1 #!/bin/sh /etc/rc.common
2 # Copyright (C) 2006 OpenWrt.org
4 ## Please make changes in /etc/firewall.user
10 config_get WAN wan ifname
11 config_get WANDEV wan device
12 config_get LAN lan ifname
15 for T in filter nat; do
20 iptables -N input_rule
21 iptables -N output_rule
22 iptables -N forwarding_rule
24 iptables -t nat -N prerouting_rule
25 iptables -t nat -N postrouting_rule
27 iptables -N LAN_ACCEPT
28 [ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
29 [ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
30 iptables -A LAN_ACCEPT -j ACCEPT
33 ### (connections with the router as destination)
36 iptables -P INPUT DROP
37 iptables -A INPUT -m state --state INVALID -j DROP
38 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
39 iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
42 # insert accept rule or to jump to new accept-check table here
44 iptables -A INPUT -j input_rule
47 iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
48 iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
49 iptables -A INPUT -p gre -j ACCEPT # allow GRE
51 # reject (what to do with anything not allowed earlier)
52 iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
53 iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
56 ### (connections with the router as source)
59 iptables -P OUTPUT DROP
60 iptables -A OUTPUT -m state --state INVALID -j DROP
61 iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
64 # insert accept rule or to jump to new accept-check table here
66 iptables -A OUTPUT -j output_rule
69 iptables -A OUTPUT -j ACCEPT #allow everything out
71 # reject (what to do with anything not allowed earlier)
72 iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
73 iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
76 ### (connections routed through the router)
79 iptables -P FORWARD DROP
80 iptables -A FORWARD -m state --state INVALID -j DROP
81 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
82 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
85 # insert accept rule or to jump to new accept-check table here
87 iptables -A FORWARD -j forwarding_rule
90 iptables -A FORWARD -i br0 -o br0 -j ACCEPT
91 [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
93 # reject (what to do with anything not allowed earlier)
94 # uses the default -P DROP
97 iptables -t nat -A PREROUTING -j prerouting_rule
98 iptables -t nat -A POSTROUTING -j postrouting_rule
99 [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
102 [ -f /etc/firewall.user ] && . /etc/firewall.user
103 [ -n "$WAN" -a -e /etc/config/firewall ] && {
104 awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
109 iptables -P INPUT ACCEPT
110 iptables -P OUTPUT ACCEPT
111 iptables -P FORWARD ACCEPT
113 iptables -t nat -P PREROUTING ACCEPT
114 iptables -t nat -P POSTROUTING ACCEPT
115 iptables -t nat -P OUTPUT ACCEPT