include $(TOPDIR)/rules.mk
PKG_NAME:=base-files
-PKG_RELEASE:=7
+PKG_RELEASE:=8
PKG_BUILD_DIR:=$(BUILD_DIR)/base-files
include $(TOPDIR)/package/rules.mk
+++ /dev/null
-# RULE SYNTAX:
-#
-# forward:<match>:<target>[:<port>]
-# - forwards all packets matched by <match> to <target>,
-# optionally changing the port to <port>
-#
-# accept:<match>
-# - accepts all traffic matched by <match>
-#
-# drop:<match>
-# - drops all traffic matched by <match>
-#
-#
-# MATCHING OPTIONS:
-#
-# src=<ip>
-# - match the source ip <ip>
-#
-# dest=<ip>
-# - match the destination ip <ip>
-#
-# proto=<proto>
-# - match the protocol by name or number
-#
-# sport=<port(s)>
-# - match the source port(s), see below for syntax
-#
-# dport=<port(s)>
-# - match the destination port(s), see below for syntax
-#
-#
-#
-# PORT SYNTAX:
-#
-# You can enter an arbitrary list of ports and port ranges in the following format:
-# - 22,53,993,1000-1024
-#
-# If you don't set the protocol to tcp or udp, it will apply to both
-#
-#
-#
-# EXAMPLES:
-#
-# drop:dport=22 src=1.3.3.7
-# accept:proto=tcp dport=22
-# forward:dport=60168:192.168.1.2:60169
+++ /dev/null
-#!/bin/sh
-. /etc/functions.sh
-
-WAN=$(nvram get wan_ifname)
-LAN=$(nvram get lan_ifname)
-
-iptables -F input_rule
-iptables -F output_rule
-iptables -F forwarding_rule
-iptables -t nat -F prerouting_rule
-iptables -t nat -F postrouting_rule
-
-### BIG FAT DISCLAIMER
-## The "-i $WAN" is used to match packets that come in via the $WAN interface.
-## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able
-## to see the effects from within the LAN.
-
-### Open port to WAN
-## -- This allows port 22 to be answered by (dropbear on) the router
-# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
-# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
-
-### Port forwarding
-## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
-# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
-# iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
-
-### DMZ
-## -- Connections to ports not handled above will be forwarded to 192.168.1.2
-# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
-# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
+++ /dev/null
-#!/bin/sh
-
-## Please make changes in /etc/firewall.user
-
-. /etc/functions.sh
-WAN=$(nvram get wan_ifname)
-LAN=$(nvram get lan_ifname)
-
-## CLEAR TABLES
-for T in filter nat; do
- iptables -t $T -F
- iptables -t $T -X
-done
-
-iptables -N input_rule
-iptables -N output_rule
-iptables -N forwarding_rule
-
-iptables -t nat -N prerouting_rule
-iptables -t nat -N postrouting_rule
-
-### INPUT
-### (connections with the router as destination)
-
- # base case
- iptables -P INPUT DROP
- iptables -A INPUT -m state --state INVALID -j DROP
- iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
-
- #
- # insert accept rule or to jump to new accept-check table here
- #
- iptables -A INPUT -j input_rule
-
- # allow
- iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
- iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
- iptables -A INPUT -p gre -j ACCEPT # allow GRE
-
- # reject (what to do with anything not allowed earlier)
- iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
- iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
-
-### OUTPUT
-### (connections with the router as source)
-
- # base case
- iptables -P OUTPUT DROP
- iptables -A OUTPUT -m state --state INVALID -j DROP
- iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- #
- # insert accept rule or to jump to new accept-check table here
- #
- iptables -A OUTPUT -j output_rule
-
- # allow
- iptables -A OUTPUT -j ACCEPT #allow everything out
-
- # reject (what to do with anything not allowed earlier)
- iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
- iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-
-### FORWARDING
-### (connections routed through the router)
-
- # base case
- iptables -P FORWARD DROP
- iptables -A FORWARD -m state --state INVALID -j DROP
- iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- #
- # insert accept rule or to jump to new accept-check table here
- #
- iptables -A FORWARD -j forwarding_rule
-
- # allow
- iptables -A FORWARD -i br0 -o br0 -j ACCEPT
- iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
-
- # reject (what to do with anything not allowed earlier)
- # uses the default -P DROP
-
-### MASQ
- iptables -t nat -A PREROUTING -j prerouting_rule
- iptables -t nat -A POSTROUTING -j postrouting_rule
- iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
-
