briskgopesh · November 3, 2022 13:24 · Nov 18, 2021 · Nov 17, 2021 · Oct 11, 2021 · Oct 11, 2021
diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -103,13 +103,13 @@ Useful when you have a device behind the router and want to limit it's ability t
 
 ```sh
 # Block port 80 (http) only on ETH1 interface
-iptables -t mangle -A pre_nat -i eth1 -p tcp --dport 80 -j DROP
+iptables -t filter -A INPUT -i eth1 -p tcp --dport 80 -j DROP
 # Block port 443 (https) only on ETH1 interface
-iptables -t mangle -A pre_nat -i eth1 -p tcp --dport 80 -j DROP
+iptables -t filter -A INPUT -i eth1 -p tcp --dport 80 -j DROP
 # Block port 22 (ssh) only on ETH1 interface
-iptables -t mangle -A pre_nat -i eth1 -p tcp --dport 22 -j DROP
+iptables -t filter-A INPUT -i eth1 -p tcp --dport 22 -j DROP
 # Block ping (icmp) on ETH1 interface unit does not response to ping
-iptables -t mangle -A pre_nat -i eth1 -p icmp -j DROP
+iptables -t filter -A INPUT -i eth1 -p icmp -j DROP
 ```
 
 ## Check NAT table

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -1,6 +1,12 @@
 ## Some examples of SNAT, DNAT with iptables with comments
 > mainly used in start-up script
 
+## How to test 'safely'
+When we play with iptables aka firewall we might end up in situation, where we execute rule, which has unforseen impact - lock yourself out. Recovering from this situation is necessity. 
+> **How to:** 
+> - Enable reboot via SMS.
+> - Test all commands in shell first before putting them into Start-up script. This way the command will be wiped out, when unit is rebooted.
+
 ### masquarade all outgoing packets to be WLAN0 IP
 ```sh
 iptables -t nat -A PREROUTING -s 192.168.1.2 -i eth0 -j MASQUERADE
@@ -90,6 +96,22 @@ iptables -I FORWARD -i eth0 -o usb0 -j DROP
 iptables -I FORWARD -d pool.ntp.org -i eth0 -o usb0 -j ACCEPT
 ```
 
+## Block traffic on ETH1 based on ports
+Useful when you have a device behind the router and want to limit it's ability to use/exploit resources on the router.
+> Use with caution as you can lock yourself out. 
+
+
+```sh
+# Block port 80 (http) only on ETH1 interface
+iptables -t mangle -A pre_nat -i eth1 -p tcp --dport 80 -j DROP
+# Block port 443 (https) only on ETH1 interface
+iptables -t mangle -A pre_nat -i eth1 -p tcp --dport 80 -j DROP
+# Block port 22 (ssh) only on ETH1 interface
+iptables -t mangle -A pre_nat -i eth1 -p tcp --dport 22 -j DROP
+# Block ping (icmp) on ETH1 interface unit does not response to ping
+iptables -t mangle -A pre_nat -i eth1 -p icmp -j DROP
+```
+
 ## Check NAT table
 The `iptables` table needs to be specified for listing. EG. `nat`, `mangle`.
 ```sh

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -88,7 +88,6 @@ Order is **important** as the `DROP` will end up after allowing communication wi
 ```
 iptables -I FORWARD -i eth0 -o usb0 -j DROP
 iptables -I FORWARD -d pool.ntp.org -i eth0 -o usb0 -j ACCEPT
-
 ```
 
 ## Check NAT table

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -82,8 +82,17 @@ echo $ip
 iptables -t nat -A POSTROUTING -o wlan1 -j SNAT --to $ip
 ```
 
-## Check NAT table
+## Block traffic from ETH0 to Cell except NTP
+Order is **important** as the `DROP` will end up after allowing communication with _NTP_ server. For that reason we need to `INSERT` the rules. If used `APPEND` the order of commands have to be reversed to ensure `DROP` is the last.
+
+```
+iptables -I FORWARD -i eth0 -o usb0 -j DROP
+iptables -I FORWARD -d pool.ntp.org -i eth0 -o usb0 -j ACCEPT
 
+```
+
+## Check NAT table
+The `iptables` table needs to be specified for listing. EG. `nat`, `mangle`.
 ```sh
 iptables -t nat -L -n -v
 ```

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -2,10 +2,14 @@
 > mainly used in start-up script
 
 ### masquarade all outgoing packets to be WLAN0 IP
-```iptables -t nat -A PREROUTING -s 192.168.1.2 -i eth0 -j MASQUERADE```
+```sh
+iptables -t nat -A PREROUTING -s 192.168.1.2 -i eth0 -j MASQUERADE
+```
 
 #### All packets leaving eth0 will have src eth0 ip address
-```iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1```
+```sh
+iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1
+```
 
