
diff --git a/package/iptables/files/firewall.init b/package/iptables/files/firewall.init
index 1e39d05fd..0da97f836 100755
--- a/package/iptables/files/firewall.init
+++ b/package/iptables/files/firewall.init
@@ -8,7 +8,15 @@ start() {
 	scan_interfaces
 	
 	config_get WAN wan ifname
+	config_get WANDEV wan device
 	config_get LAN lan ifname
+	config_get_bool NAT_LAN lan nat 1
+	if [ $NAT_LAN -ne 0 ]
+	then
+		config_get LAN_MASK lan netmask
+		config_get LAN_IP lan ipaddr
+		LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
+	fi
 	
 	## CLEAR TABLES
 	for T in filter nat; do
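Review bot: `LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)` is never checked, so when the lan section carries no `ipaddr`/`netmask` (or ipcalc.sh fails) both LAN_NET and LAN_MASK come back empty. Later in this file the MASQUERADE rule is built as `--src $LAN_NET/$LAN_MASK`, which then degenerates to `--src /` and is rejected by iptables, leaving LAN traffic forwarded to the WAN un-NATed with no error surfacing. Validate before use, e.g. `[ -n "$LAN_NET" -a -n "$LAN_MASK" ] || { echo "firewall: cannot compute LAN network, disabling LAN NAT" >&2; NAT_LAN=0; }`, or fail loudly if silently skipping NAT is not acceptable. `$LAN_IP` and `$LAN_MASK` should also be quoted when passed to ipcalc.sh. `start()` begins before this hunk.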
@@ -17,14 +25,19 @@ start() {
 	done
 	
 	iptables -N input_rule
+	iptables -N input_wan
 	iptables -N output_rule
 	iptables -N forwarding_rule
-	
+	iptables -N forwarding_wan
+
+	iptables -t nat -N NEW
 	iptables -t nat -N prerouting_rule
+	iptables -t nat -N prerouting_wan
 	iptables -t nat -N postrouting_rule
 	
 	iptables -N LAN_ACCEPT
 	[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
+	[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
 	iptables -A LAN_ACCEPT -j ACCEPT
 	
 	### INPUT
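Review bot: The user chain created by `iptables -t nat -N NEW` shares its name with the conntrack state `--state NEW` it is matched against later in this file, so the resulting rule reads `-m state --state NEW -j NEW` and is easy to misread in `iptables -L` output. Every other chain added by this commit follows the `<hook>_rule` / `<hook>_wan` convention (`input_wan`, `forwarding_wan`, `prerouting_wan`); a descriptive name such as `iptables -t nat -N syn_limit` would keep that convention and remove the ambiguity. The `start()` function continues beyond this hunk.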
@@ -40,6 +53,7 @@ start() {
 	# insert accept rule or to jump to new accept-check table here
 	#
 	iptables -A INPUT -j input_rule
+	[ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
 	
 	# allow
 	iptables -A INPUT -j LAN_ACCEPT	# allow from lan/wifi interfaces 
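Review bot: The new jump `iptables -A INPUT -i $WAN -j input_wan` leaves `$WAN` unquoted while the same commit quotes it in the LAN_ACCEPT rule (`-i "$WAN" -j RETURN`); the `[ -z "$WAN" ]` guard makes this harmless today, but for consistency write `[ -z "$WAN" ] || iptables -A INPUT -i "$WAN" -j input_wan`. Note also that this commit treats `$WANDEV` as WAN-side in LAN_ACCEPT but does not attach `input_wan` to it, so user rules placed in `input_wan` presumably will not see traffic arriving on the underlying device when the WAN interface is a PPP link; if that is intentional, a short comment saying so would help. `start()` continues outside this hunk.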
@@ -83,23 +97,34 @@ start() {
 	# insert accept rule or to jump to new accept-check table here
 	#
 	iptables -A FORWARD -j forwarding_rule
+	[ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
 	
 	# allow
-	iptables -A FORWARD -i br0 -o br0 -j ACCEPT
+	iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
 	[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
 	
 	# reject (what to do with anything not allowed earlier)
 	# uses the default -P DROP
 	
 	### MASQ
+	iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW 
 	iptables -t nat -A PREROUTING -j prerouting_rule
+	[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
 	iptables -t nat -A POSTROUTING -j postrouting_rule
-	[ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
-	
+	### Only LAN, unless told not to
+	if [ $NAT_LAN -ne 0 ]
+	then
+		[ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
+	fi
+
+	iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
+		iptables -t nat -A NEW -j DROP
+
 	## USER RULES
 	[ -f /etc/firewall.user ] && . /etc/firewall.user
-	[ -n "$WAN" -a -e /etc/config/firewall ] && {
-		awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
+	[ -n "$WAN" -a -e /etc/firewall.config ] && {
+		export WAN
+		awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/firewall.config | ash
 	}
 }
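Review bot: The new `iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW` rule, backed by `-A NEW -m limit --limit 50 --limit-burst 100 -j RETURN` and `-A NEW -j DROP`, applies a single global token bucket to every new TCP connection on every interface, LAN included, and is inserted ahead of `prerouting_rule` so user rules cannot exempt anything. Once the bucket is empty all new TCP connections are dropped regardless of source, which means one busy LAN host, or a remote host on the WAN sending SYNs above the limit, starves everyone else's new connections — a self-inflicted DoS vector rather than a protection. If the intent is WAN-side SYN-flood mitigation, restrict it to the WAN interface and state the unit explicitly (an unqualified `--limit 50` appears to default to per second): `[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -m state --state NEW -p tcp -j NEW` with `--limit 50/sec`, and consider a per-source limit instead of a global one. The same `$LAN_NET`/`$LAN_MASK` values used in the MASQUERADE rule are unquoted and unvalidated, so an empty value yields a malformed `--src` and the rule is silently dropped. `start()` ends at the closing `}` of this hunk.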
 
@@ -108,8 +133,10 @@ stop() {
 	iptables -P OUTPUT ACCEPT
 	iptables -P FORWARD ACCEPT
 	iptables -F
+	iptables -X
 	iptables -t nat -P PREROUTING ACCEPT
 	iptables -t nat -P POSTROUTING ACCEPT
 	iptables -t nat -P OUTPUT ACCEPT
 	iptables -t nat -F
+	iptables -t nat -X
 }