console UI displays LAN/WAN status with automatic updates
WebUI can create vlans
WebUI can create zones from physical or vlan interfaces
All configs are stored in razwall-master.json
All modifications are stored in razwall-queue.json prior to applying
Applying pending changes successfully tears down and rebuilds the network interfaces, bridges, vlans, statics, DHCP
Firewall rules are also built automatically from JSON
All network startup is controlled by RazWall using razwall-master.json
Websocket services are no longer dependent on port 4000; instead they are proxied, so the port can change and access depends on auth

What's left:

Display, add, remove, delete, sort rules using the new JSON format data
Build out DHCP server(s)
Network setup fix for console

Once these are done, I will release the ISO and this will be a working version!

Other features I want in the final release:

OpenVPN (P2P, Client)
VPN user management
Internal DNS filtering
Firewall log viewer (logging is already built into the rule building programs)
WolfSSL for FIPS compliant deployments

Future additions:
IPV6 options for each interface and firewall zone
Add Snort back into the mix

Revise forum registration and open back up for new members to join the project. We might move this project to GitHub for support and development. The code is already there, so we might as well leverage its security to stop all the bots.

Dev Stuff / Re: Config JSON structure testing
« Last post by razwall on August 29, 2025, 02:50:39 PM »
{
  "access" : [
      {
        "enabled" : true,
        "protocol" : [ "tcp" ],
        "src_dev" : [ "br0" ],
        "dst_dev" : [ "fw" ],
        "dst_port" : [ "22" ],
        "remark" : "Allow SSH from LAN",
        "filter_target" : "ACCEPT",
        "log" : false
      },
      {
        "enabled" : true,
        "protocol" : [ "tcp" ],
        "src_dev" : [ "br0" ],
        "dst_dev" : [ "fw" ],
        "dst_port" : [ "443" ],
        "remark" : "Allow HTTPS from LAN",
        "filter_target" : "ACCEPT",
        "log" : false
      },
      {
        "enabled" : true,
        "protocol" : [ "tcp" ],
        "src_dev" : [ "br0" ],
        "dst_dev" : [ "fw" ],
        "dst_port" : [ "80" ],
        "remark" : "Allow HTTP from LAN",
        "filter_target" : "ACCEPT",
        "log" : false
      },
      {
        "enabled" : true,
        "protocol" : [ "udp" ],
        "src_dev" : [ "br0" ],
        "dst_dev" : [ "fw" ],
        "dst_port" : [ "67","68" ],
        "remark" : "Allow DHCP on LAN",
        "filter_target" : "ACCEPT",
        "log" : false
      },
      {
        "enabled" : true,
        "protocol" : [ "udp","tcp" ],
        "src_dev" : [ "br0" ],
        "dst_dev" : [ "fw" ],
        "dst_port" : [ "53" ],
        "remark" : "Allow DNS on LAN",
        "filter_target" : "ACCEPT",
        "log" : false
      },
      {
        "enabled" : true,
        "protocol" : [ "udp" ],
        "src_dev" : [ "eth1" ],
        "dst_dev" : [ "fw" ],
        "dst_port" : [ "1194" ],
        "remark" : "Allow OpenVPN on WAN",
        "filter_target" : "ACCEPT",
        "log" : false
      }
  ],
  "bridges" : {
      "br0" : { "interfaces" : [ "eth0" ] }
  },
  "dhcp" : [],
  "dnat" : [
      {
        "enabled" : true,
        "protocol" : [ "tcp" ],
        "src_dev" : [ "eth1" ],
        "dst_ip" : [ "X.X.X.X" ],
        "dst_port" : [ "80" ],
        "target_ip" : [ "192.168.19.87" ],
        "target_port" : [ "80" ],
        "remark" : "WAN HTTP to internal webserver",
        "filter_target" : "ACCEPT",
        "nat_target" : "DNAT",
        "log" : false
      },
      {
        "enabled" : true,
        "protocol" : [ "tcp" ],
        "src_dev" : [ "eth1" ],
        "dst_ip" : [ "X.X.X.X" ],
        "dst_port" : [ "443" ],
        "target_ip" : [ "192.168.19.87" ],
        "target_port" : [ "443" ],
        "remark" : "WAN HTTPS to internal webserver",
        "filter_target" : "ACCEPT",
        "nat_target" : "DNAT",
        "log" : false
      }
  ],
  "hosts" : [],
  "interfaces" : {
      "physical" : [ "eth0","eth1","lo" ],
      "virtual" : []
  },
  "out" : [
      {
        "enabled" : true,
        "protocol" : [ "tcp" ],
        "src_dev" : [ "br0" ],
        "dst_dev" : [ "eth1" ],
        "dst_port" : [ "80","443" ],
        "remark" : "Allow LAN outbound web",
        "filter_target" : "ACCEPT",
        "log" : false
      },
      {
        "enabled" : true,
        "protocol" : [ "all" ],
        "src_dev" : [ "br0" ],
        "dst_dev" : [ "eth1" ],
        "remark" : "Block all other outbound from LAN",
        "filter_target" : "DROP",
        "log" : false
      }
  ],
  "routing" : [
      {
        "type" : "default",
        "via" : "<GW1 IP>",
        "dev" : "eth1",
        "remark" : "Default WAN route"
      }
  ],
  "snat" : [
      {
        "enabled" : true,
        "src_dev" : [ "br0" ],
        "dst_dev" : [ "eth1" ],
        "nat_target" : "SNAT",
        "remark" : "MASQUERADE LAN1 to WAN1"
      },
      {
        "enabled" : true,
        "src_dev" : [ "br0" ],
        "dst_dev" : [ "eth2" ],
        "nat_target" : "SNAT",
        "remark" : "MASQUERADE LAN1 to WAN2"
      }
  ],
  "users" : {
      "Admin" : "admin:$apr1$qci0smug$50y/xw0j8s7vsUmW421Zi."
  },
  "vpnfw" : [
      {
        "enabled" : true,
        "protocol" : [ "tcp" ],
        "src_dev" : [ "tun0" ],
        "dst_dev" : [ "br0" ],
        "dst_port" : [ "3389" ],
        "remark" : "VPN to LAN1 RDP",
        "filter_target" : "ACCEPT",
        "log" : false
      },
      {
        "enabled" : true,
        "protocol" : [ "tcp" ],
        "src_dev" : [ "tun0" ],
        "dst_dev" : [ "br1" ],
        "dst_port" : [ "445" ],
        "remark" : "VPN to LAN2 SMB",
        "filter_target" : "ACCEPT",
        "log" : false
      },
      {
        "enabled" : true,
        "protocol" : [ "all" ],
        "src_dev" : [ "tun0" ],
        "dst_dev" : [ "br0" ],
        "remark" : "Block VPN to LAN1",
        "filter_target" : "DROP",
        "log" : false
      },
      {
        "enabled" : true,
        "protocol" : [ "all" ],
        "src_dev" : [ "tun0" ],
        "dst_dev" : [ "br1" ],
        "remark" : "Block VPN to LAN2",
        "filter_target" : "DROP",
        "log" : false
      }
  ],
  "vpns" : [],
  "vusers" : [],
  "zfw" : [
      {
        "enabled" : true,
        "protocol" : [ "tcp" ],
        "src_dev" : [ "br0" ],
        "dst_dev" : [ "br1" ],
        "dst_port" : [ "3389" ],
        "remark" : "LAN1 to LAN2 RDP",
        "filter_target" : "ACCEPT",
        "log" : false
      }
  ],
  "zones" : {
      "LAN" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "192.168.55.1",
        "ZCOLOR" : "#00ff00",
        "ZDESC" : "Primary Network",
        "ZDHCP" : "off",
        "ZIFACE" : "eth0",
        "ZNETMASK" : "/24",
        "ZSTRING" : "LAN",
        "ZTYPE" : "LAN"
      },
      "LOCAL" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "",
        "ZCOLOR" : "black",
        "ZDESC" : "Local Loopback Adapter",
        "ZDHCP" : "off",
        "ZIFACE" : "lo",
        "ZNETMASK" : "",
        "ZSTRING" : "loopback",
        "ZTYPE" : "LOOPBACK"
      },
      "WAN" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "",
        "ZCOLOR" : "red",
        "ZDESC" : "Primary Internet Connection",
        "ZDHCP" : "on",
        "ZIFACE" : "eth1",
        "ZNETMASK" : "",
        "ZSTRING" : "WAN",
        "ZTYPE" : "WAN"
      }
  }
}
Dev Stuff / Re: Config JSON structure testing
« Last post by razwall on August 29, 2025, 02:43:00 PM »
updated sample...

{
  "access" : [],
  "bridges" : {
      "br0" : {
        "interfaces" : [
            "eth0"
        ]
      }
  },
  "dhcp" : [],
  "dnat" : [
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "X.X.X.X"
        ],
        "dst_port" : [
            "80"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "protocol" : [
            "tcp"
        ],
        "remark" : "HTTP Example",
        "src_dev" : [],
        "src_ip" : [
            "any"
        ],
        "target_ip" : [
            "192.168.19.87"
        ],
        "target_port" : [
            "80"
        ]
      },
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "X.X.X.X"
        ],
        "dst_port" : [
            "22"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "protocol" : [
            "tcp"
        ],
        "remark" : "SSH Example",
        "src_dev" : [],
        "src_ip" : [
            "X.X.X.X"
        ],
        "target_ip" : [
            "192.168.19.87"
        ],
        "target_port" : [
            "22"
        ]
      },
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "X.X.X.X"
        ],
        "dst_port" : [
            "53"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "protocol" : [
            "tcp",
            "udp"
        ],
        "remark" : "DNS Example",
        "src_dev" : [],
        "src_ip" : [
            "any"
        ],
        "target_ip" : [
            "192.168.19.87"
        ],
        "target_port" : [
            "53"
        ]
      }
  ],
  "hosts" : [],
  "interfaces" : {
      "physical" : [
        "eth0",
        "eth1",
        "lo"
      ],
      "virtual" : []
  },
  "out" : [],
  "routing" : [],
  "snat" : [],
  "users" : {
      "Admin" : "admin:$apr1$qci0smug$50y/xw0j8s7vsUmW421Zi."
  },
  "vpnfw" : [],
  "vpns" : [],
  "vusers" : [],
  "zfw" : [],
  "zones" : {
      "LAN" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "192.168.55.1",
        "ZCOLOR" : "#00ff00",
        "ZDESC" : "Primary Network",
        "ZDHCP" : "off",
        "ZIFACE" : "eth0",
        "ZNETMASK" : "/24",
        "ZSTRING" : "LAN",
        "ZTYPE" : "LAN"
      },
      "LOCAL" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "",
        "ZCOLOR" : "black",
        "ZDESC" : "Local Loopback Adapter",
        "ZDHCP" : "off",
        "ZIFACE" : "lo",
        "ZNETMASK" : "",
        "ZSTRING" : "loopback",
        "ZTYPE" : "LOOPBACK"
      },
      "WAN" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "",
        "ZCOLOR" : "red",
        "ZDESC" : "Primary Internet Connection",
        "ZDHCP" : "on",
        "ZIFACE" : "eth1",
        "ZNETMASK" : "",
        "ZSTRING" : "WAN",
        "ZTYPE" : "WAN"
      }
  }
}
Dev Stuff / Rules, Order, Samples, Routes - test configs
« Last post by razwall on August 29, 2025, 02:40:32 PM »
# =========================
# 1 Flush existing tables
# =========================
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# =========================
# 2 Enable IP forwarding
# =========================
echo 1 > /proc/sys/net/ipv4/ip_forward

# =========================
# 3 Default Policies
# =========================
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# =========================
# 4 Allow loopback interface
# =========================
iptables -A INPUT -i lo -j ACCEPT
#iptables -A INPUT -i lo -j LOG --log-prefix "ALLOW LOOPBACK IN " --log-level 4
iptables -A OUTPUT -o lo -j ACCEPT
#iptables -A OUTPUT -o lo -j LOG --log-prefix "ALLOW LOOPBACK OUT " --log-level 4

# =========================
# 5 Allow established/related
# =========================
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "ALLOW EST/REL IN " --log-level 4
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "ALLOW EST/REL FWD " --log-level 4

# =========================
# 6 Allow LAN traffic
# =========================
iptables -A INPUT -i br0 -j ACCEPT
#iptables -A INPUT -i br0 -j LOG --log-prefix "ALLOW LAN1 INPUT " --log-level 4
iptables -A FORWARD -i br0 -o eth1 -j ACCEPT
#iptables -A FORWARD -i br0 -o eth1 -j LOG --log-prefix "ALLOW LAN1->WAN1 " --log-level 4

    # 6.5 - OPTIONAL: Allow LAN -> Additional WANs
    iptables -A FORWARD -i br0 -o eth2 -j ACCEPT
    #iptables -A FORWARD -i br0 -o eth2 -j LOG --log-prefix "ALLOW LAN1->WAN2 " --log-level 4

# =========================
# 7 SYSTEM ACCESS RULES
# =========================
# (Firewall-hosted services: SSH/HTTP/HTTPS/DHCP/DNS/OpenVPN)
# By default: only Primary LAN (br0) has access.

    # Management Access
    iptables -A INPUT -i br0 -p tcp --dport 22 -j ACCEPT
    #iptables -A INPUT -i br0 -p tcp --dport 22 -j LOG --log-prefix "ALLOW SSH br0 " --log-level 4

    iptables -A INPUT -i br0 -p tcp --dport 443 -j ACCEPT
    #iptables -A INPUT -i br0 -p tcp --dport 443 -j LOG --log-prefix "ALLOW HTTPS br0 " --log-level 4

    iptables -A INPUT -i br0 -p tcp --dport 80 -j ACCEPT
    #iptables -A INPUT -i br0 -p tcp --dport 80 -j LOG --log-prefix "ALLOW HTTP br0 " --log-level 4

    # Infrastructure Services
    iptables -A INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
    #iptables -A INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j LOG --log-prefix "ALLOW DHCP br0 " --log-level 4
    iptables -A INPUT -i br1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT  # OPTIONAL
    #iptables -A INPUT -i br1 -p udp --dport 67:68 --sport 67:68 -j LOG --log-prefix "ALLOW DHCP br1 " --log-level 4

    iptables -A INPUT -i br0 -p udp --dport 53 -j ACCEPT
    #iptables -A INPUT -i br0 -p udp --dport 53 -j LOG --log-prefix "ALLOW DNS-UDP br0 " --log-level 4
    iptables -A INPUT -i br0 -p tcp --dport 53 -j ACCEPT
    #iptables -A INPUT -i br0 -p tcp --dport 53 -j LOG --log-prefix "ALLOW DNS-TCP br0 " --log-level 4

    # VPN Access
    iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
    #iptables -A INPUT -i eth1 -p udp --dport 1194 -j LOG --log-prefix "ALLOW OpenVPN WAN " --log-level 4

# =========================
# 8 DNAT RULES (Port Forwards)
# =========================
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.19.87:80
iptables -A FORWARD -p tcp -d 192.168.19.87 --dport 80 -j ACCEPT
#iptables -A FORWARD -p tcp -d 192.168.19.87 --dport 80 -j LOG --log-prefix "DNAT HTTP->WebSrv " --log-level 4

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to-destination 192.168.19.87:443
iptables -A FORWARD -p tcp -d 192.168.19.87 --dport 443 -j ACCEPT
#iptables -A FORWARD -p tcp -d 192.168.19.87 --dport 443 -j LOG --log-prefix "DNAT HTTPS->WebSrv " --log-level 4

# =========================
# 9 ZONE FIREWALL (LAN ↔ LAN)
# =========================
iptables -A FORWARD -i br0 -o br1 -p tcp --dport 3389 -j ACCEPT
#iptables -A FORWARD -i br0 -o br1 -p tcp --dport 3389 -j LOG --log-prefix "ALLOW RDP br0->br1 " --log-level 4

iptables -A FORWARD -i br0 -o br1 -p tcp -d 192.168.20.50 --dport 3389 -j ACCEPT
#iptables -A FORWARD -i br0 -o br1 -p tcp -d 192.168.20.50 --dport 3389 -j LOG --log-prefix "ALLOW RDP br0->host " --log-level 4

iptables -A FORWARD -i br0 -s 192.168.10.100 -o br1 -p tcp -d 192.168.20.50 --dport 3389 -j ACCEPT
#iptables -A FORWARD -i br0 -s 192.168.10.100 -o br1 -p tcp -d 192.168.20.50 --dport 3389 -j LOG --log-prefix "ALLOW RDP host->host " --log-level 4

# =========================
# 10 VPN FIREWALL (TUN/TAP)
# =========================
iptables -A FORWARD -i tun0 -o br0 -p tcp --dport 3389 -j ACCEPT
#iptables -A FORWARD -i tun0 -o br0 -p tcp --dport 3389 -j LOG --log-prefix "ALLOW VPN->LAN1 RDP " --log-level 4

iptables -A FORWARD -i tun0 -o br1 -p tcp --dport 445 -j ACCEPT
#iptables -A FORWARD -i tun0 -o br1 -p tcp --dport 445 -j LOG --log-prefix "ALLOW VPN->LAN2 SMB " --log-level 4

iptables -A FORWARD -i tun0 -s 10.8.0.25 -o br0 -p tcp -d 192.168.10.50 --dport 3389 -j ACCEPT
#iptables -A FORWARD -i tun0 -s 10.8.0.25 -o br0 -p tcp -d 192.168.10.50 --dport 3389 -j LOG --log-prefix "ALLOW VPNclient->LANhost RDP " --log-level 4

iptables -A FORWARD -i tun0 -o br0 -j DROP
#iptables -A FORWARD -i tun0 -o br0 -j LOG --log-prefix "DROP VPN->LAN1 " --log-level 4

iptables -A FORWARD -i tun0 -o br1 -j DROP
#iptables -A FORWARD -i tun0 -o br1 -j LOG --log-prefix "DROP VPN->LAN2 " --log-level 4

# =========================
# 11 OUTBOUND FIREWALL (Optional)
# =========================
iptables -A FORWARD -i br0 -o eth1 -p tcp -m multiport --dports 80,443 -j ACCEPT
#iptables -A FORWARD -i br0 -o eth1 -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "ALLOW LAN1->WAN1 WEB " --log-level 4

iptables -A FORWARD -i br0 -o eth1 -j DROP
#iptables -A FORWARD -i br0 -o eth1 -j LOG --log-prefix "DROP LAN1->WAN1 " --log-level 4

# =========================
# 12 SNAT RULES (Outbound NAT)
# =========================
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth1 -j LOG --log-prefix "SNAT LAN1->WAN1 " --log-level 4

iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth2 -j LOG --log-prefix "SNAT LAN1->WAN2 " --log-level 4

# =========================
# 13 Hygiene: Drop invalid packets
# =========================
iptables -A INPUT -m state --state INVALID -j DROP
#iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID IN " --log-level 4

iptables -A FORWARD -m state --state INVALID -j DROP
#iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID FWD " --log-level 4

# =========================
# 14 Catch-All Logging (Optional)
# =========================
# Appended last, these log whatever reached the end of INPUT/FORWARD without being
# accepted, i.e. what the chain policy (set elsewhere in the script) then decides on.
# LOG does not terminate, so they change nothing about what is dropped; they only
# make the drops visible. Keep them after every other rule so accepted traffic is
# not logged.
# NOTE(review): unthrottled catch-all logging lets a port scan or SYN flood fill
# syslog/disk - rate-limit it, e.g. put
#   -m limit --limit 5/min --limit-burst 10
# in front of -j LOG on both rules.
#iptables -A INPUT -j LOG --log-prefix "DROP INPUT CATCH-ALL " --log-level 4
#iptables -A FORWARD -j LOG --log-prefix "DROP FORWARD CATCH-ALL " --log-level 4

# =========================
# 15 Routing (Default/Failover/Load-Balance)
# =========================
# Three mutually exclusive ways to set the default route - use exactly ONE.
# NOTE(review): as listed, all three run in sequence. `ip route replace` only
# overrides an existing route with the same prefix AND metric, so the multipath
# route replaces the single-WAN default (both metric 0) and the metric-100/200
# entries are then added beside it; the multipath route, having the lowest
# metric, is the one the kernel keeps using.
# <GW1 IP>/<GW2 IP> are placeholders: substitute real addresses and drop the
# angle brackets, which the shell would otherwise parse as redirections.
# Single WAN default
ip route replace default via <GW1 IP> dev eth1

# OR load balance across 2 WANs
# New flows are spread ~2:1 over the two nexthops, hashed per flow according to
# net.ipv4.fib_multipath_hash_policy. Per-flow hashing is what the per-WAN
# MASQUERADE rules in section 12 need: a connection whose packets alternated
# between WANs would be NATed to two different source addresses and break.
ip route replace default nexthop via <GW1 IP> dev eth1 weight 2 \
                          nexthop via <GW2 IP> dev eth2 weight 1

# OR failover setup
# NOTE(review): the kernel only withdraws the metric-100 route when eth1 itself
# loses link/address; an upstream outage with the link still up is not detected -
# an external health check (probe through each WAN, swap the metrics) is needed.
# When the active WAN changes, existing conntrack/NAT entries still carry the old
# WAN address; those flows stay broken until they time out or conntrack is flushed.
ip route replace default via <GW1 IP> dev eth1 metric 100
ip route replace default via <GW2 IP> dev eth2 metric 200

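# =========================
# 16 Custom Routes (Per-IP / Multi-WAN)
# =========================
# Host-specific SNAT rules are INSERTED at the top of nat POSTROUTING (-I ... 1):
# the generic MASQUERADE rules from section 12 are terminating, so a rule appended
# after them (-A, as before) was never reached and the dedicated WAN IP was never used.
# Every --to-source address must actually be configured on the outgoing interface
# (or otherwise be answered by this host), or replies to the translated flows are
# never delivered back here.
# <GW1 IP>/<GW2 IP>/<WAN_IP_n> are placeholders: substitute real addresses and drop
# the angle brackets, which the shell would parse as redirections.

# Example: Force traffic to 203.0.113.50 to exit via WAN1 with a specific source IP.
# The SNAT destination and the route must name the same host (the original SNAT
# rule used a separate X.X.X.X placeholder here).
iptables -t nat -I POSTROUTING 1 -o eth1 -d 203.0.113.50 -j SNAT --to-source <WAN_IP_2>
ip route add 203.0.113.50 via <GW1 IP> dev eth1

# Example: Route traffic to a specific subnet via WAN2
ip route add 198.51.100.0/24 via <GW2 IP> dev eth2

# Example: Map internal host to use a dedicated WAN IP (source NAT only - the host
# still follows whatever default route section 15 installs)
iptables -t nat -I POSTROUTING 1 -s 192.168.19.100 -o eth1 -j SNAT --to-source <WAN_IP_3>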
Dev Stuff / LB and FO rules and routes
« Last post by razwall on August 04, 2025, 02:36:36 PM »
Fail Over:

SNAT
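# One MASQUERADE rule per WAN interface - the original listed the same ethX twice,
# which installs a duplicate rule and leaves the second WAN un-NATed.
# Neither rule restricts the source (-s); add -s <LAN subnets> if only LAN traffic
# should be masqueraded.
iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE   # WAN1 interface (the metric-100 route's dev)
iptables -t nat -A POSTROUTING -o ethY -j MASQUERADE   # WAN2 interface (the metric-200 route's dev)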

ROUTING
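# Both defaults coexist; the kernel uses the lowest metric (WAN1) and falls back to
# WAN2 only when the WAN1 route disappears (link/address loss). An upstream outage
# with the link still up is not detected - an external health check that swaps the
# metrics is needed. Each entry needs its own interface (the original used ethX for both).
ip route replace default via (WAN1 GW ADDRESS) dev ethX metric 100   # WAN1 interface
ip route replace default via (WAN2 GW ADDRESS) dev ethY metric 200   # WAN2 interface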

Load Balance:

ROUTING
ip route replace default \
nexthop via xx.xx.xx.xx dev ethX weight 2 \
nexthop via xx.xx.xx.xx dev ethX weight1

ACTIVE ROUTE CHECK
# Lists the installed default route(s): the multipath entry shows both nexthops;
# the failover setup shows both entries with their metrics (lowest metric = in use).
ip route show default
Dev Stuff / Re: Config JSON structure testing
« Last post by techdevel2 on August 03, 2025, 03:35:27 AM »
Hi,
Good to see the progress on dynamic ZONE creation as the default feature. I came across the IPFire code related to zone creation, which is done by the "setup" program/module during installation. It is written in C and performs the zone-creation steps, interface assignment, etc. [here is the link: https://github.com/ipfire/ipfire-2.x/blob/master/src/setup/networking.c]. I am thinking of changing this bottleneck in IPFire, though I am not good at advanced C programming [it is already mentioned by the IPFire author: https://www.ipfire.org/docs/roadmap/get-rid-of-configtype-in-network-config]. Actually, I am impressed with IPFire because of its build system, which gives the freedom to do anything according to the developer's/user's expertise.
I am also waiting for your distro. It would be good if you made a roadmap of the different tasks and asked others on the forum to help with development. This would definitely reduce the burden on you and also give others the opportunity to contribute.
Dev Stuff / Config JSON structure testing
« Last post by razwall on July 29, 2025, 11:25:06 AM »
{
  "bridges" : {
      "br0" : {
        "interface" : "eth0",
        "interfaces" : [
            "eth0"
        ]
      },
      "br1" : {
        "interface" : "eth7",
        "interfaces" : [
            "eth7"
        ]
      },
      "br2" : {
        "interface" : "br0.200",
        "interfaces" : [
            "br0.200"
        ]
      },
      "br3" : {
        "interface" : "eth2.200",
        "interfaces" : [
            "eth2.200"
        ]
      },
      "br4" : {
        "interfaces" : [
            "eth0.500"
        ]
      }
  },
  "dnat" : [
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "xx.xxx.xx.xx"
        ],
        "dst_port" : [
            "80"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "protocol" : [
            "tcp"
        ],
        "remark" : "HTTP Example",
        "src_dev" : [],
        "src_ip" : [
            "any"
        ],
        "target_ip" : [
            "192.168.19.87"
        ],
        "target_port" : [
            "80"
        ]
      },
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "xx.xxx.xx.xx"
        ],
        "dst_port" : [
            "22"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "protocol" : [
            "tcp"
        ],
        "remark" : "SSH Example",
        "src_dev" : [],
        "src_ip" : [
            "xx.xxx.xx.xx"
        ],
        "target_ip" : [
            "192.168.19.87"
        ],
        "target_port" : [
            "22"
        ]
      },
      {
        "collapsed" : true,
        "dst_dev" : [],
        "dst_ip" : [
            "24.111.67.50"
        ],
        "dst_port" : [
            "53"
        ],
        "enabled" : true,
        "filter_target" : "ACCEPT",
        "ip_version" : "4",
        "log" : true,
        "nat_target" : "DNAT",
        "protocol" : [
            "tcp",
            "udp"
        ],
        "remark" : "DNS Example - src_ip any exposes the internal DNS host to the whole Internet; restrict src_ip or confirm 192.168.19.87 is not an open recursive resolver",
        "src_dev" : [],
        "src_ip" : [
            "any"
        ],
        "target_ip" : [
            "192.168.19.87"
        ],
        "target_port" : [
            "53"
        ]
      }
  ],
  "interfaces" : {
      "physical" : [
        "eth0",
        "eth1",
        "eth2",
        "eth3",
        "eth4",
        "eth5",
        "eth6",
        "eth7",
        "lo"
      ],
      "virtual" : [
        "eth2.200",
        "eth0.500"
      ]
  },
  "users" : {
      "Admin" : "admin:REMOVED"
  },
  "zones" : {
      "LAN" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "",
        "ZCOLOR" : "green",
        "ZDESC" : "Primary LAN Network",
        "ZDHCP" : "off",
        "ZIFACE" : "eth0",
        "ZNETMASK" : "",
        "ZSTRING" : "LAN",
        "ZTYPE" : "LAN"
      },
      "LOCAL" : {
        "ZCOLOR" : "black",
        "ZDESC" : "Local Loopback Adapter",
        "ZIFACE" : "lo",
        "ZSTRING" : "loopback",
        "ZTYPE" : "LOOPBACK"
      },
      "PATRON" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "",
        "ZCOLOR" : "#8000ff",
        "ZDESC" : "patron LAN",
        "ZDHCP" : "off",
        "ZIFACE" : "eth2.200",
        "ZNETMASK" : "",
        "ZSTRING" : "PATRON",
        "ZTYPE" : "LAN"
      },
      "WAN" : {
        "ZADDITIONAL" : "",
        "ZADDRESS" : "",
        "ZCOLOR" : "red",
        "ZDESC" : "Primary Internet Connection",
        "ZDHCP" : "off",
        "ZIFACE" : "eth1",
        "ZNETMASK" : "",
        "ZSTRING" : "WAN",
        "ZTYPE" : "WAN"
      }
  }
}