summaryrefslogtreecommitdiffstats
path: root/target/default
diff options
context:
space:
mode:
Diffstat (limited to 'target/default')
-rwxr-xr-xtarget/default/target_skeleton/etc/firewall.user27
-rwxr-xr-xtarget/default/target_skeleton/etc/init.d/S45firewall26
2 files changed, 43 insertions, 10 deletions
diff --git a/target/default/target_skeleton/etc/firewall.user b/target/default/target_skeleton/etc/firewall.user
new file mode 100755
index 000000000..2ba6b4e83
--- /dev/null
+++ b/target/default/target_skeleton/etc/firewall.user
@@ -0,0 +1,27 @@
+#!/bin/sh
+. /etc/functions.sh
+
+WAN=$(nvram get wan_ifname)
+LAN=$(nvram get lan_ifname)
+
+iptables -F input_rule
+iptables -F output_rule
+iptables -F forwarding_rule
+iptables -F prerouting_rule
+iptables -F postrouting_rule
+
+### BIG FAT DISCLAIMER
+### The "-i $WAN" literally means packets that came in over the $WAN interface;
+### this WILL NOT MATCH packets sent from the LAN to the WAN address.
+
+### Allow SSH from WAN
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+
+### Port forwarding
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
+# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
+
+### DMZ (should be placed after port forwarding / accept rules)
+# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
+# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
diff --git a/target/default/target_skeleton/etc/init.d/S45firewall b/target/default/target_skeleton/etc/init.d/S45firewall
index 8f9b9404e..dc429f272 100755
--- a/target/default/target_skeleton/etc/init.d/S45firewall
+++ b/target/default/target_skeleton/etc/init.d/S45firewall
@@ -1,4 +1,7 @@
#!/bin/sh
+
+## Please make changes in /etc/firewall.user
+
. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
@@ -25,15 +28,16 @@ iptables -t nat -N postrouting_rule
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP
- # allow
- iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
- iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
- iptables -A INPUT -p gre -j ACCEPT # allow GRE
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
+ # allow
+ iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
+ iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
+ iptables -A INPUT -p gre -j ACCEPT # allow GRE
+
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
@@ -46,13 +50,14 @@ iptables -t nat -N postrouting_rule
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- # allow
- iptables -A OUTPUT -j ACCEPT #allow everything out
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
+ # allow
+ iptables -A OUTPUT -j ACCEPT #allow everything out
+
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
@@ -66,14 +71,15 @@ iptables -t nat -N postrouting_rule
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- # allow
- iptables -A FORWARD -i br0 -o br0 -j ACCEPT
- iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
+ # allow
+ iptables -A FORWARD -i br0 -o br0 -j ACCEPT
+ iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
@@ -83,4 +89,4 @@ iptables -t nat -N postrouting_rule
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
## USER RULES
-. /etc/firewall.user
+[ -f /etc/firewall.user ] && . /etc/firewall.user