Changeset b68978d in freewrt for package/iptables


Timestamp:
Aug 17, 2025, 12:45:07 PM (4 months ago)
Author:
Waldemar Brodkorb <wbx@…>
Branches:
freewrt_2_0
Children:
f15c9543
Parents:
b07a1b5
git-author:
Waldemar Brodkorb <wbx@…> (08/17/25 12:44:26)
git-committer:
Waldemar Brodkorb <wbx@…> (08/17/25 12:45:07)
Message:

make the FreeWRT firewall script work, needs more cleanup

Location:
package/iptables
Files:
1 added
3 edited

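--- a/package/iptables/Config.in
+++ b/package/iptables/Config.in
@@ -16,4 +16,23 @@
           http://www.iptables.org/
 
+config FWRT_PACKAGE_IP6TABLES
+        prompt "ip6tables......................... IPv6 firewall administration tool"
+        tristate
+        default n
+        select FWRT_COMPILE_IPTABLES
+        select FWRT_PACKAGE_KMOD_IPV6
+        help
+          IPv6 firewall, NAT, and packet mangling tools.
+
+          http://www.iptables.org/
+
+config FWRT_PACKAGE_IPTABLES_FIREWALL_SCRIPT
+        prompt   "iptables-fw-script.............. FreeWRT's firewall script"
+        tristate
+        default y
+        depends FWRT_PACKAGE_IPTABLES
+        help
+          FreeWRT's default firewall script
+
 config FWRT_PACKAGE_IPTABLES_MOD_CONNTRACK
         prompt   "iptables-mod-conntrack.......... Iptables extensions for connection tracking"
@@ -21,12 +40,14 @@
         default n
         depends FWRT_PACKAGE_IPTABLES
-        select FWRT_PACKAGE_KMOD_IPT_CONNTRACK
         help
           Iptables (IPv4) extensions for connection tracking
 
-          Includes:
-            * libipt_conntrack
-            * libipt_helper
-            * libipt_connmark/CONNMARK
+config FWRT_PACKAGE_IPTABLES_MOD_REJECT
+        prompt   "iptables-mod-reject............. Iptables extensions for REJECT target"
+        tristate
+        default n
+        depends FWRT_PACKAGE_IPTABLES
+        help
+          Iptables (IPv4) extensions for REJECT target
 
 config FWRT_PACKAGE_IPTABLES_MOD_FILTER
@@ -141,20 +162,2 @@
           http://www.iptables.org/
 
-config FWRT_PACKAGE_IPTABLES_FIREWALL_SCRIPT
-        prompt   "iptables-fw-script.............. FreeWRT's firewall script"
-        tristate
-        default y
-        depends FWRT_PACKAGE_IPTABLES
-        help
-          FreeWRT's default firewall script
-
-config FWRT_PACKAGE_IP6TABLES
-        prompt "ip6tables......................... IPv6 firewall administration tool"
-        tristate
-        default n
-        select FWRT_COMPILE_IPTABLES
-        select FWRT_PACKAGE_KMOD_IPV6
-        help
-          IPv6 firewall, NAT, and packet mangling tools.
-
-          http://www.iptables.org/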
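Review bot: `FWRT_PACKAGE_IPTABLES_FIREWALL_SCRIPT` stays `default y` with only `depends FWRT_PACKAGE_IPTABLES`, yet the script shipped by this commit uses `-m conntrack` and the `TCPMSS` target, which come from separately selectable extension packages. On an image built without them those `iptables -A` calls fail, and unless the script aborts on error (not visible here) the remaining rules still load, leaving a partial ruleset without the INVALID drops. Adding `select FWRT_PACKAGE_IPTABLES_MOD_CONNTRACK` to the script entry, plus the matching select for the TCPMSS extension, would tie the script to what it needs. The same commit drops `select FWRT_PACKAGE_KMOD_IPT_CONNTRACK` from the conntrack entry; if nothing else pulls that kernel module in, the userspace match can be installed without kernel support behind it.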
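--- a/package/iptables/Makefile
+++ b/package/iptables/Makefile
@@ -36,4 +36,6 @@
 
 $(eval $(call PKG_template,IPTABLES_MOD_CONNTRACK,iptables-mod-conntrack,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
+$(eval $(call PKG_template,IPTABLES_MOD_REJECT,iptables-mod-reject,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
+$(eval $(call PKG_template,IPTABLES_MOD_TCPMSS,iptables-mod-tcpmss,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
 $(eval $(call PKG_template,IPTABLES_MOD_EXTRA,iptables-mod-extra,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
 $(eval $(call PKG_template,IPTABLES_MOD_FILTER,iptables-mod-filter,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
@@ -45,4 +47,6 @@
 
 $(eval $(call IPKG_plugin_template,IPTABLES_MOD_CONNTRACK,$(IPT_CONNTRACK-m)))
+$(eval $(call IPKG_plugin_template,IPTABLES_MOD_REJECT,$(IPT_REJECT-m)))
+$(eval $(call IPKG_plugin_template,IPTABLES_MOD_TCPMSS,$(IPT_TCPMSS-m)))
 $(eval $(call IPKG_plugin_template,IPTABLES_MOD_EXTRA,$(IPT_EXTRA-m)))
 $(eval $(call IPKG_plugin_template,IPTABLES_MOD_FILTER,$(IPT_FILTER-m),layer7-install))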
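Review bot: The two new `IPKG_plugin_template` lines expand `$(IPT_REJECT-m)` and `$(IPT_TCPMSS-m)`, and neither variable is defined in the lines shown. If they are not set in a file this Makefile includes (possibly the file this changeset adds, which is not displayed), the plugin packages would presumably be built without their extension libraries, and the firewall script's `TCPMSS` rule would then fail on the target. A short comment above the plugin block naming where the lists live, e.g. `# extension lists (IPT_*-m) are defined in <include file>`, would make that checkable in review.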
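--- a/package/iptables/files/firewall.conf
+++ b/package/iptables/files/firewall.conf
@@ -4,7 +4,7 @@
 exit 1
 ### Interfaces
-WAN=ppp0
-LAN=br0
-WLAN=eth1
+WAN=eth0.1
+LAN=eth0.0
+WLAN=wlan0
 
 ######################################################################
@@ -26,7 +26,7 @@
 
 # base case
-iptables -A INPUT -m state --state INVALID -j DROP
-iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
+iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP
 
 # custom rules
@@ -46,6 +46,6 @@
 
 # base case
-iptables -A OUTPUT -m state --state INVALID -j DROP
-iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
+iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 ### FORWARD
@@ -53,7 +53,7 @@
 
 # base case
-iptables -A FORWARD -m state --state INVALID -j DROP
+iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
 iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # custom rules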
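Review bot: The new defaults `WAN=eth0.1`, `LAN=eth0.0` and `WLAN=wlan0` fit one switch/VLAN layout, and every rule keyed on these variables follows them. In the visible lines that is the MSS clamp on `-o $WAN`, which no longer matches on a PPPoE uplink (the previous default was `ppp0`). Any custom rules that trust `$LAN` (outside the hunks shown) would trust the wrong port on a board with different VLAN numbering. I would add a comment above the block such as `# board-specific: check the VLAN and wireless interface names on your device before enabling`. The INPUT, OUTPUT and FORWARD rule sets all continue outside the displayed hunks.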