2 # Copyright (C) 2008 John Crispin <blogic@openwrt.org>
6 IPTABLES
="echo iptables"
17 ZONE_LIST
=$CONFIG_SECTION
25 config_get input
$1 input
26 config_get output
$1 output
27 config_get forward
$1 forward
29 DEF_INPUT
="${input:-$DEF_INPUT}"
30 DEF_OUTPUT
="${output:-$DEF_OUTPUT}"
31 DEF_FORWARD
="${forward:-$DEF_FORWARD}"
37 [ "$1" == "loopback" ] && return
39 config_get exists
$ZONE_LIST $1
40 [ -n "$exists" ] && return
41 config_set
$ZONE_LIST $1 1
44 $IPTABLES -N zone_
$1_MSSFIX
45 $IPTABLES -N zone_
$1_ACCEPT
46 $IPTABLES -N zone_
$1_DROP
47 $IPTABLES -N zone_
$1_REJECT
48 $IPTABLES -N zone_
$1_forward
49 $IPTABLES -A zone_
$1_forward -j zone_
$1_$5
50 $IPTABLES -A zone_
$1 -j zone_
$1_$3
51 $IPTABLES -A output
-j zone_
$1_$4
52 $IPTABLES -N zone_
$1_nat -t nat
53 $IPTABLES -N zone_
$1_prerouting -t nat
54 [ "$6" == "1" ] && $IPTABLES -t nat
-A POSTROUTING
-j zone_
$1_nat
63 config_get n_if core
"${network}_ifname"
64 config_get n_zone core
"${network}_zone"
66 if [ "$n_zone" != "$zone" ]; then
67 delif
"$network" "$n_if" "$n_zone"
73 logger
"adding $network ($ifname) to firewall zone $zone"
74 $IPTABLES -A input
-i "$ifname" -j zone_
${zone}
75 $IPTABLES -I zone_
${zone}_MSSFIX
1 -o "$ifname" -p tcp
--tcp-flags SYN
,RST SYN
-j TCPMSS
--clamp-mss-to-pmtu
76 $IPTABLES -I zone_
${zone}_ACCEPT
1 -o "$ifname" -j ACCEPT
77 $IPTABLES -I zone_
${zone}_DROP
1 -o "$ifname" -j DROP
78 $IPTABLES -I zone_
${zone}_REJECT
1 -o "$ifname" -j reject
79 $IPTABLES -I zone_
${zone}_ACCEPT
1 -i "$ifname" -j ACCEPT
80 $IPTABLES -I zone_
${zone}_DROP
1 -i "$ifname" -j DROP
81 $IPTABLES -I zone_
${zone}_REJECT
1 -i "$ifname" -j reject
82 $IPTABLES -I zone_
${zone}_nat
1 -t nat
-o "$ifname" -j MASQUERADE
83 $IPTABLES -I PREROUTING
1 -t nat
-i "$ifname" -j zone_
${zone}_prerouting
84 $IPTABLES -A forward
-i "$ifname" -j zone_
${zone}_forward
85 uci_set_state firewall core
"${network}_ifname" "$ifname"
86 uci_set_state firewall core
"${network}_zone" "$zone"
87 ACTION
=add ZONE
="$zone" INTERFACE
="$network" DEVICE
="$ifname" /sbin
/hotplug-call firewall
95 logger
"removing $network ($ifname) from firewall zone $zone"
96 $IPTABLES -D input
-i "$ifname" -j zone_
$zone
97 $IPTABLES -D zone_
${zone}_MSSFIX
-o "$ifname" -p tcp
--tcp-flags SYN
,RST SYN
-j TCPMSS
--clamp-mss-to-pmtu
98 $IPTABLES -D zone_
${zone}_ACCEPT
-o "$ifname" -j ACCEPT
99 $IPTABLES -D zone_
${zone}_DROP
-o "$ifname" -j DROP
100 $IPTABLES -D zone_
${zone}_REJECT
-o "$ifname" -j reject
101 $IPTABLES -D zone_
${zone}_ACCEPT
-i "$ifname" -j ACCEPT
102 $IPTABLES -D zone_
${zone}_DROP
-i "$ifname" -j DROP
103 $IPTABLES -D zone_
${zone}_REJECT
-i "$ifname" -j reject
104 $IPTABLES -D zone_
${zone}_nat
-t nat
-o "$ifname" -j MASQUERADE
105 $IPTABLES -D PREROUTING
-t nat
-i "$ifname" -j zone_
${zone}_prerouting
106 $IPTABLES -D forward
-i "$ifname" -j zone_
${zone}_forward
107 uci_revert_state firewall core
"${network}_ifname"
108 uci_revert_state firewall core
"${network}_zone"
109 ACTION
=remove ZONE
="$zone" INTERFACE
="$network" DEVICE
="$ifname" /sbin
/hotplug-call firewall
115 echo "Loading synflood protection"
116 $IPTABLES -N syn_flood
117 $IPTABLES -A syn_flood
-p tcp
--syn -m limit
--limit $rate/second
--limit-burst $burst -j RETURN
118 $IPTABLES -A syn_flood
-j DROP
119 $IPTABLES -A INPUT
