Changeset 705


Timestamp:
2005-04-23T20:58:32+02:00 (13 years ago)
Author:
mbm
Message:

new more flexible firewall

File:
1 edited

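--- a/trunk/openwrt/target/default/target_skeleton/etc/init.d/S45firewall
+++ b/trunk/openwrt/target/default/target_skeleton/etc/init.d/S45firewall
@@ -1,36 +1,87 @@
 #!/bin/sh
 . /etc/functions.sh
+export WAN=$(nvram get wan_ifname)
+export LAN=$(nvram get lan_ifname)
 
-export WAN=$(nvram get wan_ifname)
-export IPT=/usr/sbin/iptables
-
-for T in filter nat mangle ; do
-  $IPT -t $T -F
-  $IPT -t $T -X
+## CLEAR TABLES
+for T in filter nat mangle; do
+  iptables -t $T -F
+  iptables -t $T -X
 done
 
-# initial rules
-$IPT -t filter -A INPUT -m state --state INVALID -j DROP
-$IPT -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-$IPT -t filter -A FORWARD -m state --state INVALID -j DROP
-$IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -N input_rule
+iptables -N output_rule
+iptables -N forwarding_rule
 
-if [ -d /etc/firewall.d ]; then
-        for fw in /etc/firewall.d/??*; do
-                [ -x $fw ] && $fw
-        done
-fi
+iptables -t nat -N prerouting_rule
+iptables -t nat -N postrouting_rule
 
-# defaults
+### Port forwarding
+# iptables -t nat -A prerouting_rule -p tcp --dport 22 -j DNAT --to 192.168.1.2
+# iptables        -A forwarding_rule -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
 
-$IPT -t filter -A INPUT -p icmp -j ACCEPT
-$IPT -t filter -A INPUT -p 47 -j ACCEPT # allow GRE
-$IPT -t filter -A INPUT -i $WAN -p tcp --syn --tcp-option \! 2 -j  DROP
-$IPT -t filter -A INPUT -i $WAN -p tcp -j REJECT --reject-with tcp-reset
-$IPT -t filter -A INPUT -i $WAN -j REJECT --reject-with icmp-port-unreachable
+### INPUT
+###  (connections with the router as destination)
 
-$IPT -t filter -A FORWARD -i br0 -o br0 -j ACCEPT
-$IPT -t filter -A FORWARD -i $WAN -m state --state NEW -j DROP
-$IPT -t filter -A FORWARD -o $WAN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+  # base case
+  iptables -P INPUT DROP
+  iptables -A INPUT -m state --state INVALID -j DROP
+  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
-$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
+  # allow
+  iptables -A INPUT -i \! $WAN -j ACCEPT        # allow from lan/wifi interfaces
+  iptables -A INPUT -p icmp -j ACCEPT           # allow ICMP
+  iptables -A INPUT -p 47 -j ACCEPT             # allow GRE
+  #
+  # insert accept rule or to jump to new accept-check table here
+  #
+  iptables -A INPUT -j input_rule
+
+  # reject (what to do with anything not allowed earlier)
+  iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j  DROP
+  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
+
+### OUTPUT
+### (connections with the router as source)
+
+  # base case
+  iptables -P OUTPUT DROP
+  iptables -A OUTPUT -m state --state INVALID -j DROP
+  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+  # allow
+  iptables -A OUTPUT -j ACCEPT          #allow everything out
+  #
+  # insert accept rule or to jump to new accept-check table here
+  #
+  iptables -A OUTPUT -j output_rule
+
+  # reject (what to do with anything not allowed earlier)
+  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
+  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+
+### FORWARDING
+### (connections routed through the router)
+
+  # base case
+  iptables -P FORWARD DROP
+  iptables -A FORWARD -m state --state INVALID -j DROP
+  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+  # allow
+  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
+  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+  #
+  # insert accept rule or to jump to new accept-check table here
+  #
+  iptables -A FORWARD -j forwarding_rule
+
+  # reject (what to do with anything not allowed earlier)
+  # uses the default -P DROP
+
+### MASQ
+  iptables -t nat -A PREROUTING -j prerouting_rule
+  iptables -t nat -A POSTROUTING -j postrouting_rule
+  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE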
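Review bot: In the new OUTPUT section the unconditional `iptables -A OUTPUT -j ACCEPT          #allow everything out` (new line 54) sits before `iptables -A OUTPUT -j output_rule` and the two OUTPUT REJECT rules, so the hook chain and the rejects are never evaluated and anything a user later appends to `output_rule` to restrict router-originated traffic is silently ignored — unlike the INPUT and FORWARD sections, where the allows are specific rules rather than a catch-all. Swapping the two lines so `iptables -A OUTPUT -j output_rule` comes first and the blanket `iptables -A OUTPUT -j ACCEPT` second makes the hook effective; the two REJECT lines after it would still be dead and could be removed, or the comment changed to say so. A second, smaller point: `$WAN` and `$LAN` are taken from nvram unquoted and never checked, and every `iptables` exit status is ignored, so with an empty `wan_ifname` the `-i \! $WAN`, `-o $WAN` and MASQUERADE rules are likely to be rejected by iptables and skipped while the script carries on — a check such as `[ -n "$WAN" ] && [ -n "$LAN" ] || echo "S45firewall: wan_ifname/lan_ifname unset" >&2` after the two exports would at least make that failure visible.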