 ## Match rule specifying a source port
 > Below makes sure packets from Eth Devices have correct source IP Address
@@ -26,35 +30,43 @@ iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.9 -j DNAT --to-destination 192.
 ### Packets destined for IP 10.1.1.7 will be forwaded to 192.168.1.2 UDP,TCP
 > Does NOT work with ping (ICMP) correctly, does not handle ICMP protocol
 > WLAN IP reply on a ping without
-```
+```sh
 iptables -t nat -A PREROUTING -p tcp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
 iptables -t nat -A PREROUTING -p udp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
 ```
 
 ### Change SNMP port of outgoing SNMP messages
-```
+```sh
 iptables -t nat -A OUTPUT -p udp --dport 162 -j DNAT --to-destination 192.168.1.33:1162
 ```
 
 ### Add secondary IP to WLAN0
-```
+```sh
 ip addr add 10.1.1.7/24 dev wlan0
 ip addr add 10.1.1.9/24 dev wlan0
 ```
 ### List all IP addresses asign to wlan0
 ```ip add list dev wlan0```
 
 ### All packets leaving eth1 will change source IP to 192.168.20.1
-```iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.20.1```
+```sh
+iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.20.1
+```
 
 ### All TCP packets leaving eth1 on port 443 will change source IP to 192.168.20.1
-```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p tcp --dport 443 -j SNAT --to 192.168.20.1:443```
+```sh
+iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p tcp --dport 443 -j SNAT --to 192.168.20.1:443
+```
 
 ### All ICMP packets leaving eth1 will change source IP to 192.168.20.1
-```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p icmp -j SNAT --to 192.168.20.1```
+```sh
+iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p icmp -j SNAT --to 192.168.20.1
+```
 
 ### All supported packets leaving eth1 which have source IP 192.168.1.22 will change source IP to 192.168.20.1
-```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1```
+```sh
+iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1
+```
 
 ## SNAT on dynamically assign interface
 

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -33,7 +33,7 @@ iptables -t nat -A PREROUTING -p udp -i wlan0 -d 10.1.1.7 -j DNAT --to-destinati
 
 ### Change SNMP port of outgoing SNMP messages
 ```
-iptables -t nat -A OUTPUT --destination 192.168.1.33 -p tcp  --dport 162 -j DNAT --to-destination 192.168.1.33:1162
+iptables -t nat -A OUTPUT -p udp --dport 162 -j DNAT --to-destination 192.168.1.33:1162
 ```
 
 ### Add secondary IP to WLAN0

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -31,6 +31,11 @@ iptables -t nat -A PREROUTING -p tcp -i wlan0 -d 10.1.1.7 -j DNAT --to-destinati
 iptables -t nat -A PREROUTING -p udp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
 ```
 
+### Change SNMP port of outgoing SNMP messages
+```
+iptables -t nat -A OUTPUT --destination 192.168.1.33 -p tcp  --dport 162 -j DNAT --to-destination 192.168.1.33:1162
+```
+
 ### Add secondary IP to WLAN0
 ```
 ip addr add 10.1.1.7/24 dev wlan0

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -51,7 +51,7 @@ ip addr add 10.1.1.9/24 dev wlan0
 ### All supported packets leaving eth1 which have source IP 192.168.1.22 will change source IP to 192.168.20.1
 ```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1```
 
-## SNAT on dynamiclly assign interface
+## SNAT on dynamically assign interface
 
 > usage with WIFI dual mode where WiFi can be AP and STA at the same time
 > add to **start-up script**

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -65,4 +65,9 @@ echo $ip
 iptables -t nat -A POSTROUTING -o wlan1 -j SNAT --to $ip
 ```
 
-## 
+## Check NAT table
+
+```sh
+iptables -t nat -L -n -v
+```
+
diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -51,7 +51,7 @@ ip addr add 10.1.1.9/24 dev wlan0
 ### All supported packets leaving eth1 which have source IP 192.168.1.22 will change source IP to 192.168.20.1
 ```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1```
 
-## SNAT on dynamicly assing interface
+## SNAT on dynamiclly assign interface
 
 > usage with WIFI dual mode where WiFi can be AP and STA at the same time
 > add to **start-up script**

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -7,7 +7,7 @@
 #### All packets leaving eth0 will have src eth0 ip address
 ```iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1```
 
-## match rule specifying a source port
+## Match rule specifying a source port
 > Below makes sure packets from Eth Devices have correct source IP Address
 > Notice, when specifying a port, protocol needs to be specified as well
 ```sh
@@ -39,16 +39,16 @@ ip addr add 10.1.1.9/24 dev wlan0
 ### List all IP addresses asign to wlan0
 ```ip add list dev wlan0```
 
