#!/bin/sh /etc/rc.common # Copyright (C) 2006 OpenWrt.org ## Please make changes in /etc/firewall.user START=45 start() { include /lib/network scan_interfaces config_load /var/state/network config_get WAN wan ifname config_get WANDEV wan device config_get LAN lan ifname ## CLEAR TABLES for T in filter nat; do iptables -t $T -F iptables -t $T -X done iptables -N input_rule iptables -N input_wan iptables -N output_rule iptables -N forwarding_rule iptables -N forwarding_wan iptables -t nat -N NEW iptables -t nat -N prerouting_rule iptables -t nat -N prerouting_wan iptables -t nat -N postrouting_rule iptables -N LAN_ACCEPT [ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN [ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN iptables -A LAN_ACCEPT -j ACCEPT ### INPUT ### (connections with the router as destination) # base case iptables -P INPUT DROP iptables -A INPUT -m state --state INVALID -j DROP iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP # # insert accept rule or to jump to new accept-check table here # iptables -A INPUT -j input_rule [ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan # allow iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces iptables -A INPUT -p icmp -j ACCEPT # allow ICMP iptables -A INPUT -p gre -j ACCEPT # allow GRE # reject (what to do with anything not allowed earlier) iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable ### OUTPUT ### (connections with the router as source) # base case iptables -P OUTPUT DROP iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # # insert accept rule or to jump to new accept-check table here # iptables -A OUTPUT -j output_rule # allow iptables -A OUTPUT -j ACCEPT #allow everything out # reject (what to do with anything not allowed earlier) iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable ### FORWARDING ### (connections routed through the router) # base case iptables -P FORWARD DROP iptables -A FORWARD -m state --state INVALID -j DROP iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # # insert accept rule or to jump to new accept-check table here # iptables -A FORWARD -j forwarding_rule [ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan # allow iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT # reject (what to do with anything not allowed earlier) # uses the default -P DROP ### MASQ iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW iptables -t nat -A PREROUTING -j prerouting_rule [ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan iptables -t nat -A POSTROUTING -j postrouting_rule ### Only RFC1918 addresses [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src 192.168.0.0/16 -o $WAN -j MASQUERADE [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src 172.16.0.0/12 -o $WAN -j MASQUERADE [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src 10.0.0.0/8 -o $WAN -j MASQUERADE iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \ iptables -t nat -A NEW -j DROP ## USER RULES [ -f /etc/firewall.user ] && . /etc/firewall.user [ -n "$WAN" -a -e /etc/config/firewall ] && { export WAN awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash } } stop() { iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -X iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P POSTROUTING ACCEPT iptables -t nat -P OUTPUT ACCEPT iptables -t nat -F iptables -t nat -X }