The kernel configuration of gb7252 (gbquad4k|gbue4k) and gbmv200 (gbtrio4k|...) was reworked in OE-A 4.3 to support iptables for IPv4 and IPv6 — see below for a quick example. The example is a plain host firewall: INPUT accepts loopback traffic, RELATED/ESTABLISHED traffic and new TCP connections to ports 22, 80 and 443 from any source address, and drops everything else; FORWARD and OUTPUT are left open. Two things to keep in mind before copying it: the chain policy is still ACCEPT, so the protection depends entirely on the final `-A INPUT -j DROP` rule (a `-P INPUT DROP` policy fails closed if that rule is ever flushed), and the port rules accept any source, so on a box that should only be reachable from the LAN add a source restriction such as `-s 192.168.1.0/24` to the 22/80/443 rules. Rules entered this way only live in the running kernel — to survive a reboot they have to be restored at boot (e.g. with `iptables-restore` / `ip6tables-restore` from the `iptables-save` output shown below); the example does not cover that step.
IPV4
Code
- root@gbquad4k:~# iptables -L -nv
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 4972 1063K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 367 27328 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
- 10 520 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
- 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
- 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
- 28 7152 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 7385 6576K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
- root@gbquad4k:~#
- root@gbquad4k:~# iptables-save
- # Generated by iptables-save v1.6.2 on Sun Sep 1 17:50:42 2019
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -j DROP
- -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A OUTPUT -o lo -j ACCEPT
- COMMIT
- # Completed on Sun Sep 1 17:50:42 2019
IPV6 (caveat: this ruleset has no ICMPv6 accept rule before the final DROP, so Neighbor Discovery packets from other hosts — router/neighbor solicitations and advertisements, ICMPv6 types 133–137 — fall through to `-A INPUT -j DROP`; with them dropped the box cannot be resolved by its neighbours and IPv6 connectivity breaks. For a working IPv6 host insert at least `ip6tables -I INPUT 1 -p ipv6-icmp -j ACCEPT`, or a narrower rule that accepts the ND types and Packet Too Big (type 2), ahead of the DROP.)
Code
- root@gbquad4k:~# ip6tables -L -nv
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 12 1824 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
- 0 0 ACCEPT tcp * * ::/0 ::/0 state NEW tcp dpt:22
- 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:80
- 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:443
- 0 0 ACCEPT all lo * ::/0 ::/0
- 2 922 DROP all * * ::/0 ::/0
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 1 packets, 117 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
- 0 0 ACCEPT all * lo ::/0 ::/0
- root@gbquad4k:~#
- root@gbquad4k:~# ip6tables-save
- # Generated by ip6tables-save v1.6.2 on Sun Sep 1 17:50:51 2019
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [1:117]
