From 676c017ecfced2e37aeec176f8aa6b9df90024f3 Mon Sep 17 00:00:00 2001 From: nbd Date: Wed, 5 Apr 2006 02:09:22 +0000 Subject: large init script cleanup and merge of whiterussian changes, new dnsmasq config handling git-svn-id: svn://svn.openwrt.org/openwrt/trunk/openwrt@3588 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- package/iptables/Makefile | 7 +++ package/iptables/files/firewall.awk | 64 +++++++++++++++++++++++ package/iptables/files/firewall.config | 46 ++++++++++++++++ package/iptables/files/firewall.init | 95 ++++++++++++++++++++++++++++++++++ package/iptables/files/firewall.user | 31 +++++++++++ 5 files changed, 243 insertions(+) create mode 100644 package/iptables/files/firewall.awk create mode 100644 package/iptables/files/firewall.config create mode 100755 package/iptables/files/firewall.init create mode 100755 package/iptables/files/firewall.user (limited to 'package/iptables') diff --git a/package/iptables/Makefile b/package/iptables/Makefile index 298a9a9e0..f16ac8be4 100644 --- a/package/iptables/Makefile +++ b/package/iptables/Makefile @@ -72,6 +72,13 @@ $(PKG_BUILD_DIR)/.built: touch $@ $(IPKG_IPTABLES): + install -d -m0755 $(IDIR_IPTABLES)/etc/config + install -m0644 ./files/firewall.config $(IDIR_IPTABLES)/etc/config/firewall + install -d -m0755 $(IDIR_IPTABLES)/etc/init.d + install -m0755 ./files/firewall.init $(IDIR_IPTABLES)/etc/init.d/S45firewall + install -m0755 ./files/firewall.user $(IDIR_IPTABLES)/etc/ + install -d -m0755 $(IDIR_IPTABLES)/usr/lib + install -m0644 ./files/firewall.awk $(IDIR_IPTABLES)/usr/lib install -d -m0755 $(IDIR_IPTABLES)/usr/sbin $(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(IDIR_IPTABLES)/usr/sbin/ install -d -m0755 $(IDIR_IPTABLES)/usr/lib/iptables diff --git a/package/iptables/files/firewall.awk b/package/iptables/files/firewall.awk new file mode 100644 index 000000000..1b63f8386 --- /dev/null +++ b/package/iptables/files/firewall.awk 
@@ -0,0 +1,64 @@
+BEGIN {
+ print "proto=\"$wan_proto\""
+ print "[ -z \"$proto\" -o \"$proto\" = \"none\" ] && exit"
+ print "ifname=\"$wan_ifname\""
+ print "[ -z \"$ifname\" ] && exit"
+ print ""
+ print "iptables -X input_$ifname 2>&- >&-"
+ print "iptables -N input_$ifname"
+ print "iptables -X forward_$ifname 2>&- >&-"
+ print "iptables -N forward_$ifname"
+ print "iptables -t nat -X prerouting_$ifname 2>&- >&-"
+ print "iptables -t nat -N prerouting_$ifname"
+ print ""
+ print "iptables -A input_rule -i \"$ifname\" -j input_$ifname"
+ print "iptables -A forwarding_rule -i \"$ifname\" -j forward_$ifname"
+ print "iptables -t nat -A prerouting_rule -i \"$ifname\" -j prerouting_$ifname"
+ print ""
+ FS=":"
+}
+
+($1 == "accept") || ($1 == "drop") || ($1 == "forward") {
+ delete _opt
+ str2data($2)
+ if ((_l["proto"] == "") && (_l["sport"] _l["dport"] != "")) {
+ _opt[0] = " -p tcp"
+ _opt[1] = " -p udp"
+ } else {
+ _opt[0] = ""
+ }
+}
+
+($1 == "accept") {
+ target = " -j ACCEPT"
+ for (o in _opt) {
+ print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) target
+ print "iptables -A input_$ifname " _opt[o] str2ipt($2) target
+ print ""
+ }
+}
+
+($1 == "drop") {
+ for (o in _opt) {
+ print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) " -j DROP"
+ print ""
+ }
+}
+
+($1 == "forward") {
+ target = " -j DNAT --to " $3
+ fwopts = ""
+ if ($4 != "") {
+ if ((_l["proto"] == "tcp") || (_l["proto"] == "udp") || (_l["proto"] == "")) {
+ if (_l["proto"] != "") fwopts = " -p " _l["proto"]
+ fwopts = fwopts " --dport " $4
+ target = target ":" $4
+ }
+ else fwopts = ""
+ }
+ for (o in _opt) {
+ print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) target
+ print "iptables -A forward_$ifname " _opt[o] " -d " $3 fwopts " -j ACCEPT"
+ print ""
+ }
+}
diff --git a/package/iptables/files/firewall.config b/package/iptables/files/firewall.config
new file mode 100644
index 000000000..7edd4ba4e
--- /dev/null
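Review bot: The `forward` block pastes `$3` and `$4` from /etc/config/firewall straight into command text (`" -j DNAT --to " $3`, `" --dport " $4`), and firewall.init pipes that text to `ash` as root, so a shell metacharacter in either field is executed rather than rejected. Validate the fields before printing, for example `if ($3 !~ /^[0-9.]+$/ || $4 !~ /^[0-9]*$/) next` at the top of the `forward` block, and keep the config file writable by root only if any other tool (a web UI, a restore script) can feed it. `$2` goes through `str2data` and `str2ipt`, which are not defined in this file (presumably /usr/lib/common.awk), so whether the match options are sanitised cannot be checked from this hunk. The generated chain names also expand `$ifname` unquoted, unlike the `-i \"$ifname\"` arguments next to them.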
+++ b/package/iptables/files/firewall.config
@@ -0,0 +1,46 @@
+# RULE SYNTAX:
+#
+# forward::[:]
+# - forwards all packets matched by to ,
+# optionally changing the port to
+#
+# accept:
+# - accepts all traffic matched by
+#
+# drop:
+# - drops all traffic matched by
+#
+#
+# MATCHING OPTIONS:
+#
+# src=
+# - match the source ip
+#
+# dest=
+# - match the destination ip
+#
+# proto=
+# - match the protocol by name or number
+#
+# sport=
+# - match the source port(s), see below for syntax
+#
+# dport=
+# - match the destination port(s), see below for syntax
+#
+#
+#
+# PORT SYNTAX:
+#
+# You can enter an arbitrary list of ports and port ranges in the following format:
+# - 22,53,993,1000-1024
+#
+# If you don't set the protocol to tcp or udp, it will apply to both
+#
+#
+#
+# EXAMPLES:
+#
+# drop:dport=22 src=1.3.3.7
+# accept:proto=tcp dport=22
+# forward:dport=60168:192.168.1.2:60169
diff --git a/package/iptables/files/firewall.init b/package/iptables/files/firewall.init
new file mode 100755
index 000000000..3804d044f
--- /dev/null
+++ b/package/iptables/files/firewall.init
@@ -0,0 +1,95 @@
+#!/bin/sh
+
+## Please make changes in /etc/firewall.user
+
+. /etc/config/network
+WAN="$wan_ifname"
+LAN="$lan_ifname"
+
+## CLEAR TABLES
+for T in filter nat; do
+ iptables -t $T -F
+ iptables -t $T -X
+done
+
+iptables -N input_rule
+iptables -N output_rule
+iptables -N forwarding_rule
+
+iptables -t nat -N prerouting_rule
+iptables -t nat -N postrouting_rule
+
+### INPUT
+### (connections with the router as destination)
+
+ # base case
+ iptables -P INPUT DROP
+ iptables -A INPUT -m state --state INVALID -j DROP
+ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
+
+ #
+ # insert accept rule or to jump to new accept-check table here
+ #
+ iptables -A INPUT -j input_rule
+
+ # allow
+ [ -z "$WAN" ] || iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
+ iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
+ iptables -A INPUT -p gre -j ACCEPT # allow GRE
+
+ # reject (what to do with anything not allowed earlier)
+ iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
+
+### OUTPUT
+### (connections with the router as source)
+
+ # base case
+ iptables -P OUTPUT DROP
+ iptables -A OUTPUT -m state --state INVALID -j DROP
+ iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ #
+ # insert accept rule or to jump to new accept-check table here
+ #
+ iptables -A OUTPUT -j output_rule
+
+ # allow
+ iptables -A OUTPUT -j ACCEPT #allow everything out
+
+ # reject (what to do with anything not allowed earlier)
+ iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+
+### FORWARDING
+### (connections routed through the router)
+
+ # base case
+ iptables -P FORWARD DROP
+ iptables -A FORWARD -m state --state INVALID -j DROP
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ #
+ # insert accept rule or to jump to new accept-check table here
+ #
+ iptables -A FORWARD -j forwarding_rule
+
+ # allow
+ iptables -A FORWARD -i br0 -o br0 -j ACCEPT
+ [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+
+ # reject (what to do with anything not allowed earlier)
+ # uses the default -P DROP
+
+### MASQ
+ iptables -t nat -A PREROUTING -j prerouting_rule
+ iptables -t nat -A POSTROUTING -j postrouting_rule
+ [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
+
+## USER RULES
+[ -f /etc/firewall.user ] && . /etc/firewall.user
+[ -n "$WAN" -a -e /etc/config/firewall ] && {
+ awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
+}
diff --git a/package/iptables/files/firewall.user b/package/iptables/files/firewall.user
new file mode 100755
index 000000000..f13f50bf6
--- /dev/null
+++ b/package/iptables/files/firewall.user
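Review bot: The built-in policies are switched to DROP only after the `for T in filter nat` flush loop and the chain creation, so on the first run after boot INPUT and FORWARD sit empty under whatever policy was in force before (ACCEPT by default) until `iptables -P INPUT DROP` and `iptables -P FORWARD DROP` are reached. Issuing those two `-P` commands before the flush loop closes that window; the existing `-P` lines further down can stay. Separately, the two REJECT rules after `iptables -A OUTPUT -j ACCEPT` can never match and should be removed or commented as intentional. The final block also loads /usr/lib/common.awk, which the Makefile hunk in this commit does not install, so a comment naming the package that provides it would help.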
@@ -0,0 +1,31 @@
+#!/bin/sh
+. /etc/config/network
+
+WAN="$wan_ifname"
+LAN="$lan_ifname"
+
+iptables -F input_rule
+iptables -F output_rule
+iptables -F forwarding_rule
+iptables -t nat -F prerouting_rule
+iptables -t nat -F postrouting_rule
+
+### BIG FAT DISCLAIMER
+## The "-i $WAN" is used to match packets that come in via the $WAN interface.
+## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able
+## to see the effects from within the LAN.
+
+### Open port to WAN
+## -- This allows port 22 to be answered by (dropbear on) the router
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+
+### Port forwarding
+## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
+# iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
+
+### DMZ
+## -- Connections to ports not handled above will be forwarded to 192.168.1.2
+# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
+# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
-- cgit v1.2.3
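Review bot: The `-F` lines at the top empty `input_rule`, `forwarding_rule` and `prerouting_rule`, which are the same chains firewall.awk later appends its jumps to (`input_$ifname`, `forward_$ifname`, `prerouting_$ifname`), and nothing in the file says so. That is harmless while S45firewall sources this file before running awk, but the file is installed executable with its own shebang, and running it alone would silently detach every rule generated from /etc/config/firewall. A header comment would prevent that, e.g. `## After editing, re-run /etc/init.d/S45firewall; running this file alone flushes the jumps to the /etc/config/firewall rules.`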