add firewall script change from whiterussian to head

SVN-Revision: 1305
20 years ago · 02da5cee9d
parent f9e58fed16
commit 02da5cee9d
2 changed files with 43 additions and 10 deletions
--- a/openwrt/target/default/target_skeleton/etc/firewall.user
+++ b/openwrt/target/default/target_skeleton/etc/firewall.user
@ -0,0 +1,27 @@
+#!/bin/sh
+. /etc/functions.sh
+
+WAN=$(nvram get wan_ifname)
+LAN=$(nvram get lan_ifname)
+
+iptables -F input_rule
+iptables -F output_rule
+iptables -F forwarding_rule
+iptables -F prerouting_rule
+iptables -F postrouting_rule
+
+### BIG FAT DISCLAIMER
+### The "-i $WAN" literally means packets that came in over the $WAN interface;
+### this WILL NOT MATCH packets sent from the LAN to the WAN address.
+
+### Allow SSH from WAN
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT 
+# iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT
+
+### Port forwarding
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
+# iptables        -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
+
+### DMZ (should be placed after port forwarding / accept rules)
+# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
+# iptables        -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
--- a/openwrt/target/default/target_skeleton/etc/init.d/S45firewall
+++ b/openwrt/target/default/target_skeleton/etc/init.d/S45firewall
@ -1,4 +1,7 @@
 #!/bin/sh
+
+## Please make changes in /etc/firewall.user
+
 . /etc/functions.sh
 WAN=$(nvram get wan_ifname)
 LAN=$(nvram get lan_ifname)
@ -25,15 +28,16 @@ iptables -t nat -N postrouting_rule
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j  DROP

-  # allow
-  iptables -A INPUT -i \! $WAN	-j ACCEPT	# allow from lan/wifi interfaces 
-  iptables -A INPUT -p icmp	-j ACCEPT	# allow ICMP
-  iptables -A INPUT -p gre	-j ACCEPT	# allow GRE
  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -j input_rule

+  # allow
+  iptables -A INPUT -i \! $WAN	-j ACCEPT	# allow from lan/wifi interfaces 
+  iptables -A INPUT -p icmp	-j ACCEPT	# allow ICMP
+  iptables -A INPUT -p gre	-j ACCEPT	# allow GRE
+
  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
@ -46,13 +50,14 @@ iptables -t nat -N postrouting_rule
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-  # allow
-  iptables -A OUTPUT -j ACCEPT		#allow everything out
  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A OUTPUT -j output_rule

+  # allow
+  iptables -A OUTPUT -j ACCEPT		#allow everything out
+
  # reject (what to do with anything not allowed earlier)
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
@ -66,14 +71,15 @@ iptables -t nat -N postrouting_rule
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

-  # allow
-  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
-  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A FORWARD -j forwarding_rule

+  # allow
+  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
+  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+
  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

@ -83,4 +89,4 @@ iptables -t nat -N postrouting_rule
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

 ## USER RULES
-. /etc/firewall.user
+[ -f /etc/firewall.user ] && . /etc/firewall.user