path: root/package/iptables/files/firewall.init

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

## Please make changes in /etc/firewall.user
START=45
start() {
	include /lib/network
	scan_interfaces
	
	config_get WAN wan ifname
	config_get WANDEV wan device
	config_get LAN lan ifname
	
	## CLEAR TABLES
	for T in filter nat; do
		iptables -t $T -F
		iptables -t $T -X
	done
	
	iptables -N input_rule
	iptables -N input_wan
	iptables -N output_rule
	iptables -N forwarding_rule
	iptables -N forwarding_wan

	iptables -t nat -N NEW
	iptables -t nat -N prerouting_rule
	iptables -t nat -N prerouting_wan
	iptables -t nat -N postrouting_rule
	
	iptables -N LAN_ACCEPT
	[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
	[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
	iptables -A LAN_ACCEPT -j ACCEPT
	
	### INPUT
	###  (connections with the router as destination)
	
	# base case
	iptables -P INPUT DROP
	iptables -A INPUT -m state --state INVALID -j DROP
	iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP
	
	#
	# insert accept rule or to jump to new accept-check table here
	#
	iptables -A INPUT -j input_rule
	[ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
	
	# allow
	iptables -A INPUT -j LAN_ACCEPT	# allow from lan/wifi interfaces 
	iptables -A INPUT -p icmp	-j ACCEPT	# allow ICMP
	iptables -A INPUT -p gre	-j ACCEPT	# allow GRE
	
	# reject (what to do with anything not allowed earlier)
	iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
	iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
	
	### OUTPUT
	### (connections with the router as source)
	
	# base case
	iptables -P OUTPUT DROP
	iptables -A OUTPUT -m state --state INVALID -j DROP
	iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	
	#
	# insert accept rule or to jump to new accept-check table here
	#
	iptables -A OUTPUT -j output_rule
	
	# allow
	iptables -A OUTPUT -j ACCEPT		#allow everything out
	
	# reject (what to do with anything not allowed earlier)
	iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
	iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
	
	### FORWARDING
	### (connections routed through the router)
	
	# base case
	iptables -P FORWARD DROP 
	iptables -A FORWARD -m state --state INVALID -j DROP
	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
	iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
	
	#
	# insert accept rule or to jump to new accept-check table here
	#
	iptables -A FORWARD -j forwarding_rule
	[ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
	
	# allow
	iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
	[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
	
	# reject (what to do with anything not allowed earlier)
	# uses the default -P DROP
	
	### MASQ
	iptables -t nat -A PREROUTING -m state --state NEW -j NEW 
	iptables -t nat -A PREROUTING -j prerouting_rule
	[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
	iptables -t nat -A POSTROUTING -j postrouting_rule
	[ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

	iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
		iptables -t nat -A NEW -j DROP

	## USER RULES
	[ -f /etc/firewall.user ] && . /etc/firewall.user
	[ -n "$WAN" -a -e /etc/config/firewall ] && {
		export WAN
		awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
	}
}

stop() {
	iptables -P INPUT ACCEPT
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD ACCEPT
	iptables -F
	iptables -X
	iptables -t nat -P PREROUTING ACCEPT
	iptables -t nat -P POSTROUTING ACCEPT
	iptables -t nat -P OUTPUT ACCEPT
	iptables -t nat -F
	iptables -t nat -X
}