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -j DROP
- -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A OUTPUT -o lo -j ACCEPT
- COMMIT
- # Completed on Sun Sep 1 17:50:51 2019
Depending on the rules you want to define (e.g. the `tcp` and `state` matches, i.e. xt_tcpudp and xt_state) you need to install the required kernel modules; if a match or target module is missing, iptables refuses the rule (typically with "No chain/target/match by that name"). Note that `-m state` is the legacy alias of `-m conntrack --ctstate`, which needs kernel-module-xt-conntrack instead of kernel-module-xt-state. The modules loaded by the example above:
Code
- root@gbquad4k:~# lsmod | grep -E "^ip|^xt|^nf"
- nf_conntrack_ipv6 7970 3
- nf_defrag_ipv6 16542 1 nf_conntrack_ipv6
- ip6table_filter 859 1
- ip6_tables 10196 1 ip6table_filter
- nf_conntrack_ipv4 7603 2
- nf_defrag_ipv4 1175 1 nf_conntrack_ipv4
- xt_state 909 5
- nf_conntrack 60046 3 xt_state,nf_conntrack_ipv4,nf_conntrack_ipv6
- xt_tcpudp 2629 6
- iptable_filter 912 1
- ip_tables 10917 1 iptable_filter
- root@gbquad4k:~#
Available kernel-modules (extract):
Code
- root@gbquad4k:~# opkg list | grep -E "^kernel-module-ip-table|^kernel-module-ip6-table|^kernel-module-x-|^kernel-module-xt-|^kernel-module-nf-"
- kernel-module-ip-tables-4.1.20-1.9 - 4.1.20-r10 - ip-tables kernel module
- kernel-module-ip6-tables-4.1.20-1.9 - 4.1.20-r10 - ip6-tables kernel module
- kernel-module-nf-conntrack-4.1.20-1.9 - 4.1.20-r10 - nf-conntrack kernel module
- kernel-module-nf-conntrack-broadcast-4.1.20-1.9 - 4.1.20-r10 - nf-conntrack-broadcast kernel module
- kernel-module-nf-conntrack-ftp-4.1.20-1.9 - 4.1.20-r10 - nf-conntrack-ftp kernel module
- kernel-module-nf-conntrack-ipv4-4.1.20-1.9 - 4.1.20-r10 - nf-conntrack-ipv4 kernel module
- kernel-module-nf-conntrack-ipv6-4.1.20-1.9 - 4.1.20-r10 - nf-conntrack-ipv6 kernel module
- kernel-module-nf-conntrack-irc-4.1.20-1.9 - 4.1.20-r10 - nf-conntrack-irc kernel module
- kernel-module-nf-conntrack-netbios-ns-4.1.20-1.9 - 4.1.20-r10 - nf-conntrack-netbios-ns kernel module
- kernel-module-nf-conntrack-netlink-4.1.20-1.9 - 4.1.20-r10 - nf-conntrack-netlink kernel module
- kernel-module-nf-conntrack-sip-4.1.20-1.9 - 4.1.20-r10 - nf-conntrack-sip kernel module
- kernel-module-nf-defrag-ipv4-4.1.20-1.9 - 4.1.20-r10 - nf-defrag-ipv4 kernel module
- kernel-module-nf-defrag-ipv6-4.1.20-1.9 - 4.1.20-r10 - nf-defrag-ipv6 kernel module
- kernel-module-nf-log-common-4.1.20-1.9 - 4.1.20-r10 - nf-log-common kernel module
- kernel-module-nf-log-ipv4-4.1.20-1.9 - 4.1.20-r10 - nf-log-ipv4 kernel module
- kernel-module-nf-log-ipv6-4.1.20-1.9 - 4.1.20-r10 - nf-log-ipv6 kernel module
- kernel-module-nf-nat-4.1.20-1.9 - 4.1.20-r10 - nf-nat kernel module
- kernel-module-nf-nat-ftp-4.1.20-1.9 - 4.1.20-r10 - nf-nat-ftp kernel module
- kernel-module-nf-nat-ipv4-4.1.20-1.9 - 4.1.20-r10 - nf-nat-ipv4 kernel module
- kernel-module-nf-nat-ipv6-4.1.20-1.9 - 4.1.20-r10 - nf-nat-ipv6 kernel module
- kernel-module-nf-nat-irc-4.1.20-1.9 - 4.1.20-r10 - nf-nat-irc kernel module
