#!/bin/sh
## Please make changes in /etc/firewall.user
+${FAILSAFE:+exit}
. /etc/functions.sh
+. /etc/network.overrides
+[ "$FAILSAFE" != "true" -a -e /etc/config/network ] && . /etc/config/network
+
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
## CLEAR TABLES
-for T in filter nat mangle; do
+for T in filter nat; do
iptables -t $T -F
iptables -t $T -X
done
iptables -A INPUT -j input_rule
# allow
- iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
+ iptables -A INPUT ${WAN:+-i \! $WAN} -j ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
iptables -A FORWARD -j forwarding_rule
# allow
- iptables -A FORWARD -i br0 -o br0 -j ACCEPT
- iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
-
+ # if there is bridge splitting this workaround works too
+ for iface in $LAN; do
+ iptables -A FORWARD -i $iface -o $iface -j ACCEPT
+ [ -z "$WAN" ] || iptables -A FORWARD -i $iface -o $WAN -j ACCEPT
+ done
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
### MASQ
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
- iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
+ [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user