-p tcp
--syn -j syn_flood
122 fw_set_chain_policy
() {
125 [ "$target" == "REJECT" ] && {
126 $IPTABLES -A $chain -j reject
129 $IPTABLES -P $chain $target
140 [ -n "$DEFAULTS_APPLIED" ] && {
141 echo "Error: multiple defaults sections detected"
148 echo 1 > /proc
/sys
/net
/ipv
4/tcp_syncookies
149 for f
in /proc
/sys
/net
/ipv
4/conf
/*/accept_redirects
153 for f
in /proc
/sys
/net
/ipv
4/conf
/*/accept_source_route
158 uci_revert_state firewall core
159 uci_set_state firewall core
"" firewall_state
161 $IPTABLES -P INPUT DROP
162 $IPTABLES -P OUTPUT DROP
163 $IPTABLES -P FORWARD DROP
167 config_get_bool drop_invalid
$1 drop_invalid
1
169 [ "$drop_invalid" -gt 0 ] && {
170 $IPTABLES -A INPUT
-m state
--state INVALID
-j DROP
171 $IPTABLES -A OUTPUT
-m state
--state INVALID
-j DROP
172 $IPTABLES -A FORWARD
-m state
--state INVALID
-j DROP
175 $IPTABLES -A INPUT
-m state
--state RELATED
,ESTABLISHED
-j ACCEPT
176 $IPTABLES -A OUTPUT
-m state
--state RELATED
,ESTABLISHED
-j ACCEPT
177 $IPTABLES -A FORWARD
-m state
--state RELATED
,ESTABLISHED
-j ACCEPT
179 $IPTABLES -A INPUT
-i lo
-j ACCEPT
180 $IPTABLES -A OUTPUT
-o lo
-j ACCEPT
182 config_get syn_flood
$1 syn_flood
183 config_get syn_rate
$1 syn_rate
184 config_get syn_burst
$1 syn_burst
185 [ "$syn_flood" == "1" ] && load_synflood
$syn_rate $syn_burst
187 echo "Adding custom chains"
194 $IPTABLES -A INPUT
-j input
195 $IPTABLES -A OUTPUT
-j output
196 $IPTABLES -A FORWARD
-j forward
199 $IPTABLES -A reject
-p tcp
-j REJECT
--reject-with tcp-reset
200 $IPTABLES -A reject
-j REJECT
--reject-with icmp-port-unreachable
202 fw_set_chain_policy INPUT
"$DEF_INPUT"
203 fw_set_chain_policy OUTPUT
"$DEF_OUTPUT"
204 fw_set_chain_policy FORWARD
"$DEF_FORWARD"
212 config_get name
$1 name
213 config_get network
$1 network
214 config_get masq
$1 masq
217 [ -z "$network" ] && network
=$name
218 create_zone
"$name" "$network" "$input" "$output" "$forward" "$masq"
219 fw_custom_chains_zone
"$name"
235 config_get src
$1 src
236 config_get src_ip
$1 src_ip
237 config_get src_mac
$1 src_mac
238 config_get src_port
$1 src_port
239 config_get dest
$1 dest
240 config_get dest_ip
$1 dest_ip
241 config_get dest_port
$1 dest_port
242 config_get proto
$1 proto
243 config_get target
$1 target
244 config_get ruleset
$1 ruleset
246 src_port_first
=${src_port%-*}
247 src_port_last
=${src_port#*-}
248 [ "$src_port_first" -ne "$src_port_last" ] && { \
249 src_port
="$src_port_first:$src_port_last"; }
251 dest_port_first
=${dest_port%-*}
252 dest_port_last
=${dest_port#*-}
253 [ "$dest_port_first" -ne "$dest_port_last" ] && { \
254 dest_port
="$dest_port_first:$dest_port_last"; }
258 [ -z "$target" ] && target
=DROP
259 [ -n "$src" -a -z "$dest" ] && ZONE
=zone_
$src
260 [ -n "$src" -a -n "$dest" ] && ZONE
=zone_
${src}_forward
261 [ -n "$dest" ] && TARGET
=zone_
${dest}_
$target
263 $IPTABLES -I $ZONE 1 \
264 ${proto:+-p $proto} \
265 ${src_ip:+-s $src_ip} \
266 ${src_port:+--sport $src_port} \
267 ${src_mac:+-m mac --mac-source $src_mac} \
268 ${dest_ip:+-d $dest_ip} \
269 ${dest_port:+--dport $dest_port} \
272 [ "$proto" == "tcpudp" -o -z "$proto" ] && {
287 config_get src
$1 src
288 config_get dest
$1 dest
289 config_get_bool mtu_fix
$1 mtu_fix
0
290 [ -n "$src" ] && z_src
=zone_
${src}_forward || z_src