-### all packets leaving eth1 will change source IP to 192.168.20.1
+### All packets leaving eth1 will change source IP to 192.168.20.1
 ```iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.20.1```
 
-### all TCP packets leaving eth1 on port 443 will change source IP to 192.168.20.1
+### All TCP packets leaving eth1 on port 443 will change source IP to 192.168.20.1
 ```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p tcp --dport 443 -j SNAT --to 192.168.20.1:443```
 
-### all ICMP packets leaving eth1 will change source IP to 192.168.20.1
+### All ICMP packets leaving eth1 will change source IP to 192.168.20.1
 ```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p icmp -j SNAT --to 192.168.20.1```
 
-### all supported packets leaving eth1 which have source IP 192.168.1.22 will change source IP to 192.168.20.1
+### All supported packets leaving eth1 which have source IP 192.168.1.22 will change source IP to 192.168.20.1
 ```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1```
 
 ## SNAT on dynamicly assing interface

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -10,7 +10,7 @@
 ## match rule specifying a source port
 > Below makes sure packets from Eth Devices have correct source IP Address
 > Notice, when specifying a port, protocol needs to be specified as well
-```
+```sh
 iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p udp --dport 16020 -j SNAT --to 10.1.1.7:51889
 iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p tcp --dport 21 -j SNAT --to 10.1.1.7:21
 iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.3 -j SNAT --to 10.1.1.9

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -7,47 +7,54 @@
 #### All packets leaving eth0 will have src eth0 ip address
 ```iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1```
 
-# match rule specifying a source port
-# Below makes sure packets from Eth Devices have correct source IP Address
-# Notice, when specifying a port, protocol needs to be specified as well
+## match rule specifying a source port
+> Below makes sure packets from Eth Devices have correct source IP Address
+> Notice, when specifying a port, protocol needs to be specified as well
+```
 iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p udp --dport 16020 -j SNAT --to 10.1.1.7:51889
 iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p tcp --dport 21 -j SNAT --to 10.1.1.7:21
 iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.3 -j SNAT --to 10.1.1.9
 
+
 # Packets destined for IP 10.1.1.7 will be forwaded to 192.168.1.2 UDP,TCP
 # Packets destined for IP 10.1.1.9 will be forwaded to 192.168.1.3 UDP,TCP
 # Does work with ping (ICMP) correctly
 iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
 iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.9 -j DNAT --to-destination 192.168.1.3
+```
 
-# Packets destined for IP 10.1.1.7 will be forwaded to 192.168.1.2 UDP,TCP
-# Does NOT work with ping (ICMP) correctly, does not handle ICMP protocol
-# WLAN IP reply on a ping without
+### Packets destined for IP 10.1.1.7 will be forwaded to 192.168.1.2 UDP,TCP
+> Does NOT work with ping (ICMP) correctly, does not handle ICMP protocol
+> WLAN IP reply on a ping without
+```
 iptables -t nat -A PREROUTING -p tcp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
 iptables -t nat -A PREROUTING -p udp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
+```
 
-# Add secondary IP to WLAN0
+### Add secondary IP to WLAN0
+```
 ip addr add 10.1.1.7/24 dev wlan0
 ip addr add 10.1.1.9/24 dev wlan0
-# List all IP addresses asign to wlan0
-ip add list dev wlan0
+```
+### List all IP addresses asign to wlan0
+```ip add list dev wlan0```
 
-# all packets leaving eth1 will change source IP to 192.168.20.1
-iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.20.1
+### all packets leaving eth1 will change source IP to 192.168.20.1
+```iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.20.1```
 
-# all TCP packets leaving eth1 on port 443 will change source IP to 192.168.20.1
-iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p tcp --dport 443 -j SNAT --to 192.168.20.1:443
+### all TCP packets leaving eth1 on port 443 will change source IP to 192.168.20.1
+```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p tcp --dport 443 -j SNAT --to 192.168.20.1:443```
 
-# all ICMP packets leaving eth1 will change source IP to 192.168.20.1
-iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p icmp -j SNAT --to 192.168.20.1
+### all ICMP packets leaving eth1 will change source IP to 192.168.20.1
+```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p icmp -j SNAT --to 192.168.20.1```
 
-# all supported packets leaving eth1 which have source IP 192.168.1.22 will change source IP to 192.168.20.1
-iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1
+### all supported packets leaving eth1 which have source IP 192.168.1.22 will change source IP to 192.168.20.1
+```iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1```
 
 ## SNAT on dynamicly assing interface
 
 > usage with WIFI dual mode where WiFi can be AP and STA at the same time
-
+> add to **start-up script**
 ```sh
 # assuming wlan1 is STA interface
 ip=$(ip -o addr show up primary scope global wlan1 |

diff --git a/snat_dnat_advantech.md b/snat_dnat_advantech.md
@@ -1,11 +1,11 @@
-# some examples of SNAT, DNAT with iptables with comments:
-# mainly used in start-up script
+## Some examples of SNAT, DNAT with iptables with comments
+> mainly used in start-up script
 
