add config file /etc/config/network, add board-specific network.overrides (instead...
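#!/bin/sh
#
# S45firewall - build the router's default iptables rule set from scratch.
#
# Policy: INPUT/OUTPUT/FORWARD default to DROP, established/related traffic
# is accepted statefully, and each chain jumps into a user hook chain
# (input_rule / output_rule / forwarding_rule / prerouting_rule /
# postrouting_rule) before the built-in allow rules. Traffic leaving via the
# WAN interface is masqueraded.
#
# Reads:  $FAILSAFE, nvram wan_ifname / lan_ifname, /etc/config/network,
#         /etc/network.overrides, /etc/firewall.user
#
## Please make changes in /etc/firewall.user

# In failsafe mode leave the tables untouched and bail out before any
# iptables call so a misconfigured rule set cannot lock the box.
${FAILSAFE:+exit}

. /etc/functions.sh
. /etc/network.overrides
# The test needs a space before "]"; without it "[" reports a syntax error
# and /etc/config/network is silently never sourced.
[ -e /etc/config/network ] && . /etc/config/network
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

# With an empty interface name the "-i ! $WAN" accept rule below cannot be
# installed and INPUT falls through to the REJECT rules; say so on stderr.
if [ -z "$WAN" ] || [ -z "$LAN" ]; then
  echo "S45firewall: wan_ifname or lan_ifname is empty in nvram" >&2
fi

## CLEAR TABLES
# Flush and delete every chain (including user chains) in all three tables
# so the rules below are the only ones in effect.
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done

# User hook chains; /etc/firewall.user appends to these.
iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule

iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

### INPUT
### (connections with the router as destination)

# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop SYNs that carry no MSS option (TCP option 2)
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP

#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule

# allow
iptables -A INPUT -i \! "$WAN" -j ACCEPT   # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT        # allow ICMP
iptables -A INPUT -p gre -j ACCEPT         # allow GRE

# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
### (connections with the router as source)

# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule

# allow
iptables -A OUTPUT -j ACCEPT   # allow everything out

# reject (what to do with anything not allowed earlier)
# Only reachable for packets that output_rule returned from before the
# unconditional ACCEPT above; kept for symmetry with INPUT.
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
### (connections routed through the router)

# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# clamp MSS to path MTU on forwarded SYNs (PPPoE / tunnel friendly)
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule

# allow
# NOTE(review): br0 is hard-coded here rather than taken from $LAN;
# presumably it is the LAN bridge - verify against the board config.
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT

# reject (what to do with anything not allowed earlier)
# uses the default -P DROP

### MASQ
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user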