Installing iptables on the MyBook World WDH1NC10000

Why?

My motivation was that I did not want the MBWE to be configurable from every host in my LAN, especially not from the router :-)

iptables and its libraries

I compiled the latest iptables version (1.4.6) and its libraries like this:

./configure --host=arm-linux-gnueabi --prefix=/ --libexecdir=/usr/lib/iptables

iptables and all its libraries are included in my .opk package (see below).
Please note that, unlike optware, I am NOT installing to /opt.

Example iptables rules

    export LAN=""       # source network allowed to use NFS (fill in)
    export ADMINPC=""   # the one PC allowed to administer the MBWE (fill in)

    # Default policy: drop everything that is not explicitly allowed
    iptables -P INPUT DROP
    iptables -P FORWARD DROP

    # Start from an empty ruleset
    iptables -F
    iptables -X
    iptables -Z

    iptables -A INPUT -i lo -j ACCEPT

    # Allow administration from one PC
    iptables -A INPUT -p tcp -s "$ADMINPC" --dport 22 -j ACCEPT   # ssh
    iptables -A INPUT -p tcp -s "$ADMINPC" --dport 80 -j ACCEPT   # http
    iptables -A INPUT -p tcp -s "$ADMINPC" --dport 443 -j ACCEPT  # https

    # Allow NFS from localnet
    iptables -A INPUT -p tcp -s "$LAN" --dport 111 -j ACCEPT      # portmap
    iptables -A INPUT -p tcp -s "$LAN" --dport 2049 -j ACCEPT     # nfs
    iptables -A INPUT -p tcp -s "$LAN" --dport 32767 -j ACCEPT    # mountd
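The rules above set the INPUT policy to DROP and flush the chain before any ACCEPT rule is added, so an empty or mistyped ADMINPC or LAN leaves the NAS with no rule that lets the admin PC back in. The following added example (not part of the original page or its package) validates both values and prints the same rules for review before anything is applied; the function names are hypothetical and the sample addresses are constructed.

```sh
#!/bin/sh
# Added example: check ADMINPC and LAN before the ruleset is touched.
# Deliberately stricter than iptables' own -s parsing: only a dotted-quad
# IPv4 address, optionally followed by /0../32, is accepted.

valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, junk, or empty octet
    esac
    rest="$1." n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}; n=$((n + 1))
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

valid_source() {
    case "$1" in
        */*) prefix=${1#*/}
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1
             valid_ipv4 "${1%%/*}" ;;
        *)   valid_ipv4 "$1" ;;
    esac
}

# emit_rules ADMINPC LAN: print the page's rules, or print nothing and fail.
emit_rules() {
    valid_source "$1" || { echo "ADMINPC empty or malformed: '$1'" >&2; return 1; }
    valid_source "$2" || { echo "LAN empty or malformed: '$2'" >&2; return 1; }
    printf 'iptables %s\n' '-P INPUT DROP' '-P FORWARD DROP' -F -X -Z \
        '-A INPUT -i lo -j ACCEPT'
    for port in 22 80 443; do            # ssh, http, https from the admin PC
        echo "iptables -A INPUT -p tcp -s $1 --dport $port -j ACCEPT"
    done
    for port in 111 2049 32767; do       # portmap, nfs, mountd from the LAN
        echo "iptables -A INPUT -p tcp -s $2 --dport $port -j ACCEPT"
    done
}

# Dry run with constructed sample values; on the NAS, write the output to a
# file, read it, and only then run it with sh.
emit_rules 192.168.1.10 192.168.1.0/24
```

Because emit_rules prints nothing when validation fails, a rejected value never results in a half-applied ruleset.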

Kernel modules

You also need to compile all required kernel modules for iptables, as described in my short cross-compiling howto. Some kernel modules for stateless filtering are included in my .opk archive, though.

Stateful filtering relies on connection tracking, but this module won't load with the original kernel because of unresolved symbols.
Therefore, if you want to use stateful filtering, you also need to install a modified kernel, which clearly is an option for expert Linux users only (and is NOT included in the .opk archive below).


I made an .opk archive containing some kernel modules, all required libraries and iptables-1.4.6, which can be found at my packages page.