=forward
291 [ -n "$dest" ] && z_dest
=zone_
${dest}_ACCEPT || z_dest
=ACCEPT
292 $IPTABLES -I $z_src 1 -j $z_dest
293 [ "$mtu_fix" -gt 0 -a -n "$dest" ] && $IPTABLES -I $z_src 1 -j zone_
${dest}_MSSFIX
303 local dest_port dest_port2
306 config_get src
$1 src
307 config_get src_ip
$1 src_ip
308 config_get src_port
$1 src_port
309 config_get src_dport
$1 src_dport
310 config_get src_mac
$1 src_mac
311 config_get dest_ip
$1 dest_ip
312 config_get dest_port
$1 dest_port
313 config_get proto
$1 proto
314 [ -z "$src" -o -z "$dest_ip" ] && { \
315 echo "redirect needs src and dest_ip"; return ; }
317 src_port_first
=${src_port%-*}
318 src_port_last
=${src_port#*-}
319 [ "$src_port_first" -ne "$src_port_last" ] && { \
320 src_port
="$src_port_first:$src_port_last"; }
322 src_dport_first
=${src_dport%-*}
323 src_dport_last
=${src_dport#*-}
324 [ "$src_dport_first" -ne "$src_dport_last" ] && { \
325 src_dport
="$src_dport_first:$src_dport_last"; }
327 dest_port2
=$dest_port
328 dest_port_first
=${dest_port2%-*}
329 dest_port_last
=${dest_port2#*-}
330 [ "$dest_port_first" -ne "$dest_port_last" ] && { \
331 dest_port2
="$dest_port_first:$dest_port_last"; }
334 $IPTABLES -A zone_
${src}_prerouting
-t nat \
335 ${proto:+-p $proto} \
336 ${src_ip:+-s $src_ip} \
337 ${src_port:+--sport $src_port} \
338 ${src_dport:+--dport $src_dport} \
339 ${src_mac:+-m mac --mac-source $src_mac} \
340 -j DNAT
--to-destination $dest_ip${dest_port:+:$dest_port}
342 $IPTABLES -I zone_
${src}_forward
1 \
343 ${proto:+-p $proto} \
345 ${src_ip:+-s $src_ip} \
346 ${src_port:+--sport $src_port} \
347 ${dest_port2:+--dport $dest_port2} \
348 ${src_mac:+-m mac --mac-source $src_mac} \
351 [ "$proto" == "tcpudp" -o -z "$proto" ] && {
363 config_get path
$1 path
364 [ -e $path ] && .
$path
371 config_get ifname
$1 ifname
372 [ -n "$up" ] ||
return 0
373 (ACTION
="ifup" INTERFACE
="$1" .
/etc
/hotplug.d
/iface
/20-firewall)
377 [ -n "$CUSTOM_CHAINS" ] ||
return 0
378 $IPTABLES -N input_rule
379 $IPTABLES -N output_rule
380 $IPTABLES -N forwarding_rule
381 $IPTABLES -N prerouting_rule
-t nat
382 $IPTABLES -N postrouting_rule
-t nat
384 $IPTABLES -A INPUT
-j input_rule
385 $IPTABLES -A OUTPUT
-j output_rule
386 $IPTABLES -A FORWARD
-j forwarding_rule
387 $IPTABLES -A PREROUTING
-t nat
-j prerouting_rule
388 $IPTABLES -A POSTROUTING
-t nat
-j postrouting_rule
391 fw_custom_chains_zone
() {
394 [ -n "$CUSTOM_CHAINS" ] ||
return 0
395 $IPTABLES -N input_
${zone}
396 $IPTABLES -N forwarding_
${zone}
397 $IPTABLES -N prerouting_
${zone} -t nat
398 $IPTABLES -I zone_
${zone} 1 -j input_
${zone}
399 $IPTABLES -I zone_
${zone}_forward
1 -j forwarding_
${zone}
400 $IPTABLES -I zone_
${zone}_prerouting
1 -t nat
-j prerouting_
${zone}
406 echo "Loading defaults"
407 config_foreach fw_defaults defaults
409 config_foreach fw_zone zone
410 echo "Loading forwarding"
411 config_foreach fw_forwarding forwarding
412 echo "Loading redirects"
413 config_foreach fw_redirect redirect
415 config_foreach fw_rule rule
416 echo "Loading includes"
417 config_foreach fw_include include
418 uci_set_state firewall core loaded
1
421 config_foreach fw_addif interface
426 $IPTABLES -P INPUT ACCEPT
427 $IPTABLES -P OUTPUT ACCEPT
428 $IPTABLES -P FORWARD ACCEPT
429 uci_revert_state firewall core