package/ov51x-jpeg:

[openwrt.git] / package / iptables / files / firewall.init

diff --git a/package/iptables/files/firewall.init b/package/iptables/files/firewall.init
index 04b37bd..0da97f8 100755 (executable)
--- a/package/iptables/files/firewall.init
+++ b/package/iptables/files/firewall.init
@@ -10,6 +10,13 @@ start() {
        config_get WAN wan ifname
        config_get WANDEV wan device
        config_get LAN lan ifname
+       config_get_bool NAT_LAN lan nat 1
+       if [ $NAT_LAN -ne 0 ]
+       then
+               config_get LAN_MASK lan netmask
+               config_get LAN_IP lan ipaddr
+               LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
+       fi
        
        ## CLEAR TABLES
        for T in filter nat; do
@@ -18,10 +25,14 @@ start() {
        done
        
        iptables -N input_rule
+       iptables -N input_wan
        iptables -N output_rule
        iptables -N forwarding_rule
-       
+       iptables -N forwarding_wan
+
+       iptables -t nat -N NEW
        iptables -t nat -N prerouting_rule
+       iptables -t nat -N prerouting_wan
        iptables -t nat -N postrouting_rule
        
        iptables -N LAN_ACCEPT
@@ -42,6 +53,7 @@ start() {
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A INPUT -j input_rule
+       [ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
        
        # allow
        iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces 
@@ -85,24 +97,34 @@ start() {
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A FORWARD -j forwarding_rule
+       [ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
        
        # allow
-       iptables -A FORWARD -i br0 -o br0 -j ACCEPT
+       iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
        [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
        
        # reject (what to do with anything not allowed earlier)
        # uses the default -P DROP
        
        ### MASQ
+       iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW 
        iptables -t nat -A PREROUTING -j prerouting_rule
+       [ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
        iptables -t nat -A POSTROUTING -j postrouting_rule
-       [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
-       
+       ### Only LAN, unless told not to
+       if [ $NAT_LAN -ne 0 ]
+       then
+               [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
+       fi
+
+       iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
+               iptables -t nat -A NEW -j DROP
+
        ## USER RULES
        [ -f /etc/firewall.user ] && . /etc/firewall.user
-       [ -n "$WAN" -a -e /etc/config/firewall ] && {
+       [ -n "$WAN" -a -e /etc/firewall.config ] && {
                export WAN
-               awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
+               awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/firewall.config | ash
        }
 }
 
@@ -111,8 +133,10 @@ stop() {
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -F
+       iptables -X
        iptables -t nat -P PREROUTING ACCEPT
        iptables -t nat -P POSTROUTING ACCEPT
        iptables -t nat -P OUTPUT ACCEPT
        iptables -t nat -F
+       iptables -t nat -X
 }