diff options
author | Felix Fietkau <nbd@openwrt.org> | 2006-10-07 11:57:20 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2006-10-07 11:57:20 +0000 |
commit | d58a09110ccfa95f06c983fe796806f2e035c9d2 (patch) | |
tree | 4b825dc642cb6eb9a060e54bf8d69288fbee4904 /openwrt/package/iptables/files/firewall.init | |
parent | af034797eeb62b62ac05442d5a688b28ccd0f16b (diff) | |
download | mtk-20170518-d58a09110ccfa95f06c983fe796806f2e035c9d2.zip mtk-20170518-d58a09110ccfa95f06c983fe796806f2e035c9d2.tar.gz mtk-20170518-d58a09110ccfa95f06c983fe796806f2e035c9d2.tar.bz2 |
move old kamikaze out of trunk - will put buildroot-ng in there as soon as all the developers are ready
SVN-Revision: 4944
Diffstat (limited to 'openwrt/package/iptables/files/firewall.init')
-rwxr-xr-x | openwrt/package/iptables/files/firewall.init | 95 |
1 files changed, 0 insertions, 95 deletions
diff --git a/openwrt/package/iptables/files/firewall.init b/openwrt/package/iptables/files/firewall.init deleted file mode 100755 index ad014cb..0000000 --- a/openwrt/package/iptables/files/firewall.init +++ /dev/null @@ -1,95 +0,0 @@ -#!/bin/sh - -## Please make changes in /etc/firewall.user - -. /etc/config/network -WAN="$wan_ifname" -LAN="$lan_ifname" - -## CLEAR TABLES -for T in filter nat; do - iptables -t $T -F - iptables -t $T -X -done - -iptables -N input_rule -iptables -N output_rule -iptables -N forwarding_rule - -iptables -t nat -N prerouting_rule -iptables -t nat -N postrouting_rule - -### INPUT -### (connections with the router as destination) - - # base case - iptables -P INPUT DROP - iptables -A INPUT -m state --state INVALID -j DROP - iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP - - # - # insert accept rule or to jump to new accept-check table here - # - iptables -A INPUT -j input_rule - - # allow - iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT # allow from all interfaces except for wan - iptables -A INPUT -p icmp -j ACCEPT # allow ICMP - iptables -A INPUT -p gre -j ACCEPT # allow GRE - - # reject (what to do with anything not allowed earlier) - iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset - iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable - -### OUTPUT -### (connections with the router as source) - - # base case - iptables -P OUTPUT DROP - iptables -A OUTPUT -m state --state INVALID -j DROP - iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT - - # - # insert accept rule or to jump to new accept-check table here - # - iptables -A OUTPUT -j output_rule - - # allow - iptables -A OUTPUT -j ACCEPT #allow everything out - - # reject (what to do with anything not allowed earlier) - iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset - iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable - -### FORWARDING -### (connections routed through the router) - - # base case - iptables -P FORWARD DROP - iptables -A FORWARD -m state --state INVALID -j DROP - iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - - # - # insert accept rule or to jump to new accept-check table here - # - iptables -A FORWARD -j forwarding_rule - - # allow - iptables -A FORWARD -i br0 -o br0 -j ACCEPT - [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT - - # reject (what to do with anything not allowed earlier) - # uses the default -P DROP - -### MASQ - iptables -t nat -A PREROUTING -j prerouting_rule - iptables -t nat -A POSTROUTING -j postrouting_rule - [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE - -## USER RULES -[ -f /etc/firewall.user ] && . /etc/firewall.user -[ -n "$WAN" -a -e /etc/config/firewall ] && { - awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash -} |