-## USER RULES
-[ -f /etc/firewall.user ] && . /etc/firewall.user
-[ -e /etc/config/firewall ] && {
- awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
-}
+++ /dev/null
-BEGIN {
- print "proto=\"$(nvram get wan_proto)\""
- print "[ -z \"$proto\" -o \"$proto\" = \"none\" ] && exit"
- print "ifname=\"$(nvram get wan_ifname)\""
- print "[ -z \"$ifname\" ] && exit"
- print ""
- print "iptables -X input_$ifname 2>&- >&-"
- print "iptables -N input_$ifname"
- print "iptables -X forward_$ifname 2>&- >&-"
- print "iptables -N forward_$ifname"
- print "iptables -t nat -X prerouting_$ifname 2>&- >&-"
- print "iptables -t nat -N prerouting_$ifname"
- print ""
- print "iptables -A input_rule -i \"$ifname\" -j input_$ifname"
- print "iptables -A forwarding_rule -i \"$ifname\" -j forward_$ifname"
- print "iptables -t nat -A prerouting_rule -i \"$ifname\" -j prerouting_$ifname"
- print ""
- FS=":"
-}
-
-($1 == "accept") || ($1 == "drop") || ($1 == "forward") {
- delete _opt
- str2data($2)
- if ((_l["proto"] == "") && (_l["sport"] _l["dport"] != "")) {
- _opt[0] = " -p tcp"
- _opt[1] = " -p udp"
- } else {
- _opt[0] = ""
- }
-}
-
-($1 == "accept") {
- target = " -j ACCEPT"
- for (o in _opt) {
- print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) target
- print "iptables -A input_$ifname " _opt[o] str2ipt($2) target
- print ""
- }
-}
-
-($1 == "drop") {
- for (o in _opt) {
- print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) " -j DROP"
- print ""
- }
-}
-
-($1 == "forward") {
- target = " -j DNAT --to " $3
- fwopts = ""
- if ($4 != "") {
- if ((_l["proto"] == "tcp") || (_l["proto"] == "udp") || (_l["proto"] == "")) {
- if (_l["proto"] != "") fwopts = " -p " _l["proto"]
- fwopts = fwopts " --dport " $4
- target = target ":" $4
- }
- else fwopts = ""
- }
- for (o in _opt) {
- print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) target
- print "iptables -A forward_$ifname " _opt[o] " -d " $3 fwopts " -j ACCEPT"
- print ""
- }
-}
-/etc/config/firewall
-/etc/firewall.user
/etc/group
/etc/hosts
/etc/ipkg.conf
PKG_NAME:=iptables
PKG_VERSION:=1.3.3
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_MD5SUM:=86d88455520cfdc56fd7ae27897a80a4
PKG_SOURCE_URL:=http://www.netfilter.org/files \
touch $@
$(IPKG_IPTABLES):
+ install -d -m0755 $(IDIR_IPTABLES)/etc/config
+ install -m0644 ./files/firewall.config $(IDIR_IPTABLES)/etc/config/firewall
+ install -d -m0755 $(IDIR_IPTABLES)/etc/init.d
+ install -m0755 ./files/firewall.init $(IDIR_IPTABLES)/etc/init.d/S45firewall
+ install -m0755 ./files/firewall.user $(IDIR_IPTABLES)/etc/
+ install -d -m0755 $(IDIR_IPTABLES)/usr/lib
+ install -m0644 ./files/firewall.awk $(IDIR_IPTABLES)/usr/lib
install -d -m0755 $(IDIR_IPTABLES)/usr/sbin
cp -fpR $(PKG_INSTALL_DIR)/usr/sbin/iptables $(IDIR_IPTABLES)/usr/sbin/
install -d -m0755 $(IDIR_IPTABLES)/usr/lib/iptables
--- /dev/null
+BEGIN {
+ print "proto=\"$(nvram get wan_proto)\""
+ print "[ -z \"$proto\" -o \"$proto\" = \"none\" ] && exit"
+ print "ifname=\"$(nvram get wan_ifname)\""
+ print "[ -z \"$ifname\" ] && exit"
+ print ""
+ print "iptables -X input_$ifname 2>&- >&-"
+ print "iptables -N input_$ifname"
+ print "iptables -X forward_$ifname 2>&- >&-"
+ print "iptables -N forward_$ifname"
+ print "iptables -t nat -X prerouting_$ifname 2>&- >&-"
+ print "iptables -t nat -N prerouting_$ifname"
+ print ""
+ print "iptables -A input_rule -i \"$ifname\" -j input_$ifname"
+ print "iptables -A forwarding_rule -i \"$ifname\" -j forward_$ifname"
+ print "iptables -t nat -A prerouting_rule -i \"$ifname\" -j prerouting_$ifname"
+ print ""
+ FS=":"
+}
+
+($1 == "accept") || ($1 == "drop") || ($1 == "forward") {
+ delete _opt
+ str2data($2)
+ if ((_l["proto"] == "") && (_l["sport"] _l["dport"] != "")) {
+ _opt[0] = " -p tcp"
+ _opt[1] = " -p udp"
+ } else {
+ _opt[0] = ""
+ }
+}
+
+($1 == "accept") {
+ target = " -j ACCEPT"
+ for (o in _opt) {
+ print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) target
+ print "iptables -A input_$ifname " _opt[o] str2ipt($2) target
+ print ""
+ }
+}
+
+($1 == "drop") {
+ for (o in _opt) {
+ print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) " -j DROP"
+ print ""
+ }
+}
+
+($1 == "forward") {
+ target = " -j DNAT --to " $3
+ fwopts = ""
+ if ($4 != "") {
+ if ((_l["proto"] == "tcp") || (_l["proto"] == "udp") || (_l["proto"] == "")) {
+ if (_l["proto"] != "") fwopts = " -p " _l["proto"]
+ fwopts = fwopts " --dport " $4
+ target = target ":" $4
+ }
+ else fwopts = ""
+ }
+ for (o in _opt) {
+ print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) target
