# Global firewall defaults (fw3/UCI). The input/output/forward policies here
# apply to traffic on interfaces that belong to no zone; every zone below sets
# its own policies and overrides these for its interfaces.
config defaults
	# Enable SYN-flood protection for connections addressed to the router itself.
	option syn_flood 1
	# Default policies: accept traffic to/from the router, refuse routing through it.
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
	# Uncomment this line to disable ipv6 rules
	# option disable_ipv6 1

# Trusted LAN zone: no restrictions in any direction. Forwarding *out of* lan
# to other zones still has to be granted by a 'config forwarding' section
# (see lan -> wan and lan -> freifunk below); forwarding *into* lan is never
# granted, so hosts on lan are only reachable from other zones via redirects.
config zone
	option name lan
	list network 'lan'
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

# Untrusted WAN zone (IPv4 'wan' and IPv6 'wan6' interfaces).
#  - input REJECT: nothing from wan reaches the router except what the explicit
#    'config rule' entries below allow (DHCP, ping, IGMP, DHCPv6, MLD, ICMPv6).
#  - forward REJECT: nothing from wan is routed to another zone unless a
#    redirect (port forward) says so.
#  - masq 1: masquerade (source-NAT) outbound traffic; fw3 applies this to IPv4.
#  - mtu_fix 1: clamp TCP MSS to the path MTU on this zone.
config zone
	option name wan
	list network 'wan'
	list network 'wan6'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

# Allow lan clients to initiate connections towards wan. This is one-way:
# the reverse direction (wan -> lan) is not opened anywhere in this file.
config forwarding
	option src lan
	option dest wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
# DHCP server -> client replies for the router's own wan lease (IPv4 only).
# Note that the match is on destination port alone: there is no src_ip, so any
# wan host may send to 68/udp on the router, not only the ISP's DHCP server.
config rule
	option name Allow-DHCP-Renew
	option src wan
	option proto udp
	option dest_port 68
	option target ACCEPT
	option family ipv4

# Allow IPv4 ping
# Only echo-request is accepted, so the router answers pings from wan but other
# ICMP types are still covered by the zone's input REJECT policy.
# NOTE(review): unlike Allow-ICMPv6-Input below, this rule carries no
# 'option limit'; add e.g. 'option limit 1000/sec' if you want the two
# address families rate-limited consistently.
config rule
	option name Allow-Ping
	option src wan
	option proto icmp
	option icmp_type echo-request
	option family ipv4
	option target ACCEPT

# Accept IGMP (IPv4 multicast group management) from wan towards the router.
config rule
	option name Allow-IGMP
	option src wan
	option proto igmp
	option family ipv4
	option target ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# Server (547) -> client (546) only, and only between link-local addresses
# (fe80::/10) on both ends, so packets with routable source or destination
# addresses never match this rule.
config rule
	option name Allow-DHCPv6
	option src wan
	option proto udp
	option src_ip fe80::/10
	option src_port 547
	option dest_ip fe80::/10
	option dest_port 546
	option family ipv6
	option target ACCEPT

# Accept Multicast Listener Discovery from link-local sources only.
# ICMPv6 types: 130 = listener query, 131 = MLDv1 report, 132 = MLDv1 done,
# 143 = MLDv2 report (code 0 in each case).
config rule
	option name Allow-MLD
	option src wan
	option proto icmp
	option src_ip fe80::/10
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family ipv6
	option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# Error/diagnostic messages plus the four Neighbour Discovery types the router
# needs on its wan link (router/neighbour solicitation and advertisement).
# The whole rule is rate-limited to 1000 packets/sec; anything above that
# falls through to the zone's input REJECT policy.
config rule
	option name Allow-ICMPv6-Input
	option src wan
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	list icmp_type router-solicitation
	list icmp_type neighbour-solicitation
	list icmp_type router-advertisement
	list icmp_type neighbour-advertisement
	option limit 1000/sec
	option family ipv6
	option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# 'dest *' makes this a forwarding rule: the listed ICMPv6 types coming from
# wan may be routed on to any other zone (echo plus the error messages needed
# for path-MTU discovery and traceroute). Neighbour Discovery types are
# deliberately absent — they are link-local and must not be forwarded.
# Rate-limited to 1000 packets/sec like the input rule above.
config rule
	option name Allow-ICMPv6-Forward
	option src wan
	option dest *
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	option limit 1000/sec
	option family ipv6
	option target ACCEPT

# include a file with users custom iptables rules
# /etc/firewall.user is run as a shell script by the firewall on every
# (re)load, with the firewall's privileges. Treat its contents as privileged
# code: only trusted users should be able to write it, and rules added there
# bypass the zone policies declared in this file.
config include
	option path /etc/firewall.user

#
#Additional rules to the LEDE default firewall entries above.
#

# Freifunk (community mesh) zone on the 'freifunk' / 'freifunk6' interfaces.
# Hosts on the mesh are not under this router's control, so treat them as
# untrusted:
#  - forward REJECT keeps mesh hosts out of lan; only lan -> freifunk is
#    opened (see the forwarding section below).
#  - input ACCEPT, however, exposes every service listening on this router
#    (whatever is bound to the freifunk addresses: management UI, SSH, DNS,
#    mesh routing daemons, ...) to the whole mesh. NOTE(review): confirm this
#    is intended — mesh routing protocols typically need it — and that
#    management services are bound to lan or protected by explicit rules.
#    Otherwise prefer 'option input REJECT' plus one 'config rule' per
#    service that really has to be reachable from the mesh.
#  - masq 1 hides lan addresses behind the router's freifunk address (fw3
#    applies masq to IPv4).
#  - Unlike the wan zone there is no 'option mtu_fix 1'; add it if the mesh
#    links carry a smaller MTU (e.g. tunnels) and TCP sessions stall.
config zone
	option name freifunk
	list network freifunk
	list network freifunk6
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
	option masq 1

# Allow lan clients to initiate connections into the mesh. One-way only:
# there is no freifunk -> lan forwarding, so mesh hosts can reach lan hosts
# solely through explicit 'config redirect' entries (see the examples below).
config forwarding
	option src lan
	option dest freifunk

###
### Example 1: forward port 20-21 to ftp-server on my lan network
###
### WARNING: both examples punch a hole from the freifunk mesh — i.e. from
### untrusted users — into a lan host. FTP (20-21) and SMB (445) are legacy
### protocols that are frequent attack targets and, in the case of FTP,
### carry credentials in the clear. Only enable such a redirect if the
### target host is hardened and the exposure is intended; keep the source
### zone 'freifunk' (never '*') so the hole is limited to that network.
### Options not given here fall back to fw3 defaults (e.g. the redirect
### target is DNAT and the internal port follows src_dport) — verify against
### the fw3 documentation for your release before relying on that.
###

#config redirect
#	option src freifunk
#	option src_dport 20-21
#	option proto tcp
#	option dest lan
#	option dest_ip 192.168.1.5

###
### Example 2: forward port 445 to smb-server on my lan network
###
### See the warning above: SMB exposed to a public mesh is rarely a good idea.
###

#config redirect
#	option src freifunk
#	option src_dport 445
#	option proto tcp
#	option dest lan
#	option dest_ip 192.168.1.5
