source: freewrt/package/iptables/files/firewall.init@ 141418f

freewrt_1_0 freewrt_2_0
Last change on this file since 141418f was 141418f, checked in by Waldemar Brodkorb <wbx@…>, 19 years ago
  • remove some obsolete firewall config stuff
  • add old-style network configuration based on nvram
  • add new rc.conf file to configure which services should be started on startup, bsd-ish behavior
  • disable firewall by default in rc.conf, remote update via ssh is now possible. port 22 is open by default on wan side
  • enable suid bit on busybox and add a "admin" user
  • ssh via root is disabled (dropbear -w)
  • default password for "admin" is "FreeWRT", as well as for root please change directly after installation
  • remove telnetd from startup, will be used only for failsafe

git-svn-id: svn://www.freewrt.org/trunk/freewrt@181 afb5a338-a214-0410-bd46-81f09a774fd1
  • Property mode set to 100755
File size: 2.9 KB
Line 
1#!/bin/sh
2
3. /etc/rc.conf
4
5if [ X"${firewall}" == X"NO" ]; then
6 exit 0
7fi
8
9. /etc/functions.sh
10
11WAN=$(nvram get wan_ifname)
12LAN=$(nvram get lan_ifname)
13
14case $1 in
15 start)
16 iptables -N input_rule
17 iptables -N output_rule
18 iptables -N forwarding_rule
19
20 iptables -t nat -N prerouting_rule
21 iptables -t nat -N postrouting_rule
22
23 ### INPUT
24 ### (connections with the router as destination)
25
26 # base case
27 iptables -P INPUT DROP
28 iptables -A INPUT -m state --state INVALID -j DROP
29 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
30 iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
31
32 #
33 # insert accept rule or to jump to new accept-check table here
34 #
35 iptables -A INPUT -j input_rule
36
37 # allow
38 iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT # allow from all interfaces except for wan
39 iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
40 iptables -A INPUT -p gre -j ACCEPT # allow GRE
41 # allow ssh from remote
42 iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
43 iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
44
45 # reject (what to do with anything not allowed earlier)
46 iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
47 iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
48
49 ### OUTPUT
50 # (connections with the router as source)
51
52 # base case
53 iptables -P OUTPUT DROP
54 iptables -A OUTPUT -m state --state INVALID -j DROP
55 iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
56
57 #
58 # insert accept rule or to jump to new accept-check table here
59 #
60 iptables -A OUTPUT -j output_rule
61
62 # allow
63 iptables -A OUTPUT -j ACCEPT #allow everything out
64
65 # reject (what to do with anything not allowed earlier)
66 iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
67 iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
68
69 ### FORWARDING
70 ### (connections routed through the router)
71
72 # base case
73 iptables -P FORWARD DROP
74 iptables -A FORWARD -m state --state INVALID -j DROP
75 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
76 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
77
78 #
79 # insert accept rule or to jump to new accept-check table here
80 #
81 iptables -A FORWARD -j forwarding_rule
82
83 # allow
84 iptables -A FORWARD -i br0 -o br0 -j ACCEPT
85 [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
86
87 # reject (what to do with anything not allowed earlier)
88 # uses the default -P DROP
89
90 ### MASQ
91 iptables -t nat -A PREROUTING -j prerouting_rule
92 iptables -t nat -A POSTROUTING -j postrouting_rule
93 [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
94 ;;
95 stop)
96 ## CLEAR TABLES
97 for T in filter nat; do
98 iptables -t $T -F
99 iptables -t $T -X
100 done
101 ;;
102 restart)
103 $0 stop
104 $0 start
105 ;;
106 *)
107 echo "Usage: $0 {start | stop | restart}"
108 ;;
109esac
110exit 0
Note: See TracBrowser for help on using the repository browser.