+ print "iptables -A forward_$ifname " _opt[o] " -d " $3 fwopts " -j ACCEPT"
+ print ""
+ }
+}
--- /dev/null
+# RULE SYNTAX:
+#
+# forward:<match>:<target>[:<port>]
+# - forwards all packets matched by <match> to <target>,
+# optionally changing the port to <port>
+#
+# accept:<match>
+# - accepts all traffic matched by <match>
+#
+# drop:<match>
+# - drops all traffic matched by <match>
+#
+#
+# MATCHING OPTIONS:
+#
+# src=<ip>
+# - match the source ip <ip>
+#
+# dest=<ip>
+# - match the destination ip <ip>
+#
+# proto=<proto>
+# - match the protocol by name or number
+#
+# sport=<port(s)>
+# - match the source port(s), see below for syntax
+#
+# dport=<port(s)>
+# - match the destination port(s), see below for syntax
+#
+#
+#
+# PORT SYNTAX:
+#
+# You can enter an arbitrary list of ports and port ranges in the following format:
+# - 22,53,993,1000-1024
+#
+# If you don't set the protocol to tcp or udp, it will apply to both
+#
+#
+#
+# EXAMPLES:
+#
+# drop:dport=22 src=1.3.3.7
+# accept:proto=tcp dport=22
+# forward:dport=60168:192.168.1.2:60169
--- /dev/null
+#!/bin/sh
+
+## Please make changes in /etc/firewall.user
+
+. /etc/functions.sh
+WAN=$(nvram get wan_ifname)
+LAN=$(nvram get lan_ifname)
+
+## CLEAR TABLES
+for T in filter nat; do
+ iptables -t $T -F
+ iptables -t $T -X
+done
+
+iptables -N input_rule
+iptables -N output_rule
+iptables -N forwarding_rule
+
+iptables -t nat -N prerouting_rule
+iptables -t nat -N postrouting_rule
+
+### INPUT
+### (connections with the router as destination)
+
+ # base case
+ iptables -P INPUT DROP
+ iptables -A INPUT -m state --state INVALID -j DROP
+ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
+
+ #
+ # insert accept rule or to jump to new accept-check table here
+ #
+ iptables -A INPUT -j input_rule
+
+ # allow
+ iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
+ iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
+ iptables -A INPUT -p gre -j ACCEPT # allow GRE
+
+ # reject (what to do with anything not allowed earlier)
+ iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
+
+### OUTPUT
+### (connections with the router as source)
+
+ # base case
+ iptables -P OUTPUT DROP
+ iptables -A OUTPUT -m state --state INVALID -j DROP
+ iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ #
+ # insert accept rule or to jump to new accept-check table here
+ #
+ iptables -A OUTPUT -j output_rule
+
+ # allow
+ iptables -A OUTPUT -j ACCEPT #allow everything out
+
+ # reject (what to do with anything not allowed earlier)
+ iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+
+### FORWARDING
+### (connections routed through the router)
+
+ # base case
+ iptables -P FORWARD DROP
+ iptables -A FORWARD -m state --state INVALID -j DROP
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ #
+ # insert accept rule or to jump to new accept-check table here
+ #
+ iptables -A FORWARD -j forwarding_rule
+
+ # allow
+ iptables -A FORWARD -i br0 -o br0 -j ACCEPT
+ iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+
+ # reject (what to do with anything not allowed earlier)
+ # uses the default -P DROP
+
+### MASQ
+ iptables -t nat -A PREROUTING -j prerouting_rule
+ iptables -t nat -A POSTROUTING -j postrouting_rule
+ iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
+
+## USER RULES
+[ -f /etc/firewall.user ] && . /etc/firewall.user
+[ -e /etc/config/firewall ] && {
+ awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
+}
--- /dev/null
+#!/bin/sh
+. /etc/functions.sh
+
+WAN=$(nvram get wan_ifname)
+LAN=$(nvram get lan_ifname)
+
+iptables -F input_rule
+iptables -F output_rule
+iptables -F forwarding_rule
+iptables -t nat -F prerouting_rule
+iptables -t nat -F postrouting_rule
+
+### BIG FAT DISCLAIMER
+## The "-i $WAN" is used to match packets that come in via the $WAN interface.
+## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able
+## to see the effects from within the LAN.
+
+### Open port to WAN
+## -- This allows port 22 to be answered by (dropbear on) the router
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+
+### Port forwarding
+## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
+# iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
+
+### DMZ
+## -- Connections to ports not handled above will be forwarded to 192.168.1.2
+# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
+# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
--- /dev/null
+/etc/config/firewall
+/etc/firewall.user
projects / openwrt / svn-archive / openwrt.git / commitdiff