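#!/bin/sh
#
# Base packet-filter policy for the router.  Builds the INPUT / OUTPUT /
# FORWARD skeleton, the NAT hooks and the empty extension chains
# (input_rule, output_rule, forwarding_rule, prerouting_rule,
# postrouting_rule) that local customisation hooks into.
#
## Please make changes in /etc/firewall.user
#
# Inputs : /etc/config/network must define wan_ifname and lan_ifname.
# Runs as root: /etc/firewall.user is sourced into this shell and the
# rules rendered from /etc/config/firewall are piped into ash, so both
# files are effectively executable configuration and must stay writable
# by root only.

. /etc/config/network
WAN="$wan_ifname"
LAN="$lan_ifname"

## FAIL CLOSED WHILE RELOADING
# Set the built-in chain policies to DROP *before* flushing.  Otherwise the
# interval between "old rules flushed" and "new rules loaded" runs under
# whatever policy was in effect previously (ACCEPT on a fresh boot).
for CHAIN in INPUT OUTPUT FORWARD; do
  iptables -P "$CHAIN" DROP
done

## CLEAR TABLES
for T in filter nat; do
  iptables -t "$T" -F   # flush every rule in the table
  iptables -t "$T" -X   # delete all user-defined chains (recreated below)
done

# extension chains; each built-in chain jumps into its counterpart below
iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule

iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

### INPUT
### (connections with the router as destination)

# base case (policy DROP was already applied before the flush)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop SYN segments that carry no MSS option (TCP option 2)
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP

#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule

# allow
# With a WAN interface, accept from every interface except the WAN.
# Without one there is no untrusted side, so everything is accepted.
if [ -n "$WAN" ]; then
  iptables -A INPUT \! -i "$WAN" -j ACCEPT
else
  iptables -A INPUT -j ACCEPT
fi
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE

# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
### (connections with the router as source)

# base case (policy DROP was already applied before the flush)
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule

# allow
iptables -A OUTPUT -j ACCEPT #allow everything out

# reject (what to do with anything not allowed earlier)
# Only reached if the unconditional ACCEPT above is removed or narrowed.
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
### (connections routed through the router)

# base case (policy DROP was already applied before the flush)
iptables -A FORWARD -m state --state INVALID -j DROP
# clamp MSS on forwarded SYNs so PMTU black holes behind NAT do not stall
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule

# allow
# br0 is hard-coded here rather than taken from $LAN — presumably the LAN
# bridge; confirm it matches lan_ifname on this system.
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
# LAN -> WAN forwarding needs both names; with an empty $LAN the original
# unquoted form produced a malformed iptables call instead of a rule.
if [ -n "$WAN" ] && [ -n "$LAN" ]; then
  iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
fi

# reject (what to do with anything not allowed earlier)
# uses the default -P DROP

### MASQ
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
[ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

## USER RULES
# sourced into this (root) shell, not executed as a subprocess
[ -f /etc/firewall.user ] && . /etc/firewall.user

# /etc/config/firewall is rendered to shell commands by the awk helpers
# and executed by ash.  An if-block rather than `&&` so that the script
# does not exit non-zero merely because there is no WAN interface.
if [ -n "$WAN" ] && [ -e /etc/config/firewall ]; then
  awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
fi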