openwrt/target/default/target_skeleton/etc/init.d/S45firewall

   1 #!/bin/sh
   2 . /etc/functions.sh
   3
   4 export WAN=$(nvram get wan_ifname)
   5 export IPT=/usr/sbin/iptables
   6
   7 for T in filter nat mangle ; do
   8   $IPT -t $T -F
   9   $IPT -t $T -X
  10 done
  11
  12 # initial rules
  13 $IPT -t filter -A INPUT -m state --state INVALID -j DROP
  14 $IPT -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  15 $IPT -t filter -A FORWARD -m state --state INVALID -j DROP
  16 $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  17
  18 if [ -d /etc/firewall.d ]; then
  19         for fw in /etc/firewall.d/??*; do
  20                 [ -x $fw ] && $fw
  21         done
  22 fi
  23
  24 # defaults
  25
  26 $IPT -t filter -A INPUT -p icmp -j ACCEPT
  27 $IPT -t filter -A INPUT -p 47 -j ACCEPT # allow GRE
  28 $IPT -t filter -A INPUT -i $WAN -p tcp --syn --tcp-option \! 2 -j  DROP
  29 $IPT -t filter -A INPUT -i $WAN -p tcp -j REJECT --reject-with tcp-reset
  30 $IPT -t filter -A INPUT -i $WAN -j REJECT --reject-with icmp-port-unreachable
  31
  32 $IPT -t filter -A FORWARD -i br0 -o br0 -j ACCEPT
  33 $IPT -t filter -A FORWARD -i $WAN -m state --state NEW -j DROP
  34 $IPT -t filter -A FORWARD -o $WAN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  35
  36 $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE