source: freewrt/package/iptables/files/firewall.init@ 1f0c6bf

#!/bin/sh

. /etc/rc.conf
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

case $1 in
autostart)
        test x"$firewall" = x"NO" && exit 0
        exec $0 start
        ;;
start)
        iptables -N input_rule
        iptables -N output_rule
        iptables -N forwarding_rule

        iptables -t nat -N prerouting_rule
        iptables -t nat -N postrouting_rule

        ### INPUT
        ###  (connections with the router as destination)

        # base case
        iptables -P INPUT DROP
        iptables -A INPUT -m state --state INVALID -j DROP
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

        #
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A INPUT -j input_rule

        # allow
        iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT  # allow from all interfaces except for wan
        iptables -A INPUT -p icmp       -j ACCEPT       # allow ICMP
        iptables -A INPUT -p gre        -j ACCEPT       # allow GRE
        # allow ssh from remote
        iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT 
        iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT

        # reject (what to do with anything not allowed earlier)
        iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
        iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

        ### OUTPUT
        # (connections with the router as source)

        # base case
        iptables -P OUTPUT DROP
        iptables -A OUTPUT -m state --state INVALID -j DROP
        iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

        #
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A OUTPUT -j output_rule

        # allow
        iptables -A OUTPUT -j ACCEPT            #allow everything out

        # reject (what to do with anything not allowed earlier)
        iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
        iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

        ### FORWARDING
        ### (connections routed through the router)

        # base case
        iptables -P FORWARD DROP 
        iptables -A FORWARD -m state --state INVALID -j DROP
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

        #
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A FORWARD -j forwarding_rule

        # allow
        iptables -A FORWARD -i br0 -o br0 -j ACCEPT
        [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

        # reject (what to do with anything not allowed earlier)
        # uses the default -P DROP

        ### MASQ
        iptables -t nat -A PREROUTING -j prerouting_rule
        iptables -t nat -A POSTROUTING -j postrouting_rule
        [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
        ;;
stop)
        ## CLEAR TABLES
        for T in filter nat; do
                iptables -t $T -F
                iptables -t $T -X
        done
        ;;
restart)
        $0 stop
        $0 start
        ;;
*)
        echo "Usage: $0 {start | stop | restart}"
        ;;
esac
exit 0