source: freewrt/package/iptables/files/firewall.conf@ 2400aa1

freewrt_2_0
Last change on this file since 2400aa1 was b68978d, checked in by Waldemar Brodkorb <wbx@…>, 4 months ago

make the FreeWRT firewall script work, needs more cleanup
  • Property mode set to 100644
File size: 3.1 KB
Line 
1#!/bin/sh
2
3echo "please configure your interfaces and iptables rules"
4exit 1
5### Interfaces
6WAN=eth0.1
7LAN=eth0.0
8WLAN=wlan0
9
10######################################################################
11### Default ruleset
12######################################################################
13
14### Create chains
15iptables -N input_rule
16iptables -N forwarding_rule
17iptables -t nat -N prerouting_rule
18iptables -t nat -N postrouting_rule
19
20### Default policy
21iptables -P INPUT DROP
22iptables -P FORWARD DROP
23
24### INPUT
25### (connections with the router as destination)
26
27# base case
28iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
29iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
30iptables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP
31
32# custom rules
33iptables -A INPUT -j input_rule
34
35# allow access from anything but WAN
36iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
37# allow icmp messages
38iptables -A INPUT -p icmp -j ACCEPT
39
40# reject
41iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
42iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
43
44### OUTPUT
45### (connections with the router as source)
46
47# base case
48iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
49iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
50
51### FORWARD
52### (connections routed through the router)
53
54# base case
55iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
56iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
57iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
58
59# custom rules
60iptables -A FORWARD -j forwarding_rule
61iptables -t nat -A PREROUTING -j prerouting_rule
62iptables -t nat -A POSTROUTING -j postrouting_rule
63
64# allow LAN to INTERNET
65iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
66# allow WLAN to INTERNET
67#iptables -A FORWARD -i $WLAN -o $WAN -j ACCEPT
68# Allow WLAN to LAN
69#iptables -A FORWARD -i $WLAN -o $LAN -j ACCEPT
70
71### MASQUERADING
72echo 1 > /proc/sys/net/ipv4/ip_dynaddr
73iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
74
75######################################################################
76### Default ruleset end
77######################################################################
78
79###
80### Connections to the router
81###
82
83# ssh
84#iptables -A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT
85
86# IPSec
87#iptables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT
88#iptables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT
89
90# OpenVPN
91#iptables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT
92
93# PPTP
94#iptables -A input_rule -i $WAN -p gre -j ACCEPT
95#iptables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
96
97###
98### VPN traffic
99###
100
101# IPSec
102#iptables -A forwarding_rule -o ipsec+ -j ACCEPT
103#iptables -A forwarding_rule -i ipsec+ -j ACCEPT
104
105# OpenVPN
106#iptables -A forwarding_rule -o tun+ -j ACCEPT
107#iptables -A forwarding_rule -i tun+ -j ACCEPT
108
109###
110### Port forwardings to LAN
111###
112
113#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 3389 -j DNAT --to 192.168.1.10
114#iptables -A forwarding_rule -i $WAN -p tcp --dport 3389 -d 192.168.1.10 -j ACCEPT
Note: See TracBrowser for help on using the repository browser.