$IPTABLES -P FORWARD DROP
$IPTABLES -F
- $IPTABLES -t mangle -F
$IPTABLES -t nat -F
- $IPTABLES -t mangle -X
$IPTABLES -t nat -X
$IPTABLES -X
-
- $IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+ config_get_bool drop_invalid $1 drop_invalid 1
+
+ [ "$drop_invalid" -gt 0 ] && {
+ $IPTABLES -A INPUT -m state --state INVALID -j DROP
+ $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+ $IPTABLES -A FORWARD -m state --state INVALID -j DROP
+ }
+
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-
+
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
config_foreach fw_defaults defaults
echo "Loading zones"
config_foreach fw_zone zone
- echo "Loading rules"
- config_foreach fw_rule rule
echo "Loading forwarding"
config_foreach fw_forwarding forwarding
echo "Loading redirects"
config_foreach fw_redirect redirect
+ echo "Loading rules"
+ config_foreach fw_rule rule
echo "Loading includes"
config_foreach fw_include include
uci_set_state firewall core loaded 1
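Review bot: Moving `config_foreach fw_rule rule` below the forwarding and redirect loaders changes which entries are evaluated first, and nothing in the hunk records why. If fw_forwarding and fw_redirect append to the same chains with -A (their bodies are not visible here), an explicit DROP or REJECT from the rule section that used to precede an inter-zone ACCEPT now sits behind it and may no longer take effect; confirm that this precedence is intended. A one-line comment above the moved lines, `# rules are loaded after forwarding/redirects so those entries match first`, would make the ordering contract explicit for the next editor. The function these lines belong to begins before the hunk.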
fw_stop() {
$IPTABLES -F
- $IPTABLES -t mangle -F
$IPTABLES -t nat -F
- $IPTABLES -t mangle -X
$IPTABLES -t nat -X
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT