source: freewrt/package/iptables/files/firewall.init@ 583d755

Last change on this file since 583d755 was 583d755, checked in by Thorsten Glaser <tg@…>, 19 years ago
  • change the SYSV init system to add a target "autostart"
  • on system startup, call autostart instead of start
  • on autostart, check /etc/rc.conf for whether the service is enabled and act appropriately; fall through into start target
  • move some pre-startup checks into the start target
  • some whitespace cleanup, when it makes much sense (XXX when I get the person who wrote these scripts...)
  • optimise dropbear a little

ok and approved wbx@

git-svn-id: svn://www.freewrt.org/trunk/freewrt@191 afb5a338-a214-0410-bd46-81f09a774fd1

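#!/bin/sh
# firewall.init -- build (or tear down) the router's iptables ruleset.
#
# Targets:
#   autostart  boot-time entry point; exits quietly when /etc/rc.conf sets
#              firewall=NO, otherwise identical to start
#   start      create the user chains and install the ruleset below
#   stop       flush and delete everything and reset the built-in chains
#              to ACCEPT, i.e. run without a firewall
#   restart    stop, then start
#
# start builds the ruleset from scratch and does not flush first: calling
# it on an already-configured box appends every rule a second time (and the
# "-N" calls fail on the existing chains).  Use restart for that.
#
# Reads: $firewall (from /etc/rc.conf), wan_ifname and lan_ifname (nvram).

. /etc/rc.conf
. /etc/functions.sh

# Interface names.  WAN may be empty on a box without an uplink; every rule
# that refers to the WAN interface is skipped in that case.
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

case "$1" in
autostart|start)
	# sh has no case fall-through (an arm that is not terminated by ";;"
	# is a syntax error in ash/dash, bash and mksh), so autostart shares
	# this arm and applies its rc.conf check here before continuing.
	if [ "$1" = "autostart" ] && [ "$firewall" = "NO" ]; then
		exit 0
	fi

	# user chains: hook points where other scripts append their rules
	# instead of editing the built-in chains
	iptables -N input_rule
	iptables -N output_rule
	iptables -N forwarding_rule

	iptables -t nat -N prerouting_rule
	iptables -t nat -N postrouting_rule

	### INPUT
	### (connections with the router as destination)

	# base case: deny by default, drop conntrack-INVALID packets, accept
	# traffic belonging to connections the router already has
	iptables -P INPUT DROP
	iptables -A INPUT -m state --state INVALID -j DROP
	iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	# drop SYNs that carry no MSS option (TCP option 2); a normal stack
	# sends one on every SYN, so these are scanners or broken senders.
	# (old-style intrapositioned negation; newer iptables spell this
	# "! --tcp-option 2")
	iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP

	#
	# insert accept rule or to jump to new accept-check table here
	#
	iptables -A INPUT -j input_rule

	# allow: everything that did not arrive on the WAN interface.  With
	# no WAN interface configured this accepts from every interface.
	if [ -n "$WAN" ]; then
		iptables -A INPUT \! -i "$WAN" -j ACCEPT
	else
		iptables -A INPUT -j ACCEPT
	fi
	iptables -A INPUT -p icmp -j ACCEPT	# all ICMP, WAN side included
	iptables -A INPUT -p gre -j ACCEPT	# GRE, WAN side included

	# allow ssh from remote.  NOTE: this exposes port 22 towards the WAN
	# by default; drop both rules if remote administration is not wanted.
	# The ACCEPT in the nat table exempts these packets from any DNAT
	# (port-forward) rule later appended to prerouting_rule, so a forward
	# of port 22 cannot capture the router's own ssh.
	# Guarded like the other WAN rules: with an empty $WAN the bare "-i"
	# makes iptables reject the rule.
	if [ -n "$WAN" ]; then
		iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 22 -j ACCEPT
		iptables -A input_rule -i "$WAN" -p tcp --dport 22 -j ACCEPT
	fi

	# reject (what to do with anything not allowed earlier)
	iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
	iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

	### OUTPUT
	### (connections with the router as source)

	# base case
	iptables -P OUTPUT DROP
	iptables -A OUTPUT -m state --state INVALID -j DROP
	iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

	#
	# insert accept rule or to jump to new accept-check table here
	#
	iptables -A OUTPUT -j output_rule

	# allow everything out
	iptables -A OUTPUT -j ACCEPT

	# reject (what to do with anything not allowed earlier); only reached
	# if the blanket ACCEPT above is removed
	iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
	iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

	### FORWARDING
	### (connections routed through the router)

	# base case
	iptables -P FORWARD DROP
	iptables -A FORWARD -m state --state INVALID -j DROP
	# clamp the MSS of new connections to the path MTU (uplinks with a
	# smaller MTU than the LAN)
	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
	iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

	#
	# insert accept rule or to jump to new accept-check table here
	#
	iptables -A FORWARD -j forwarding_rule

	# allow: within the LAN bridge (hard-coded br0) and LAN to WAN.
	# Nothing coming from the WAN side is forwarded unless a rule in
	# forwarding_rule accepts it.
	iptables -A FORWARD -i br0 -o br0 -j ACCEPT
	[ -z "$WAN" ] || iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT

	# reject (what to do with anything not allowed earlier)
	# uses the default -P DROP

	### MASQ
	iptables -t nat -A PREROUTING -j prerouting_rule
	iptables -t nat -A POSTROUTING -j postrouting_rule
	[ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
	;;
stop)
	## CLEAR TABLES
	# Reset the built-in policies as well: flushing alone leaves empty
	# chains with the DROP policies set by start, which cuts off every
	# connection to and through the router (including the session that
	# ran this script) until start is run again.  "stop" therefore means
	# "no firewall at all" -- the box is fully exposed until start.
	for C in INPUT OUTPUT FORWARD; do
		iptables -P "$C" ACCEPT
	done
	for T in filter nat; do
		iptables -t "$T" -F
		iptables -t "$T" -X
	done
	;;
restart)
	"$0" stop
	"$0" start
	;;
*)
	echo "Usage: $0 {start | stop | restart}" >&2
	exit 1
	;;
esac
exit 0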