3 ## Please make changes in /etc/firewall.user
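# Interface names come from two places: the static overrides file and, unless
# the box booted in failsafe mode, the user's network config. Both files are
# *executed* as shell by the `.` builtin (as root, at boot), so they are
# trusted configuration and must stay root-owned and not writable by others.
. /etc/network.overrides
# `[ a ] && [ b ]` instead of the deprecated/ambiguous `[ a -a b ]` form.
[ "$FAILSAFE" != "true" ] && [ -e /etc/config/network ] && . /etc/config/network

# Kernel interface names from NVRAM. If the key is unset (or nvram fails) the
# variable is empty. An empty WAN is a permissive state, not a safe one: the
# INPUT rule that normally accepts only non-WAN traffic degrades to an
# unconditional ACCEPT, and the MASQUERADE/forward rules are skipped.
WAN=$(nvram get wan_ifname)
# LAN is not referenced by the base rules in this file; it is left set for
# /etc/firewall.user, which is sourced at the end of the script.
LAN=$(nvram get lan_ifname)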
14 for T
in filter nat
; do
# User hook chains in the filter table. They start out empty; rules added by
# /etc/firewall.user (sourced at the end of this script) land here. Each
# built-in chain jumps to its hook *before* the default allow/reject rules,
# so a hook rule that ACCEPTs or DROPs wins over the defaults.
iptables --new-chain input_rule
iptables --new-chain output_rule
iptables --new-chain forwarding_rule

# Matching hook chains in the nat table (e.g. DNAT port forwards in
# prerouting_rule, custom source NAT in postrouting_rule).
iptables --table nat --new-chain prerouting_rule
iptables --table nat --new-chain postrouting_rule
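### INPUT
### (connections with the router as destination)

  # base case: default-deny, drop what conntrack cannot classify, and let
  # replies to the router's own connections straight through.
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Drop SYN packets that carry no MSS option (TCP option kind 2); real
  # stacks always send one, so these are typically crafted/scanner packets.
  # This sits before the input_rule hook, so /etc/firewall.user cannot
  # override it. (`\!` is just `!` to the shell; the backslash keeps it
  # from being misread by interactive shells.)
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP

  # insert accept rule or to jump to new accept-check table here
  # (rules added by /etc/firewall.user to input_rule are evaluated now)
  iptables -A INPUT -j input_rule

  # allow from lan/wifi interfaces: anything NOT arriving on the WAN port.
  # The original `${WAN:+-i \! $WAN}` hides the empty-WAN case; it is spelled
  # out here so the permissive fallback is visible.
  if [ -n "$WAN" ]; then
    # Intrapositioned negation (`-i ! x`) is what old iptables understood;
    # newer releases warn and prefer `! -i x` -- same match either way.
    iptables -A INPUT -i \! "$WAN" -j ACCEPT
  else
    # No WAN interface known: every interface is treated as trusted and all
    # inbound traffic to the router is accepted. Kept for compatibility with
    # failsafe/unconfigured boxes, but it means "no WAN" == "no firewall".
    iptables -A INPUT -j ACCEPT
  fi
  # These two have no -i and no type restriction: ICMP (all types) and GRE
  # are accepted from any interface, including WAN.
  iptables -A INPUT -p icmp -j ACCEPT   # allow ICMP
  iptables -A INPUT -p gre -j ACCEPT    # allow GRE

  # reject (what to do with anything not allowed earlier). These match every
  # remaining packet, so the DROP policy above is a backstop only; the
  # router answers with RST / port-unreachable rather than silently dropping.
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable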
### OUTPUT
### (connections with the router as source)

  # base case: default-deny, drop unclassifiable packets, pass replies and
  # related traffic of existing connections.
  iptables --policy OUTPUT DROP
  iptables --append OUTPUT --match state --state INVALID --jump DROP
  iptables --append OUTPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT

  # insert accept rule or to jump to new accept-check table here
  # (/etc/firewall.user may add rules to output_rule; anything it does not
  # decide falls through to the unconditional ACCEPT below)
  iptables --append OUTPUT --jump output_rule

  # allow everything out: the router's own outbound traffic is unrestricted
  iptables --append OUTPUT --jump ACCEPT

  # reject (what to do with anything not allowed earlier)
  # NOTE: the unconditional ACCEPT above matches every remaining packet, so
  # these two rules and the DROP policy are never reached. They only become
  # effective if that ACCEPT is removed or narrowed.
  iptables --append OUTPUT --protocol tcp --jump REJECT --reject-with tcp-reset
  iptables --append OUTPUT --jump REJECT --reject-with icmp-port-unreachable
### FORWARD
### (connections routed through the router)

  # base case: default-deny for transit traffic, drop unclassifiable packets.
  iptables --policy FORWARD DROP
  iptables --append FORWARD --match state --state INVALID --jump DROP
  # Clamp the TCP MSS to the path MTU on every forwarded packet that has SYN
  # set and RST clear (so plain SYNs and SYN-ACKs alike). It is placed before
  # the RELATED,ESTABLISHED accept so the reply-direction SYN-ACK, which
  # conntrack already counts as ESTABLISHED, is clamped too. Typically needed
  # on PPPoE/tunnel uplinks with a sub-1500 MTU.
  iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN \
    --jump TCPMSS --clamp-mss-to-pmtu
  iptables --append FORWARD --match state --state RELATED,ESTABLISHED --jump ACCEPT

  # insert accept rule or to jump to new accept-check table here
  # (/etc/firewall.user adds its forwarding rules to forwarding_rule)
  iptables --append FORWARD --jump forwarding_rule
84 # if there is bridge splitting this workaround works too
86 iptables
-A FORWARD
-i $iface -o $iface -j ACCEPT
87 [ -z "$WAN" ] || iptables
-A FORWARD
-i $iface -o $WAN -j ACCEPT
89 # reject (what to do with anything not allowed earlier)
90 # uses the default -P DROP
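# nat-table hooks for /etc/firewall.user (typically DNAT port forwards in
# prerouting_rule, custom source NAT in postrouting_rule). Both jumps are
# appended before the MASQUERADE rule, so user rules take precedence over it.
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule

# Masquerade everything that leaves through the WAN interface. There is no
# -s restriction: any forwarded traffic exiting via WAN is source-NATed.
# Skipped entirely when no WAN interface is known. $WAN is quoted so an
# interface name with unexpected characters cannot split into extra args.
[ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE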
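# Local additions live in /etc/firewall.user. It is sourced -- executed as
# root in this shell, with $WAN/$LAN set and the hook chains created -- so it
# must be root-owned and not writable by anyone else: a write to that file is
# root code execution at boot.
#
# Written as a plain `if` rather than `[ -f ... ] && .` so that a missing
# firewall.user does not leave a non-zero status as this script's last
# command (which, if this is the final line, becomes the init script's exit
# status for a perfectly normal configuration).
if [ -f /etc/firewall.user ]; then
  . /etc/firewall.user
fi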