144 lines
4.1 KiB
Bash
Executable File
144 lines
4.1 KiB
Bash
Executable File
#!/bin/sh /etc/rc.common
|
|
# Copyright (C) 2006 OpenWrt.org
|
|
|
|
## Please make changes in /etc/firewall.user
|
|
START=45
|
|
start() {
|
|
include /lib/network
|
|
scan_interfaces
|
|
config_load /var/state/network
|
|
|
|
config_get WAN wan ifname
|
|
config_get WANDEV wan device
|
|
config_get LAN lan ifname
|
|
config_get_bool NAT_LAN lan nat 1
|
|
if [ $NAT_LAN -ne 0 ]
|
|
then
|
|
config_get LAN_MASK lan netmask
|
|
config_get LAN_IP lan ipaddr
|
|
LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
|
|
fi
|
|
|
|
## CLEAR TABLES
|
|
for T in filter nat; do
|
|
iptables -t $T -F
|
|
iptables -t $T -X
|
|
done
|
|
|
|
iptables -N input_rule
|
|
iptables -N input_wan
|
|
iptables -N output_rule
|
|
iptables -N forwarding_rule
|
|
iptables -N forwarding_wan
|
|
|
|
iptables -t nat -N NEW
|
|
iptables -t nat -N prerouting_rule
|
|
iptables -t nat -N prerouting_wan
|
|
iptables -t nat -N postrouting_rule
|
|
|
|
iptables -N LAN_ACCEPT
|
|
[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
|
|
[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
|
|
iptables -A LAN_ACCEPT -j ACCEPT
|
|
|
|
### INPUT
|
|
### (connections with the router as destination)
|
|
|
|
# base case
|
|
iptables -P INPUT DROP
|
|
iptables -A INPUT -m state --state INVALID -j DROP
|
|
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
|
|
|
|
#
|
|
# insert accept rule or to jump to new accept-check table here
|
|
#
|
|
iptables -A INPUT -j input_rule
|
|
[ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
|
|
|
|
# allow
|
|
iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
|
|
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
|
|
iptables -A INPUT -p gre -j ACCEPT # allow GRE
|
|
|
|
# reject (what to do with anything not allowed earlier)
|
|
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
|
|
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
### OUTPUT
|
|
### (connections with the router as source)
|
|
|
|
# base case
|
|
iptables -P OUTPUT DROP
|
|
iptables -A OUTPUT -m state --state INVALID -j DROP
|
|
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
#
|
|
# insert accept rule or to jump to new accept-check table here
|
|
#
|
|
iptables -A OUTPUT -j output_rule
|
|
|
|
# allow
|
|
iptables -A OUTPUT -j ACCEPT #allow everything out
|
|
|
|
# reject (what to do with anything not allowed earlier)
|
|
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
|
|
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
|
|
|
|
### FORWARDING
|
|
### (connections routed through the router)
|
|
|
|
# base case
|
|
iptables -P FORWARD DROP
|
|
iptables -A FORWARD -m state --state INVALID -j DROP
|
|
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
|
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
#
|
|
# insert accept rule or to jump to new accept-check table here
|
|
#
|
|
iptables -A FORWARD -j forwarding_rule
|
|
[ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
|
|
|
|
# allow
|
|
iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
|
|
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
|
|
|
|
# reject (what to do with anything not allowed earlier)
|
|
# uses the default -P DROP
|
|
|
|
### MASQ
|
|
iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
|
|
iptables -t nat -A PREROUTING -j prerouting_rule
|
|
[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
|
|
iptables -t nat -A POSTROUTING -j postrouting_rule
|
|
### Only LAN, unless told not to
|
|
if [ $NAT_LAN -ne 0 ]
|
|
then
|
|
[ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
|
|
fi
|
|
|
|
iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
|
|
iptables -t nat -A NEW -j DROP
|
|
|
|
## USER RULES
|
|
[ -f /etc/firewall.user ] && . /etc/firewall.user
|
|
[ -n "$WAN" -a -e /etc/config/firewall ] && {
|
|
export WAN
|
|
awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
|
|
}
|
|
}
|
|
|
|
stop() {
|
|
iptables -P INPUT ACCEPT
|
|
iptables -P OUTPUT ACCEPT
|
|
iptables -P FORWARD ACCEPT
|
|
iptables -F
|
|
iptables -X
|
|
iptables -t nat -P PREROUTING ACCEPT
|
|
iptables -t nat -P POSTROUTING ACCEPT
|
|
iptables -t nat -P OUTPUT ACCEPT
|
|
iptables -t nat -F
|
|
iptables -t nat -X
|
|
}
|