-
downloaded (https://downloads.openwrt.org/snapshots/targets/brcm2708/bcm2710/openwrt-brcm2708-bcm2710-rpi-3-ext4-factory.img.gz) and set up SD card
-
Modify /etc/config/network to set the IP address, gateway and DNS:
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.1.39'
option netmask '255.255.255.0'
#option ip6assign '60'
option gateway '192.168.1.2'
option dns '192.168.1.14'
-
Modify /etc/config/firewall to allow ssh in
-
Set /etc/dropbear/authorized_keys
-
boot with SD, login with ssh
-
Set root password or prevent root login
opkg update
opkg install nano
opkg install tree
opkg install openssh-sftp-server
With openssh-sftp-server installed on OpenWrt, you can mount the OpenWrt filesystem from your work PC with sshfs to edit files easily.
sshfs root@rpi-owrt:/ ~/sshfs/rpi-owrt
emacs ~/sshfs/rpi-owrt/etc/nftables.conf
- Switch to nftables. Note: the firewall will be dropped during the transition, which is a security risk. If you can pre-cache the necessary installation files in advance, you may be able to complete this step with a private LAN cable between your work PC and the RPi.
Remove all packages kmod-nf*
and kmod-ip
and force removal of all their dependencies.
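# Remove every installed kmod-nf* / kmod-ip* package, forcing removal of
# their dependants so the whole netfilter/iptables stack goes in one pass.
# "kmod-ip" is a prefix match, so it also catches kmod-ipt* packages.
# read -r keeps backslashes literal and "$m" is quoted (SC2086).
opkg list-installed | grep -e kmod-nf -e kmod-ip | while read -r m _; do
  opkg --force-removal-of-dependent-packages remove "$m"
done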
Remove all modules ip*
. May require several iterations.
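# Unload every module whose name starts with "ip" (ip_tables, iptable_*, ...).
# rmmod refuses a module that is still in use by another one, which is why
# this may need several passes.  read -r and "$m" per ShellCheck.
lsmod | grep -e "^ip" | while read -r m _; do
  echo "--------- $m "
  rmmod "$m"
done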
Install or reinstall all packages kmod-nf*
. Requires a sleep
. Make sure they are ALL installed - if necessary use multiple iterations.
# opkg list | grep -e kmod-nf | while read m xx ; do echo ":::: $m ::::" ; sleep 1 ; opkg install $m ; done
- Nft firewall
Set up a simple
/etc/nftables.conf
- don't forget to allow yourself to ssh in. Load with
# nft -f /etc/nftables.conf
- Service to load
nftable.conf
at boot
10.a.
Set up a service /etc/init.d/nft-fw
to take the place of /etc/init.d/firewall
which was automatically removed when iptables
was removed.
#!/bin/sh /etc/rc.common
# /etc/init.d/nft-fw - adapted from /etc/init.d/firewall
# rc.common metadata: same start order as the fw3 firewall script this
# replaces, and procd-managed lifecycle (start_service/stop_service/...).
START=19
USE_PROCD=1
# Only referenced by the commented-out fw3 calls below; kept for parity.
QUIET=''
# validate_firewall_redirect()
# {
# uci_validate_section firewall redirect "${1}" \
# 'proto:or(uinteger, string)' \
# 'src:string' \
# 'src_ip:cidr' \
# 'src_dport:or(port, portrange)' \
# 'dest:string' \
# 'dest_ip:cidr' \
# 'dest_port:or(port, portrange)' \
# 'target:or("SNAT", "DNAT")'
# }
# validate_firewall_rule()
# {
# uci_validate_section firewall rule "${1}" \
# 'proto:or(uinteger, string)' \
# 'src:string' \
# 'dest:string' \
# 'src_port:or(port, portrange)' \
# 'dest_port:or(port, portrange)' \
# 'target:string'
# }
# service_triggers() {
# procd_add_reload_trigger firewall
# procd_open_validate
# validate_firewall_redirect
# validate_firewall_rule
# procd_close_validate
# }
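restart() {
  # Replaces "fw3 restart": reload the nft ruleset from disk.
  # The file name matches the one loaded by hand earlier in these notes
  # (/etc/nftables.conf); the original pointed at /etc/nftable.conf, which
  # is not the file that was written, so a restart would flush the ruleset
  # and then load nothing.
  local conf=/etc/nftables.conf
  # Parse-check first: a flush followed by a failed load would leave the
  # box with no firewall at all.  Returns non-zero without touching the
  # live ruleset if the file does not parse.
  nft -c -f "$conf" || return 1
  nft flush ruleset
  nft -f "$conf"
}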
# procd start hook (was "fw3 ${QUIET} start"); loading the ruleset is the
# same operation as a restart, so delegate.
start_service() { restart; }
# procd stop hook (was "fw3 flush"): drop every table so no rules remain.
stop_service() { nft flush ruleset; }
# procd reload hook (was "fw3 reload"); nft has no incremental reload
# here, so a reload is a full restart.
reload_service() { restart; }
boot() {
  ## The fw3 original set QUIET=-q and called start here, because hotplug
  ## may already have brought the firewall up and it did not want to
  ## complain in syslog.  The nft version has nothing to be quiet about,
  ## so boot just loads the ruleset like restart does.
  restart
}
# start() didn't exist in the fw3 original
start() { restart; }  # not in the fw3 original; manual "start" == restart
10.b.
# ln -s /etc/init.d/nft-fw /etc/rc.init/S19nft-fw
10.c.
# service nft-fw enable
- Check modules and packages for
*ipt*
root@OpenWrt:~# lsmod | grep -e ipt
ip_tables 24576 3 iptable_raw,iptable_mangle,iptable_filter
ipt_REJECT 16384 0
iptable_filter 16384 0
iptable_mangle 16384 0
iptable_raw 16384 0
nf_reject_ipv4 16384 4 nft_reject_ipv4,nft_reject_inet,nft_reject_bridge,ipt_REJECT
x_tables 24576 18 iptable_raw,iptable_mangle,iptable_filter,ipt_REJECT,ip6_tables,ip_tables,xt_time,xt_tcpudp,xt_state,xt_multiport,xt_mark,xt_mac,xt_limit,xt_conntrack,xt_comment,xt_TCPMSS,xt_LOG,xt_CT
root@OpenWrt:~# opkg list installed | grep -e ipt
root@OpenWrt:~# rmmod iptable_raw
root@OpenWrt:~# rmmod iptable_mangle
root@OpenWrt:~# rmmod iptable_filter
root@OpenWrt:~# rmmod ip_tables
root@OpenWrt:~# for m in iptable_raw iptable_mangle iptable_filter ipt_REJECT ip6_tables ip_tables xt_time xt_tcpudp xt_state xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_LOG xt_CT ; do echo $m ; rmmod $m ; done
...
root@OpenWrt:~# rmmod x_tables