Page 46 / 68
If you witness the above sequence, your backup link is working!
Firewall
In this section we look over the various firewall features that come with the RUT500.
General Settings
The router's firewall is the standard Linux iptables package, which uses chains and policies to control inbound and outbound traffic.
| Field name | Sample value | Explanation |
|---|---|---|
| 1. Enable SYN-flood protection | Checked/Unchecked | When checked, the router becomes more resistant to SYN-flood attacks. |
| 2. Drop invalid packets | Checked/Unchecked | A “Drop” action is performed on any packet that is determined to be invalid. |
| 3. Input | Reject/Drop/Accept | DEFAULT* action performed on packets that pass through the Input chain. |
| 4. Output | Reject/Drop/Accept | DEFAULT* action performed on packets that pass through the Output chain. |
| 5. Forward | Reject/Drop/Accept | DEFAULT* action performed on packets that pass through the Forward chain. |
*DEFAULT: When a packet goes through a firewall chain it is matched against all the rules for that chain. If no rule matches the packet, the corresponding action (Drop, Reject or Accept) is performed.
Accept: the packet continues down to the next chain.
Drop: the packet is stopped and deleted.
Reject: the packet is stopped and deleted and, unlike Drop, an ICMP packet carrying a rejection message is sent back to the source of the dropped packet.
DMZ
By enabling DMZ for a specific internal host (for example your computer), you expose that host and all of its services to the router's WAN network (i.e. the internet).
Port Forwarding
Here you can define your own port forwarding rules.
You can use port forwarding to set up servers and services on local LAN machines. The above picture shows how to set up a rule that allows a website hosted on 192.168.99.156 to be reached from the outside by entering http://routersExternalIp:12345/ .
| Field name | Sample value | Explanation |
|---|---|---|
| 1. Name | “localWebsite” | Name of the rule; used purely to make rules easier to manage. |
| 2. Protocol | TCP/UDP/TCP+UDP/Other | Protocol of the incoming packet. |
| 3. External port | 1-65535 | Port on the WAN network from which traffic is forwarded. |
| 4. Internal IP address | IPv4 address of a computer on your LAN | IP address of the internal machine that hosts the service you want to reach from the outside. |
| 5. Internal port | 1-65535 | Port on the internal machine to which the rule redirects the traffic. |
Additional note: Notice that the external port is 12345 and not 80. It is perfectly fine to define the external port as 80, but then the router's configuration interface would no longer be reachable (unless you change the web access port under remote management).
When you click edit you can fine-tune a rule to near perfection, should you desire that.
Traffic Rules
The Traffic Rules page offers a more general rule definition. With it you can block or open ports, alter how traffic is forwarded between LAN and WAN, and many more things.
| Field name | Sample value | Explanation |
|---|---|---|
| 1. Name | “ruleName” | Used to make rule management easier. |
| 2. Family | IPv4 | Only IPv4 is currently supported. |
| 3. Protocol | TCP/UDP/Other… | Protocol of the packet that is matched against the traffic rules. |
| 4. Source | IPv4 address | The source of the packet. |
| 5. Destination | IPv4 address | The destination of the packet. |
| 6. Action | Drop/Accept/Reject + chain + additional rules | Action taken on the packet if it matches the rule. You can also define additional options such as limiting packet volume and defining which chain the rule belongs to. |
| 7. Enable | Checked/Unchecked | Self-explanatory. Uncheck to make the rule inactive. The rule is not deleted, but it is also not loaded into the firewall. |
| 8. Sort | Up/Down | When a packet arrives, it is checked against the rules in order. If several rules match the packet, the first one is applied, i.e. the order of the rule list affects how your firewall operates, so you are given the ability to sort the list as you wish. |
Custom Rules
Here you have the ultimate freedom in defining your rules: you can enter them straight into the iptables program. Just type them into the text field and they will be executed as a Linux shell script. If you are unsure how to use iptables, look online for manuals, examples and explanations.
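As an added illustration (not the router's own firmware code) of what the General Settings defaults, the “localWebsite” port-forwarding rule and the Custom Rules text field have in common, the script below emits the iptables commands that correspond to those GUI fields; the WAN interface name and the management port are assumptions.

```shell
#!/bin/sh
# Added example: translate RUT500 GUI firewall fields into iptables commands.
# Assumed values (not from the manual): WAN interface name and web UI port.
WAN_IF="${WAN_IF:-wan0}"   # assumed WAN interface name; adjust for your device
MGMT_PORT=80               # assumed port of the router's own web interface

# Map a GUI default action (Accept/Drop/Reject) to an iptables chain policy.
# A chain policy can only be ACCEPT or DROP, so "Reject" becomes policy DROP
# plus a final rule that answers with an ICMP rejection, as described above.
# Call this AFTER all other rules for the chain so the REJECT rule stays last.
default_action() {  # $1=chain (INPUT/OUTPUT/FORWARD), $2=Accept|Drop|Reject
  case "$2" in
    Accept) echo "iptables -P $1 ACCEPT" ;;
    Drop)   echo "iptables -P $1 DROP" ;;
    Reject) echo "iptables -P $1 DROP"
            echo "iptables -A $1 -j REJECT --reject-with icmp-port-unreachable" ;;
    *)      echo "unknown action: $2" >&2; return 1 ;;
  esac
}

# Port forward = DNAT on the WAN side plus an explicit FORWARD accept.
# Refuses an external port that collides with the router's own web interface
# (the manual's note about using 80 as the external port).
port_forward() {  # $1=proto $2=external_port $3=internal_ip $4=internal_port
  if [ "$2" -eq "$MGMT_PORT" ]; then
    echo "external port $2 is the management port; choose another" >&2
    return 1
  fi
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $1 --dport $2 -j DNAT --to-destination $3:$4"
  echo "iptables -A FORWARD -i $WAN_IF -p $1 -d $3 --dport $4 -j ACCEPT"
}

# Usage: the manual's rule (192.168.99.156:80 reachable via external port 12345),
# then the chain defaults, emitted last so a REJECT rule never shadows the accept.
port_forward tcp 12345 192.168.99.156 80
default_action INPUT Drop
default_action FORWARD Reject
```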
Static Routes
Static routes provide a way of entering custom entries in the internal routing table of the router.
| Field name | Value | Explanation |
|---|---|---|
| 1. Interface | LAN/WAN | The zone where the ‘Target’ resides. |
| 2. Target | IPv4 address | The source of the traffic. |
| 3. IPv4-Netmask | IPv4 mask | Mask applied to the Target to determine which actual IP addresses the routing rule applies to. |
| 4. IPv4-Gateway | IPv4 address | Where the router should send all traffic that matches the rule. |
| 5. Metric | integer | Used as a sorting measure. If a packet about to be routed fits two rules, the one with the higher metric is applied. |
Additional note on Target & Netmask: You can define a rule that applies to a single IP like this: Target: some IP; Netmask: 255.255.255.255. Furthermore, you can define a rule that applies to a segment of IPs like this: Target: the IP that STARTS the segment; Netmask: the netmask that defines how large the segment is. E.g.:
| Target | Netmask | Applies to |
|---|---|---|
| 192.168.55.161 | 255.255.255.255 | Only 192.168.55.161 |
| 192.168.55.0 | 255.255.255.0 | 192.168.55.0 - 192.168.55.255 |
| 192.168.55.240 | 255.255.255.240 | 192.168.55.240 - 192.168.55.255 |
| 192.168.55.161 | 255.255.255.0 | 192.168.55.0 - 192.168.55.255 |
| 192.168.0.0 | 255.255.0.0 | 192.168.0.0 - 192.168.255.255 |
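The Target & Netmask arithmetic above, as an added example in POSIX sh (not the router's own code): it computes the address range a static route covers and checks whether a given address falls inside it, including the case where the Target carries host bits (192.168.55.161 with 255.255.255.0 still means the whole 192.168.55.0 segment).

```shell
#!/bin/sh
# Added example: which destinations does a RUT500 static route (Target + IPv4-Netmask)
# actually cover? Pure POSIX sh arithmetic; nothing here is the router's own code.

ip2int() {  # dotted quad -> unsigned 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {  # unsigned 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# route_range TARGET NETMASK -> "first-last". Host bits set in Target are masked
# off, which is why 192.168.55.161 / 255.255.255.0 still yields the whole /24.
route_range() {
  t=$(ip2int "$1"); m=$(ip2int "$2")
  first=$(( t & m ))
  last=$(( first | (4294967295 - m) ))   # 4294967295 - m == ~m within 32 bits
  echo "$(int2ip "$first")-$(int2ip "$last")"
}

# route_matches TARGET NETMASK ADDRESS -> yes/no: would this route apply to a
# packet destined for ADDRESS? (Same mask applied to both sides.)
route_matches() {
  if [ $(( $(ip2int "$3") & $(ip2int "$2") )) -eq $(( $(ip2int "$1") & $(ip2int "$2") )) ]; then
    echo yes
  else
    echo no
  fi
}

# Usage: the rows of the manual's example table
for spec in "192.168.55.161 255.255.255.255" "192.168.55.0 255.255.255.0" \
            "192.168.55.240 255.255.255.240" "192.168.55.161 255.255.255.0" \
            "192.168.0.0 255.255.0.0"; do
  set -- $spec
  echo "$1 / $2 -> $(route_range "$1" "$2")"
done
```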
Diagnostics
Contains network utilities used for testing the network.
Ping: the utility used to test the reachability of a host on an IP network and to measure the round-trip time of messages sent from the originating host to a destination server. Enter the server IP address or hostname and click “Ping”. The server's echo response will be shown after a few seconds if the server is accessible.
Traceroute: a diagnostic tool for displaying the route (path) and measuring transit delays of packets across an IP network. Enter the server IP address or hostname and click “Traceroute”. A log containing route information will be shown after a few seconds.
Nslookup: a network administration command-line tool for querying the Domain Name System (DNS) to obtain a domain name or IP address mapping, or any other specific DNS record. Enter the server hostname and click “Nslookup”. A log containing the DNS lookup information for the specified server will be shown after a few seconds. The full manual with all available “Nslookup” commands and parameters can be found in the Linux manual page nslookup(1).
Important notes:
Note that a DNS server must be configured correctly if you use a server hostname instead of a server IP address in the address field.
Services
PING Reboot
The PING Reboot function periodically sends a PING to a server and waits for the echo reply. If no echo is received, the router tries sending the PING again a defined number of times, each after a defined time interval. If no echo is received after the defined number of unsuccessful retries, the router reboots. It is possible to turn off the reboot after the defined number of unsuccessful retries; the feature can then be used as a “Keep Alive” function, with the router PINGing the host an unlimited number of times.
Common configuration
| Field name | Description | Notes |
|---|---|---|
| 1. Enable PING Reboot | This check box enables or disables the PING Reboot feature. | PING Reboot is disabled by default. |
| 2. Reboot router if no echo received | This check box will disable router rebooting after the defined number of unsuccessful retries. | This check box must be unselected if you want to use the PING Reboot feature as a “Keep Alive” function. |
| 3. Interval between PINGs | Time interval in minutes between two PINGs. | Minimum time interval is 5 minutes. |
| 4. Retry count | Number of times to retry sending PING to the server after the time interval if no echo was received. | Minimum retry count is 1. The second retry is done after the defined time interval. |
| 5. Server to PING | Server IP address or hostname that will receive the PING from the router. | If you use a server hostname instead of the IP address you must configure a DNS server first. |
Important notes:
Always check that the server you define responds to echo requests before using the PING Reboot function; otherwise the router keeps rebooting after each unsuccessful PING. You can test PING at “Network” > “Diagnostics”.
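To make the retry and reboot logic of PING Reboot concrete, here is an added watchdog loop in POSIX sh with the same decision rules (not the router's own implementation); the probe and interval are parameters so the logic can be exercised offline, and the interval is in seconds here rather than the GUI's minutes.

```shell
#!/bin/sh
# Added example: one PING Reboot cycle. Probe a server, retry RETRIES times
# after INTERVAL seconds each, then decide: "up", "reboot", or "keepalive"
# (the latter when "reboot if no echo" is turned off). The probe command is
# a parameter (default: one ICMP echo) so the loop can be tested without a network.
# ping_reboot_cycle SERVER RETRIES INTERVAL_SEC REBOOT_ENABLED(yes|no) [PROBE_CMD]
ping_reboot_cycle() {
  server=$1; retries=$2; interval=$3; reboot_enabled=$4
  probe=${5:-"ping -c 1 -W 2"}
  attempt=0
  while [ "$attempt" -le "$retries" ]; do      # first PING plus RETRIES retries
    if $probe "$server" >/dev/null 2>&1; then
      echo up
      return 0
    fi
    attempt=$((attempt + 1))
    if [ "$attempt" -le "$retries" ]; then
      sleep "$interval"                         # wait the interval before retrying
    fi
  done
  if [ "$reboot_enabled" = yes ]; then
    echo reboot        # a real watchdog would run the reboot command here
  else
    echo keepalive     # keep probing forever: the "Keep Alive" mode
  fi
}

# Usage: a host that never answers (probe replaced by "false"). With reboot
# enabled this is exactly the state that makes a mistyped server address reboot
# the router over and over, hence the advice to test the server in Diagnostics.
ping_reboot_cycle 192.0.2.10 1 0 yes false
ping_reboot_cycle 192.0.2.10 1 0 no false
```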
SMS Reboot
It is possible to reboot the router via SMS text message. This function is useful when the router does not respond and it is difficult to restart it manually by hand.
Common configuration
