Changeset 583d755 in freewrt for package/iptables/files/firewall.init
- Timestamp:
- Jul 12, 2006, 12:40:18 AM (19 years ago)
- Branches:
- freewrt_1_0, freewrt_2_0
- Children:
- 4486a95
- Parents:
- 115d022
- File:
-
- 1 edited
-
package/iptables/files/firewall.init (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
-
package/iptables/files/firewall.init
r115d022 r583d755 2 2 3 3 . /etc/rc.conf 4 5 if [ X"${firewall}" == X"NO" ]; then6 exit 07 fi8 9 4 . /etc/functions.sh 10 5 … … 13 8 14 9 case $1 in 15 start) 16 iptables -N input_rule 17 iptables -N output_rule 18 iptables -N forwarding_rule 10 autostart) 11 test x"$firewall" = x"NO" && exit 0 12 # FALLTHROUGH 13 start) 14 iptables -N input_rule 15 iptables -N output_rule 16 iptables -N forwarding_rule 19 17 20 21 18 iptables -t nat -N prerouting_rule 19 iptables -t nat -N postrouting_rule 22 20 23 24 21 ### INPUT 22 ### (connections with the router as destination) 25 23 26 27 28 29 30 24 # base case 25 iptables -P INPUT DROP 26 iptables -A INPUT -m state --state INVALID -j DROP 27 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 28 iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP 31 29 32 33 34 35 30 # 31 # insert accept rule or to jump to new accept-check table here 32 # 33 iptables -A INPUT -j input_rule 36 34 37 38 39 40 41 42 43 35 # allow 36 iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT # allow from all interfaces except for wan 37 iptables -A INPUT -p icmp -j ACCEPT # allow ICMP 38 iptables -A INPUT -p gre -j ACCEPT # allow GRE 39 # allow ssh from remote 40 iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT 41 iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT 44 42 45 46 47 43 # reject (what to do with anything not allowed earlier) 44 iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset 45 iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable 48 46 49 50 47 ### OUTPUT 48 # (connections with the router as source) 51 49 52 53 54 55 50 # base case 51 iptables -P OUTPUT DROP 52 iptables -A OUTPUT -m state --state INVALID -j DROP 53 iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 56 54 57 58 59 60 55 # 56 # insert accept rule or to jump to new accept-check table here 57 # 58 iptables -A OUTPUT -j output_rule 61 59 62 63 60 # allow 61 iptables -A OUTPUT -j ACCEPT #allow everything out 64 62 65 66 67 63 # reject (what to do with anything not allowed earlier) 64 iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset 65 iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable 68 66 69 70 67 ### FORWARDING 68 ### (connections routed through the router) 71 69 72 73 74 75 76 70 # base case 71 iptables -P FORWARD DROP 72 iptables -A FORWARD -m state --state INVALID -j DROP 73 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 74 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 77 75 78 79 80 81 76 # 77 # insert accept rule or to jump to new accept-check table here 78 # 79 iptables -A FORWARD -j forwarding_rule 82 80 83 84 85 81 # allow 82 iptables -A FORWARD -i br0 -o br0 -j ACCEPT 83 [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT 86 84 87 88 85 # reject (what to do with anything not allowed earlier) 86 # uses the default -P DROP 89 87 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 88 ### MASQ 89 iptables -t nat -A PREROUTING -j prerouting_rule 90 iptables -t nat -A POSTROUTING -j postrouting_rule 91 [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE 92 ;; 93 stop) 94 ## CLEAR TABLES 95 for T in filter nat; do 96 iptables -t $T -F 97 iptables -t $T -X 98 done 99 ;; 100 restart) 101 $0 stop 102 $0 start 103 ;; 104 *) 105 echo "Usage: $0 {start | stop | restart}" 106 ;; 109 107 esac 110 108 exit 0
Note:
See TracChangeset
for help on using the changeset viewer.
