Changeset 620b1e9 in freewrt for package/iptables


Timestamp:
Oct 13, 2006, 9:34:46 PM (19 years ago)
Author:
Dirk Nehring <dnehring@…>
Branches:
freewrt_1_0, freewrt_2_0
Children:
1b5e99c
Parents:
6646877
Message:

Merge firewall scripts from trunk.

git-svn-id: svn://www.freewrt.org/branches/freewrt_1_0@899 afb5a338-a214-0410-bd46-81f09a774fd1

Location:
package/iptables
Files:
3 edited

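--- a/package/iptables/Config.in
+++ b/package/iptables/Config.in
@@ -14,5 +14,5 @@
         help
           IPv4 firewall, NAT, and packet mangling tools.
-        
+
           http://www.iptables.org/
 
@@ -152,5 +152,5 @@
         help
           iptables-save and iptables-restore for Iptables (IPv4)
-        
+
           http://www.iptables.org/
 
@@ -163,5 +163,5 @@
         help
           IPv6 firewall, NAT, and packet mangling tools.
-        
+
           http://www.iptables.org/
 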
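--- a/package/iptables/Makefile
+++ b/package/iptables/Makefile
@@ -9,5 +9,5 @@
 PKG_NAME:=              iptables
 PKG_VERSION:=           1.3.6
-PKG_RELEASE:=           1
+PKG_RELEASE:=           3
 PKG_MD5SUM:=            077e886a9c90a11bb47f3d7a4fc4a689
 PKG_INIT:=              45
@@ -78,4 +78,5 @@
 	$(INSTALL_DIR) $(IDIR_IPTABLES)/usr/lib/iptables
 	$(INSTALL_BIN) ./files/firewall.init $(IDIR_IPTABLES)/etc/init.d/S$(PKG_INIT)firewall
+	$(INSTALL_BIN) -m0644 ./files/firewall.conf $(IDIR_IPTABLES)/etc/
 	$(INSTALL_BIN) $(WRKINST)/usr/sbin/iptables $(IDIR_IPTABLES)/usr/sbin/
 	(cd $(WRKINST)/usr/lib/iptables ; \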
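Review bot: The added install line in the second hunk uses `$(INSTALL_BIN)` with an explicit `-m0644` override for `firewall.conf`, a file the init script sources as shell rather than executes; if this build system provides a data-install macro (OpenWrt-style `$(INSTALL_DATA)`), that is the clearer choice and documents intent without the mode override. Because the file is read by `S$(PKG_INIT)firewall` as root at boot, root ownership and a mode that is not group- or world-writable are what matter here, and 0644 satisfies that. Since it is a locally edited file under /etc, consider registering it as a package conffile if the packaging layer supports that, so upgrades do not silently overwrite a site's firewall policy. The install recipe continues outside the hunk.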
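--- a/package/iptables/files/firewall.init
+++ b/package/iptables/files/firewall.init
@@ -2,9 +2,4 @@
 
 . /etc/rc.conf
-
-# modify to fit your needs
-WAN=vlan0
-LAN=vlan1
-WLAN=eth1
 
 case $1 in
@@ -14,83 +9,17 @@
         ;;
 start)
-        iptables -N input_rule
-        iptables -N output_rule
-        iptables -N forwarding_rule
-
-        ### INPUT
-        ###  (connections with the router as destination)
-
-        # base case
-        iptables -P INPUT DROP
-        iptables -A INPUT -m state --state INVALID -j DROP
-        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-        iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP
-
-        #
-        # insert accept rule or to jump to new accept-check table here
-        #
-        iptables -A INPUT -j input_rule
-
-        # allow
-        iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT  # allow from all interfaces except for wan
-        iptables -A INPUT -p icmp       -j ACCEPT       # allow ICMP
-        iptables -A INPUT -p gre        -j ACCEPT       # allow GRE
-        # allow ssh from remote
-        iptables -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT
-
-        # reject (what to do with anything not allowed earlier)
-        iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
-        iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
-
-        ### OUTPUT
-        # (connections with the router as source)
-
-        # base case
-        iptables -P OUTPUT DROP
-        iptables -A OUTPUT -m state --state INVALID -j DROP
-        iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-        #
-        # insert accept rule or to jump to new accept-check table here
-        #
-        iptables -A OUTPUT -j output_rule
-
-        # allow
-        iptables -A OUTPUT -j ACCEPT            #allow everything out
-
-        # reject (what to do with anything not allowed earlier)
-        iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-        iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-
-        ### FORWARDING
-        ### (connections routed through the router)
-
-        # base case
-        iptables -P FORWARD DROP
-        iptables -A FORWARD -m state --state INVALID -j DROP
-        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-        iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-        #
-        # insert accept rule or to jump to new accept-check table here
-        #
-        iptables -A FORWARD -j forwarding_rule
-
-        # allow
-        iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
-        iptables -A FORWARD -i $WLAN -o $WAN -j ACCEPT
-
-        # reject (what to do with anything not allowed earlier)
-        # uses the default -P DROP
-
-        ### MASQERADING
-        iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
+        . /etc/firewall.conf
         ;;
 stop)
-        ## CLEAR TABLES
-        for T in filter nat; do
-                iptables -t $T -F
-                iptables -t $T -X
-        done
+        ### Clear tables
+        iptables -F
+        iptables -X
+        iptables -t nat -F
+        iptables -t nat -X
+        iptables -P INPUT ACCEPT
+        iptables -P FORWARD ACCEPT
+        iptables -P OUTPUT ACCEPT
+        iptables -t nat -P PREROUTING ACCEPT
+        iptables -t nat -P POSTROUTING ACCEPT
         ;;
 restart)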
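Review bot: The new `start)` branch in the second hunk delegates the whole ruleset to `. /etc/firewall.conf` without checking that the file is present and readable, so a missing or unreadable config leaves the router at the kernel default ACCEPT policies with no rules, whereas the removed inline ruleset failed closed with `-P DROP`. A guard before the source line such as `[ -r /etc/firewall.conf ] || { echo "firewall: /etc/firewall.conf missing or unreadable" >&2; exit 1; }` makes that failure loud instead of silent. Note also that `stop)` now resets every filter and nat policy to ACCEPT after flushing; if `restart)` (which continues outside the hunk) is implemented as stop followed by start, all traffic is accepted between the two steps, which is worth a comment or a restart path that re-applies the ruleset before opening the policies. The enclosing `case` statement ends outside the hunk.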