X-Git-Url: http://git.rohieb.name/openwrt.git/blobdiff_plain/90335cdd41957de7a859232df826cc2bdfc4f3b3..dd755e947f8ae1e657dfa6c16b7756d78074e013:/target/default/target_skeleton/etc/init.d/S45firewall?ds=inline diff --git a/target/default/target_skeleton/etc/init.d/S45firewall b/target/default/target_skeleton/etc/init.d/S45firewall index da9fd550f..a50663725 100755 --- a/target/default/target_skeleton/etc/init.d/S45firewall +++ b/target/default/target_skeleton/etc/init.d/S45firewall @@ -1,7 +1,7 @@ #!/bin/sh . /etc/functions.sh -export WAN=$(nvram get wan_ifname) -export LAN=$(nvram get lan_ifname) +WAN=$(nvram get wan_ifname) +LAN=$(nvram get lan_ifname) ## CLEAR TABLES for T in filter nat mangle; do @@ -17,8 +17,8 @@ iptables -t nat -N prerouting_rule iptables -t nat -N postrouting_rule ### Port forwarding -# iptables -t nat -A prerouting_rule -p tcp --dport 22 -j DNAT --to 192.168.1.2 -# iptables -A forwarding_rule -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT +# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2 +# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT ### INPUT ### (connections with the router as destination) @@ -27,18 +27,18 @@ iptables -t nat -N postrouting_rule iptables -P INPUT DROP iptables -A INPUT -m state --state INVALID -j DROP iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP # allow - iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces - iptables -A INPUT -p icmp -j ACCEPT # allow ICMP - iptables -A INPUT -p 47 -j ACCEPT # allow GRE + iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces + iptables -A INPUT -p icmp -j ACCEPT # allow ICMP + iptables -A INPUT -p gre -j ACCEPT # allow GRE # # insert accept rule or to jump to new accept-check table here # iptables -A INPUT -j input_rule # reject (what to do with anything not allowed earlier) - iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable