Overview

This guide provides instructions for network administrators who need to implement specific network access policies that are not covered by the standard firewall settings on a Robustel gateway. If you need to create advanced, customized firewall rules—such as allowing or blocking traffic from specific IP addresses or ports using iptables syntax—this can be accomplished through the Command Line Interface (CLI) of RobustOS. This method offers granular control over network traffic for enhanced security.

What You'll Need

To ensure a smooth configuration process, please have the following ready before you begin:

Hardware List:

• 1 x Robustel Gateway (e.g.,R1520, etc.) running RobustOS
• 1 x Ethernet cable or console cable for CLI access
• 1 x PC for accessing the gateway's CLI

Software/Firmware:

• RobustOS firmware that supports CLI commands.
• A terminal emulation application (e.g., PuTTY, Tera Term) for SSH or serial connection.

Other Considerations:

• Basic knowledge of iptables syntax is highly recommended, as incorrect rules can disrupt network connectivity.
• Ensure you have administrator access credentials for the gateway's CLI.
• Do not reboot the device until you have saved the configuration, or your changes will be lost.

Step-by-Step Configuration Guide

This process is divided into two main stages: creating a rule entry and defining its content.

Step 1: Add a New Firewall Rule Entry

First, you need to create a placeholder for your new custom rule in the firewall's custom list. Each rule requires a unique index number.

1. Access your gateway's CLI via SSH or a serial connection.
2. Enter the following command to create a new rule entry. In this example, we use 1 as the index number. If index 1 is already in use, choose another number (e.g., 2, 3).

add firewall custom_list 1

You should see a confirmation message, similar to this:

OK

Step 2: Configure the Rule's Content and Description

Once the entry is created, you need to define the actual iptables rule that will be executed.

1. Use the set firewall custom_list command to define the rule. The rule itself must be enclosed in double quotes (") and follow standard iptables syntax. For this example, we will create a rule to accept all incoming traffic from the IP address 192.168.1.100. The -I INPUT argument inserts the rule at the beginning of the INPUT chain.

set firewall custom_list 1 rule "-I INPUT -s 192.168.1.100 -j ACCEPT"

2. (Optional but Recommended) Add a description to the rule to easily identify its purpose later.

set firewall custom_list 1 desc "Allow My PC"

Step 3: Save and Apply the Configuration

Your changes are staged but will not take effect until you save and apply them to the system's running configuration. This is a critical final step.

1. Execute the following command:

config save_and_apply

2. The system will process the changes and apply the new firewall rule. This may take a few moments.
   

Verification & Testing

After applying the configuration, you should verify that the rule is active and functioning as intended.

1. Check the Configuration: Use the show firewall custom_list command to display all configured custom rules.

show firewall custom_list

The output should display the rule you just created, as shown in the example screenshot below. Look for your rule's index, description, and content.

(Screenshot showing the output of the show firewall custom_list command with the newly created rule highlighted in a red box.)

+---------+----------------------------------------------------+---------------+
| list_id | rule                                               | desc          |
+---------+----------------------------------------------------+---------------+
| 1       | -I INPUT -s 192.168.1.100 -j ACCEPT                | Allow My PC   |
+---------+----------------------------------------------------+---------------+

2. Functional Test: To test the rule, try to access the gateway (e.g., via SSH or its web interface) from the allowed IP address (192.168.1.100). The connection should be successful. Then, try accessing it from a different IP address that is not covered by any other allow rule; the connection should be blocked.

Troubleshooting / FAQ

Q1: I added the rule, but it doesn't seem to be working.

A1:

• Did you save and apply? Ensure you executed the config save_and_apply command after setting the rule. Without it, the changes are not activated.
• Is the syntax correct? Double-check your iptables rule syntax. It must be 100% correct. You can refer to online iptables documentation for assistance.
• Rule Order:iptables rules are processed in order. If a more general DROP rule comes before your specific ACCEPT rule in the chain, your rule may never be reached. Using -I (insert) instead of -A (append) places your rule at the top of the chain, which is often a good strategy for testing.

Q2: How can I delete a custom rule?

A2: Use the del firewall custom_list <list_id> command, replacing <list_id> with the index number of the rule you want to remove. For example, to delete the rule we created:

del firewall custom_list 1

Remember to run config save_and_apply afterward to make the deletion effective.

Q3: How do I see all the custom rules I have created?

A3: Use the show firewall custom_list command. This will display a table of all currently configured custom firewall rules along with their index numbers, content, and descriptions.

Q4: Can I edit an existing rule?

A4: Yes. You can simply use the set firewall custom_list <list_id> rule "..." command again with the same index number but a new rule string. This will overwrite the previous rule content. Don't forget to config save_and_apply.

Revision History