diff options
| -rwxr-xr-x | target/default/target_skeleton/etc/firewall.user | 27 | ||||
| -rwxr-xr-x | target/default/target_skeleton/etc/init.d/S45firewall | 26 |
2 files changed, 43 insertions, 10 deletions
diff --git a/target/default/target_skeleton/etc/firewall.user b/target/default/target_skeleton/etc/firewall.user new file mode 100755 index 000000000..2ba6b4e83 --- /dev/null +++ b/target/default/target_skeleton/etc/firewall.user @@ -0,0 +1,27 @@ +#!/bin/sh +. /etc/functions.sh + +WAN=$(nvram get wan_ifname) +LAN=$(nvram get lan_ifname) + +iptables -F input_rule +iptables -F output_rule +iptables -F forwarding_rule +iptables -F prerouting_rule +iptables -F postrouting_rule + +### BIG FAT DISCLAIMER +### The "-i $WAN" literally means packets that came in over the $WAN interface; +### this WILL NOT MATCH packets sent from the LAN to the WAN address. + +### Allow SSH from WAN +# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT +# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT + +### Port forwarding +# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2 +# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT + +### DMZ (should be placed after port forwarding / accept rules) +# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2 +# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT diff --git a/target/default/target_skeleton/etc/init.d/S45firewall b/target/default/target_skeleton/etc/init.d/S45firewall index 8f9b9404e..dc429f272 100755 --- a/target/default/target_skeleton/etc/init.d/S45firewall +++ b/target/default/target_skeleton/etc/init.d/S45firewall @@ -1,4 +1,7 @@ #!/bin/sh + +## Please make changes in /etc/firewall.user + . /etc/functions.sh WAN=$(nvram get wan_ifname) LAN=$(nvram get lan_ifname) @@ -25,15 +28,16 @@ iptables -t nat -N postrouting_rule iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP - # allow - iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces - iptables -A INPUT -p icmp -j ACCEPT # allow ICMP - iptables -A INPUT -p gre -j ACCEPT # allow GRE # # insert accept rule or to jump to new accept-check table here # iptables -A INPUT -j input_rule + # allow + iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces + iptables -A INPUT -p icmp -j ACCEPT # allow ICMP + iptables -A INPUT -p gre -j ACCEPT # allow GRE + # reject (what to do with anything not allowed earlier) iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable @@ -46,13 +50,14 @@ iptables -t nat -N postrouting_rule iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - # allow - iptables -A OUTPUT -j ACCEPT #allow everything out # # insert accept rule or to jump to new accept-check table here # iptables -A OUTPUT -j output_rule + # allow + iptables -A OUTPUT -j ACCEPT #allow everything out + # reject (what to do with anything not allowed earlier) iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable @@ -66,14 +71,15 @@ iptables -t nat -N postrouting_rule iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - # allow - iptables -A FORWARD -i br0 -o br0 -j ACCEPT - iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT # # insert accept rule or to jump to new accept-check table here # iptables -A FORWARD -j forwarding_rule + # allow + iptables -A FORWARD -i br0 -o br0 -j ACCEPT + iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT + # reject (what to do with anything not allowed earlier) # uses the default -P DROP @@ -83,4 +89,4 @@ iptables -t nat -N postrouting_rule iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE ## USER RULES -. /etc/firewall.user +[ -f /etc/firewall.user ] && . /etc/firewall.user |