9bcb11a3f229161aea8d60ff1adbe340da0d7095
[openwrt.git] / openwrt / target / default / target_skeleton / etc / init.d / S45firewall
1 #!/bin/sh
2 . /etc/functions.sh
3
4 WAN=$(nvram get wan_ifname)
5
6 IPT=/usr/sbin/iptables
7
8 for T in filter nat mangle ; do
9 $IPT -t $T -F
10 $IPT -t $T -X
11 done
12
13 $IPT -t filter -A INPUT -m state --state INVALID -j DROP
14 $IPT -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
15 $IPT -t filter -A INPUT -p icmp -j ACCEPT
16 $IPT -t filter -A INPUT -p 47 -j ACCEPT # allow GRE
17 $IPT -t filter -A INPUT -i $WAN -p tcp -j REJECT --reject-with tcp-reset
18 $IPT -t filter -A INPUT -i $WAN -j REJECT --reject-with icmp-port-unreachable
19 $IPT -t filter -A FORWARD -m state --state INVALID -j DROP
20 $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
21 $IPT -t filter -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP
22 $IPT -t filter -A FORWARD -o $WAN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
23
24 $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
This page took 0.046235 seconds and 3 git commands to generate.