- kernel-module-nf-nat-masquerade-ipv4-4.1.20-1.9 - 4.1.20-r10 - nf-nat-masquerade-ipv4 kernel module
- kernel-module-nf-nat-masquerade-ipv6-4.1.20-1.9 - 4.1.20-r10 - nf-nat-masquerade-ipv6 kernel module
- kernel-module-nf-nat-redirect-4.1.20-1.9 - 4.1.20-r10 - nf-nat-redirect kernel module
- kernel-module-nf-nat-sip-4.1.20-1.9 - 4.1.20-r10 - nf-nat-sip kernel module
- kernel-module-nf-reject-ipv4-4.1.20-1.9 - 4.1.20-r10 - nf-reject-ipv4 kernel module
- kernel-module-nf-reject-ipv6-4.1.20-1.9 - 4.1.20-r10 - nf-reject-ipv6 kernel module
- kernel-module-nf-tables-4.1.20-1.9 - 4.1.20-r10 - nf-tables kernel module
- kernel-module-nf-tables-inet-4.1.20-1.9 - 4.1.20-r10 - nf-tables-inet kernel module
- kernel-module-nf-tables-ipv4-4.1.20-1.9 - 4.1.20-r10 - nf-tables-ipv4 kernel module
- kernel-module-nf-tables-ipv6-4.1.20-1.9 - 4.1.20-r10 - nf-tables-ipv6 kernel module
- kernel-module-x-tables-4.1.20-1.9 - 4.1.20-r10 - x-tables kernel module
- kernel-module-xt-classify-4.1.20-1.9 - 4.1.20-r10 - xt-classify kernel module
- kernel-module-xt-comment-4.1.20-1.9 - 4.1.20-r10 - xt-comment kernel module
- kernel-module-xt-connbytes-4.1.20-1.9 - 4.1.20-r10 - xt-connbytes kernel module
- kernel-module-xt-connlimit-4.1.20-1.9 - 4.1.20-r10 - xt-connlimit kernel module
- kernel-module-xt-connmark-4.1.20-1.9 - 4.1.20-r10 - xt-connmark kernel module
- kernel-module-xt-conntrack-4.1.20-1.9 - 4.1.20-r10 - xt-conntrack kernel module
- kernel-module-xt-dscp-4.1.20-1.9 - 4.1.20-r10 - xt-dscp kernel module
- kernel-module-xt-ecn-4.1.20-1.9 - 4.1.20-r10 - xt-ecn kernel module
- kernel-module-xt-esp-4.1.20-1.9 - 4.1.20-r10 - xt-esp kernel module
- kernel-module-xt-helper-4.1.20-1.9 - 4.1.20-r10 - xt-helper kernel module
- kernel-module-xt-hl-4.1.20-1.9 - 4.1.20-r10 - xt-hl kernel module
- kernel-module-xt-length-4.1.20-1.9 - 4.1.20-r10 - xt-length kernel module
- kernel-module-xt-limit-4.1.20-1.9 - 4.1.20-r10 - xt-limit kernel module
- kernel-module-xt-log-4.1.20-1.9 - 4.1.20-r10 - xt-log kernel module
- kernel-module-xt-mac-4.1.20-1.9 - 4.1.20-r10 - xt-mac kernel module
- kernel-module-xt-mark-4.1.20-1.9 - 4.1.20-r10 - xt-mark kernel module
- kernel-module-xt-multiport-4.1.20-1.9 - 4.1.20-r10 - xt-multiport kernel module
- kernel-module-xt-nat-4.1.20-1.9 - 4.1.20-r10 - xt-nat kernel module
- kernel-module-xt-netmap-4.1.20-1.9 - 4.1.20-r10 - xt-netmap kernel module
- kernel-module-xt-policy-4.1.20-1.9 - 4.1.20-r10 - xt-policy kernel module
- kernel-module-xt-recent-4.1.20-1.9 - 4.1.20-r10 - xt-recent kernel module
- kernel-module-xt-redirect-4.1.20-1.9 - 4.1.20-r10 - xt-redirect kernel module
- kernel-module-xt-set-4.1.20-1.9 - 4.1.20-r10 - xt-set kernel module
- kernel-module-xt-state-4.1.20-1.9 - 4.1.20-r10 - xt-state kernel module
- kernel-module-xt-statistic-4.1.20-1.9 - 4.1.20-r10 - xt-statistic kernel module
- kernel-module-xt-tcpmss-4.1.20-1.9 - 4.1.20-r10 - xt-tcpmss kernel module
- kernel-module-xt-tcpudp-4.1.20-1.9 - 4.1.20-r10 - xt-tcpudp kernel module
- kernel-module-xt-time-4.1.20-1.9 - 4.1.20-r10 - xt-time kernel module
- root@gbquad4k:~#