-# masquarade all outgoing packets to be WLAN0 IP
-iptables -t nat -A PREROUTING -s 192.168.1.2 -i eth0 -j MASQUERADE
+### masquarade all outgoing packets to be WLAN0 IP
+```iptables -t nat -A PREROUTING -s 192.168.1.2 -i eth0 -j MASQUERADE```
 
-# All packets leaving eth0 will have src eth0 ip address
-iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1
+#### All packets leaving eth0 will have src eth0 ip address
+```iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1```
 
 # match rule specifying a source port
 # Below makes sure packets from Eth Devices have correct source IP Address

diff --git a/snat_dnat_advantech.sh → snat_dnat_advantech.md b/snat_dnat_advantech.sh → snat_dnat_advantech.md
@@ -42,4 +42,20 @@ iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p tcp --dport 443 -j SNA
 iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p icmp -j SNAT --to 192.168.20.1
 
 # all supported packets leaving eth1 which have source IP 192.168.1.22 will change source IP to 192.168.20.1
-iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1
+iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1
+
+## SNAT on dynamicly assing interface
+
+> usage with WIFI dual mode where WiFi can be AP and STA at the same time
+
+```sh
+# assuming wlan1 is STA interface
+ip=$(ip -o addr show up primary scope global wlan1 |
+      while read -r num dev fam addr rest; do echo ${addr%/*}; done)
+echo $ip
+
+# all packets leaving wlan1 will change source IP to STA interface IP
+iptables -t nat -A POSTROUTING -o wlan1 -j SNAT --to $ip
+```
+
+## 
diff --git a/gistfile1.sh → snat_dnat_advantech.sh b/gistfile1.sh → snat_dnat_advantech.sh
@@ -30,4 +30,16 @@ iptables -t nat -A PREROUTING -p udp -i wlan0 -d 10.1.1.7 -j DNAT --to-destinati
 ip addr add 10.1.1.7/24 dev wlan0
 ip addr add 10.1.1.9/24 dev wlan0
 # List all IP addresses asign to wlan0
-ip add list dev wlan0
+ip add list dev wlan0
+
+# all packets leaving eth1 will change source IP to 192.168.20.1
+iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.20.1
+
+# all TCP packets leaving eth1 on port 443 will change source IP to 192.168.20.1
+iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p tcp --dport 443 -j SNAT --to 192.168.20.1:443
+
+# all ICMP packets leaving eth1 will change source IP to 192.168.20.1
+iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p icmp -j SNAT --to 192.168.20.1
+
+# all supported packets leaving eth1 which have source IP 192.168.1.22 will change source IP to 192.168.20.1
+iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to 192.168.20.1
diff --git a/gistfile1.sh b/gistfile1.sh
@@ -0,0 +1,33 @@
+# some examples of SNAT, DNAT with iptables with comments:
+# mainly used in start-up script
+
+# masquarade all outgoing packets to be WLAN0 IP
+iptables -t nat -A PREROUTING -s 192.168.1.2 -i eth0 -j MASQUERADE
+
+# All packets leaving eth0 will have src eth0 ip address
+iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.1
+
+# match rule specifying a source port
+# Below makes sure packets from Eth Devices have correct source IP Address
+# Notice, when specifying a port, protocol needs to be specified as well
+iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p udp --dport 16020 -j SNAT --to 10.1.1.7:51889
+iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p tcp --dport 21 -j SNAT --to 10.1.1.7:21
+iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.3 -j SNAT --to 10.1.1.9
+
+# Packets destined for IP 10.1.1.7 will be forwaded to 192.168.1.2 UDP,TCP
+# Packets destined for IP 10.1.1.9 will be forwaded to 192.168.1.3 UDP,TCP
+# Does work with ping (ICMP) correctly
+iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
+iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.9 -j DNAT --to-destination 192.168.1.3
+
+# Packets destined for IP 10.1.1.7 will be forwaded to 192.168.1.2 UDP,TCP
+# Does NOT work with ping (ICMP) correctly, does not handle ICMP protocol
+# WLAN IP reply on a ping without
+iptables -t nat -A PREROUTING -p tcp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
+iptables -t nat -A PREROUTING -p udp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
+
+# Add secondary IP to WLAN0
+ip addr add 10.1.1.7/24 dev wlan0
+ip addr add 10.1.1.9/24 dev wlan0
+# List all IP addresses asign to wlan0
+ip add list dev wlan0