package/base-files/default/etc/firewall.user

   1 #!/bin/sh
   2 . /etc/functions.sh
   3
   4 WAN=$(nvram get wan_ifname)
   5 LAN=$(nvram get lan_ifname)
   6
   7 iptables -F input_rule
   8 iptables -F output_rule
   9 iptables -F forwarding_rule
  10 iptables -t nat -F prerouting_rule
  11 iptables -t nat -F postrouting_rule
  12
  13 ### BIG FAT DISCLAIMER
  14 ### The "-i $WAN" literally means packets that came in over the $WAN interface;
  15 ### this WILL NOT MATCH packets sent from the LAN to the WAN address.
  16
  17 ### Allow SSH on the WAN interface
  18 # iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
  19 # iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT
  20
  21 ### Port forwarding
  22 # iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
  23 # iptables        -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
  24
  25 ### DMZ (should be placed after port forwarding / accept rules)
  26 # iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
  27 # iptables        -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT