summaryrefslogtreecommitdiff
path: root/package/firewall
diff options
context:
space:
mode:
authorJohn Crispin <john@openwrt.org>2008-08-04 11:51:58 +0000
committerJohn Crispin <john@openwrt.org>2008-08-04 11:51:58 +0000
commit21bbdc24c397671e68606e846837f28df89a5a23 (patch)
tree372396ee96fd78a83bbffd5e33c073f5c6b9fb25 /package/firewall
parente4a0bfec3c1c9aaa59f4bd41182d394ec0ceb91d (diff)
downloadmtk-20170518-21bbdc24c397671e68606e846837f28df89a5a23.zip
mtk-20170518-21bbdc24c397671e68606e846837f28df89a5a23.tar.gz
mtk-20170518-21bbdc24c397671e68606e846837f28df89a5a23.tar.bz2
adds a new uci firewall - iptbales and netfilter packages need to be rewrapped when we switch to this firewall as default - there are some examples in the file /etc/config/firewall - iptables-save/restore are still missing - hotplug takes care of adding/removing netdevs during runtime - misisng features ? wishes ? let me know ...
SVN-Revision: 12089
Diffstat (limited to 'package/firewall')
-rw-r--r--package/firewall/Config.in17
-rw-r--r--package/firewall/Makefile69
-rw-r--r--package/firewall/files/new/20-firewall41
-rwxr-xr-xpackage/firewall/files/new/firewall.config80
-rwxr-xr-xpackage/firewall/files/new/firewall.init14
-rwxr-xr-xpackage/firewall/files/new/uci_firewall.sh291
-rw-r--r--package/firewall/files/old/firewall.awk50
-rw-r--r--package/firewall/files/old/firewall.config48
-rwxr-xr-xpackage/firewall/files/old/firewall.init142
-rw-r--r--package/firewall/files/old/firewall.user30
10 files changed, 782 insertions, 0 deletions
diff --git a/package/firewall/Config.in b/package/firewall/Config.in
new file mode 100644
index 0000000..616b020
--- /dev/null
+++ b/package/firewall/Config.in
@@ -0,0 +1,17 @@
+choice
+ prompt "Choose firewall"
+ default FIREWALL_OLD
+ depends PACKAGE_firewall
+
+config FIREWALL_OLD
+ bool "old firewall"
+
+config FIREWALL_NEW
+ bool "new uci firewall"
+ select PACKAGE_iptables-mod-conntrack
+ select PACKAGE_iptables-mod-extra
+ select PACKAGE_iptables-mod-ipopt
+ select PACKAGE_iptables-mod-ulog
+ select PACKAGE_kmod-ipt-nathelper
+
+endchoice
diff --git a/package/firewall/Makefile b/package/firewall/Makefile
new file mode 100644
index 0000000..e073b57
--- /dev/null
+++ b/package/firewall/Makefile
@@ -0,0 +1,69 @@
+#
+# Copyright (C) 2008 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=firewall
+
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/firewall
+ SECTION:=net
+ CATEGORY:=Base system
+ URL:=http://openwrt.org/
+ TITLE:=OpenWrt firewall
+ DEPENDS:=+iptables
+endef
+
+define Package/firewall/description
+ firewall for openwrt, you can select if you want to use the old version or the new uci based script
+endef
+
+define Package/firewall/config
+ source "$(SOURCE)/Config.in"
+endef
+
+define Build/Compile
+ true
+endef
+
+ifeq ($(CONFIG_FIREWALL_NEW),y)
+define Package/firewall/conffiles
+/etc/config/firewall
+endef
+
+define Package/firewall/install
+ $(INSTALL_DIR) $(1)/lib/firewall
+ $(INSTALL_DATA) ./files/new/uci_firewall.sh $(1)/lib/firewall
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_DATA) ./files/new/firewall.config $(1)/etc/config/firewall
+ $(INSTALL_DIR) $(1)/etc/init.d/
+ $(INSTALL_BIN) ./files/new/firewall.init $(1)/etc/init.d/firewall
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+ $(INSTALL_DATA) ./files/new/20-firewall $(1)/etc/hotplug.d/iface
+endef
+
+else
+
+define Package/firewall/conffiles
+/etc/firewall.config
+/etc/firewall.user
+endef
+
+define Package/firewall/install
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_DATA) ./files/old/firewall.config $(1)/etc/
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/old/firewall.init $(1)/etc/init.d/firewall
+ $(INSTALL_BIN) ./files/old/firewall.user $(1)/etc/
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(INSTALL_DATA) ./files/old/firewall.awk $(1)/usr/lib
+endef
+endif
+$(eval $(call BuildPackage,firewall))
diff --git a/package/firewall/files/new/20-firewall b/package/firewall/files/new/20-firewall
new file mode 100644
index 0000000..a8ce17c
--- /dev/null
+++ b/package/firewall/files/new/20-firewall
@@ -0,0 +1,41 @@
+. /lib/firewall/uci_firewall.sh
+unset ZONE
+config_get ifname $INTERFACE ifname
+INTERFACE=$ifname
+[ "$INTERFACE" == "lo" ] && exit 0
+load_zones() {
+ local name
+ local network
+ config_get name $1 name
+ config_get network $1 network
+ [ -z "$network" ] && return
+ for n in $network; do
+ local ifname
+ config_get ifname $n ifname
+ list_contains ifname $INTERFACE && {
+ list_contains ZONE $name || ZONE="$ZONE $name"
+ }
+ done
+}
+
+config_foreach load_zones zone
+
+IFACE=$(find_config $INTERFACE)
+[ -n "$IFACE" ] &&
+ list_contains ZONE $IFACE || ZONE="$ZONE $IFACE"
+
+[ ifup = "$ACTION" ] && {
+ for z in $ZONE; do
+ local loaded
+ config_get loaded core loaded
+ [ -n "$loaded" ] && addif $INTERFACE $z
+ done
+}
+
+[ ifdown = "$ACTION" ] && {
+ for z in $ZONE; do
+ local up
+ config_get up $z up
+ [ "$up" == "1" ] && delif $INTERFACE $z
+ done
+}
diff --git a/package/firewall/files/new/firewall.config b/package/firewall/files/new/firewall.config
new file mode 100755
index 0000000..0731690
--- /dev/null
+++ b/package/firewall/files/new/firewall.config
@@ -0,0 +1,80 @@
+config defaults
+ option syn_flood 1
+ option input DROP
+ option output ACCEPT
+ option forward DROP
+
+config zone
+ option name lan
+ option input ACCEPT
+ option output ACCEPT
+ option forward DROP
+
+config zone
+ option name wan
+ option input DROP
+ option output ACCEPT
+ option forward DROP
+ option masq 1
+
+config forwarding
+ option src lan
+ option dest wan
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option dest wan
+# option proto tcp
+# option target REJECT
+
+# block a specific mac on wan
+#config rule
+# option dest wan
+# option src_mac 00:11:22:33:44:66
+# option target REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+# option src lan
+# option proto ICMP
+# option target DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+# option src wan
+# option src_dport 80
+# option dest lan
+# option dest_ip 192.168.16.235
+# option dest_port 80
+# option protocol tcp
+
+# include a file with users custom iptables rules
+#config include
+# option path /etc/firewall.user
+
+
+### FULL CONFIG SECTIONS
+#config rule
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 80
+# option dest wan
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
+# option target REJECT
+
+#config redirect
+# option src lan
+# option src_ip 192.168.45.2
+# option src_mac 00:11:22:33:44:55
+# option src_port 1024
+# option src_dport 80
+# option dest_ip 194.25.2.129
+# option dest_port 120
+# option proto tcp
diff --git a/package/firewall/files/new/firewall.init b/package/firewall/files/new/firewall.init
new file mode 100755
index 0000000..26855f3
--- /dev/null
+++ b/package/firewall/files/new/firewall.init
@@ -0,0 +1,14 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2008 OpenWrt.org
+
+START=45
+
+start() {
+ . /lib/firewall/uci_firewall.sh
+ fw_init
+}
+
+stop() {
+ . /lib/firewall/uci_firewall.sh
+ fw_stop
+}
diff --git a/package/firewall/files/new/uci_firewall.sh b/package/firewall/files/new/uci_firewall.sh
new file mode 100755
index 0000000..dcb9c10
--- /dev/null
+++ b/package/firewall/files/new/uci_firewall.sh
@@ -0,0 +1,291 @@
+#!/bin/sh
+# Copyright (C) 2008 John Crispin <blogic@openwrt.org>
+
+. /etc/functions.sh
+
+IPTABLES="echo iptables"
+IPTABLES=iptables
+
+config_clear
+include /lib/network
+scan_interfaces
+
+CONFIG_APPEND=1
+config_load firewall
+
+config fw_zones
+ZONE_LIST=$CONFIG_SECTION
+
+DEF_INPUT=DROP
+DEF_OUTPUT=DROP
+DEF_FORWARD=DROP
+
+load_policy() {
+ config_get input $1 input
+ config_get output $1 output
+ config_get forward $1 forward
+
+ [ -z "$input" ] && input=$DEF_INPUT
+ [ -z "$output" ] && output=$DEF_OUTPUT
+ [ -z "$forward" ] && forward=$DEF_FORWARD
+}
+
+create_zone() {
+ local exists
+
+ [ "$1" == "loopback" ] && return
+
+ config_get exists $ZONE_LIST $1
+ [ -n "$exists" ] && return
+ config_set $ZONE_LIST $1 1
+
+ $IPTABLES -N zone_$1
+ $IPTABLES -N zone_$1_ACCEPT
+ $IPTABLES -N zone_$1_DROP
+ $IPTABLES -N zone_$1_REJECT
+ $IPTABLES -N zone_$1_forward
+ $IPTABLES -A zone_$1_forward -j zone_$1_$5
+ $IPTABLES -A zone_$1 -j zone_$1_$3
+ $IPTABLES -A OUTPUT -j zone_$1_$4
+ $IPTABLES -N zone_$1_nat -t nat
+ $IPTABLES -N zone_$1_prerouting -t nat
+ [ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$2_nat
+}
+
+addif() {
+ logger "adding $1 to firewall zone $2"
+ $IPTABLES -A INPUT -i $1 -j zone_$2
+ $IPTABLES -I zone_$2_ACCEPT 1 -o $1 -j ACCEPT
+ $IPTABLES -I zone_$2_DROP 1 -o $1 -j DROP
+ $IPTABLES -I zone_$2_REJECT 1 -o $1 -j REJECT
+ $IPTABLES -I zone_$2_ACCEPT 1 -i $1 -j ACCEPT
+ $IPTABLES -I zone_$2_DROP 1 -i $1 -j DROP
+ $IPTABLES -I zone_$2_REJECT 1 -i $1 -j REJECT
+ $IPTABLES -I zone_$2_nat 1 -t nat -o $1 -j MASQUERADE
+ $IPTABLES -I PREROUTING 1 -t nat -i $1 -j zone_$2_prerouting
+ $IPTABLES -A FORWARD -i $1 -j zone_$2_forward
+}
+
+delif() {
+ logger "removing $1 from firewall zone $2"
+ $IPTABLES -D INPUT -i $1 -j zone_$2
+ $IPTABLES -D zone_$2_ACCEPT -o $1 -j ACCEPT
+ $IPTABLES -D zone_$2_DROP -o $1 -j DROP
+ $IPTABLES -D zone_$2_REJECT -o $1 -j REJECT
+ $IPTABLES -D zone_$2_ACCEPT -i $1 -j ACCEPT
+ $IPTABLES -D zone_$2_DROP -i $1 -j DROP
+ $IPTABLES -D zone_$2_REJECT -i $1 -j REJECT
+ $IPTABLES -D zone_$2_nat -t nat -o $1 -j MASQUERADE
+ $IPTABLES -D PREROUTING -t nat -i $1 -j zone_$2_prerouting
+ $IPTABLES -D FORWARD -i $1 -j zone_$2_forward
+}
+
+load_synflood() {
+ echo "Loading synflood protection"
+ $IPTABLES -N SYN_FLOOD
+ $IPTABLES -A SYN_FLOOD -p tcp --syn -m limit --limit ${1}/second --limit-burst $2 -j RETURN
+ $IPTABLES -A SYN_FLOOD -p ! tcp -j RETURN
+ $IPTABLES -A SYN_FLOOD -p tcp ! --syn -j RETURN
+ $IPTABLES -A SYN_FLOOD -j LOG --log-prefix "syn_flood: "
+ $IPTABLES -A SYN_FLOOD -j DROP
+ $IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
+}
+
+create_network_zone() {
+ create_zone "$1" "$1"
+}
+
+fw_defaults() {
+ load_policy $1
+ DEF_INPUT=$input
+ DEF_OUTPUT=$output
+ DEF_FORWARD=$forward
+
+ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+ for f in /proc/sys/net/ipv4/conf/*/accept_redirects
+ do
+ echo 0 > $f
+ done
+ for f in /proc/sys/net/ipv4/conf/*/accept_source_route
+ do
+ echo 0 > $f
+ done
+
+ $IPTABLES -F
+ $IPTABLES -t nat -F
+ $IPTABLES -t mangle -F
+ $IPTABLES -X -t nat
+ $IPTABLES -X
+
+ $IPTABLES -P INPUT $input
+ $IPTABLES -A INPUT -m state --state INVALID -j DROP
+ $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ $IPTABLES -P OUTPUT $output
+ $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+ $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ $IPTABLES -P FORWARD $forward
+ $IPTABLES -A FORWARD -m state --state INVALID -j DROP
+ $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ $IPTABLES -A INPUT -i lo -j ACCEPT
+ $IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+ config_get syn_flood $1 syn_flood
+ config_get syn_rate $1 syn_rate
+ config_get syn_burst $1 syn_burst
+
+ [ -z "$syn_rate" ] && syn_rate=25
+ [ -z "$syn_burst" ] && syn_burst=50
+ [ "$syn_flood" == "1" ] && load_synflood $syn_rate $syn_burst
+}
+
+fw_zone() {
+ local name
+ local network
+ local masq
+
+ config_get name $1 name
+ config_get network $1 network
+ config_get masq $1 masq
+ load_policy $1
+
+ [ -z "$network" ] && network=$name
+ create_zone "$name" "$network" "$input" "$output" "$forward" "$masq"
+}
+
+fw_rule() {
+ local src
+ local src_ip
+ local src_mac
+ local src_port
+ local src_mac
+ local dest
+ local dest_ip
+ local dest_port
+ local proto
+ local target
+
+ config_get src $1 src
+ config_get src_ip $1 src_ip
+ config_get src_mac $1 src_mac
+ config_get src_port $1 src_port
+ config_get dest $1 dest
+ config_get dest_ip $1 dest_ip
+ config_get dest_port $1 dest_port
+ config_get proto $1 proto
+ config_get target $1 target
+ config_get ruleset $1 ruleset
+
+ [ -z "$target" ] && target=DROP
+ [ -n "$src" ] && ZONE=zone_$src || ZONE=INPUT
+ [ -n "$dest" ] && TARGET=zone_${dest}_$target || TARGET=$target
+ $IPTABLES -I $ZONE 1 \
+ ${proto:+-p $proto} \
+ ${src_ip:+-s $src_ip} \
+ ${src_port:+--sport $src_port} \
+ ${src_mac:+-m mac --mac-source $src_mac} \
+ ${dest_ip:+-d $dest_ip} \
+ ${dest_port:+--dport $dest_port} \
+ -j $TARGET
+}
+
+fw_forwarding() {
+ local src
+ local dest
+ local masq
+
+ config_get src $1 src
+ config_get dest $1 dest
+ [ -n "$src" ] && z_src=zone_${src}_forward || z_src=FORWARD
+ [ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT
+ $IPTABLES -I $z_src 1 -j $z_dest
+}
+
+fw_redirect() {
+ local src
+ local src_ip
+ local src_port
+ local src_dport
+ local src_mac
+ local dest_ip
+ local dest_port
+ local protocol
+
+ config_get src $1 src
+ config_get src_ip $1 src_ip
+ config_get src_port $1 src_port
+ config_get src_dport $1 src_dport
+ config_get src_mac $1 src_mac
+ config_get dest_ip $1 dest_ip
+ config_get dest_port $1 dest_port
+ config_get protocol $1 protocol
+ [ -z "$src" -o -z "$dest_ip" ] && { \
+ echo "redirect needs src and dest_ip"; return ; }
+ $IPTABLES -A zone_${src}_prerouting -t nat \
+ ${protocol:+-p $protocol} \
+ ${src_ip:+-s $srcdip} \
+ ${src_port:+--sport $src_port} \
+ ${src_dport:+--dport $src_dport} \
+ ${src_mac:+-m mac --mac-source $src_mac} \
+ -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port}
+ $IPTABLES -I zone_${src}_forward 1 \
+ ${protocol:+-p $protocol} \
+ -d $dest_ip \
+ ${src_ip:+-s $srcdip} \
+ ${src_port:+--sport $src_port} \
+ ${dest_port:+--dport $dest_port} \
+ ${src_mac:+-m mac --mac-source $src_mac} \
+ -j ACCEPT
+}
+
+fw_include() {
+ local path
+ config_get path $1 path
+ [ -e $path ] && . $path
+}
+
+fw_addif() {
+ local up
+ local ifname
+ config_get up $1 up
+ config_get ifname $1 ifname
+ [ -n "$up" ] || return 0
+ (ACTION="ifup" INTERFACE="$1" . /etc/hotplug.d/iface/20-firewall)
+}
+
+fw_init() {
+ echo "Loading defaults"
+ config_foreach fw_defaults defaults
+ echo "Loading zones"
+ config_foreach fw_zone zone
+ echo "Loading interfaces"
+ config_foreach create_network_zone interface
+ echo "Loading rules"
+ config_foreach fw_rule rule
+ echo "Loading forwarding"
+ config_foreach fw_forwarding forwarding
+ echo "Loading redirects"
+ config_foreach fw_redirect redirect
+ echo "Loading includes"
+ config_foreach fw_include include
+
+ uci_set_state firewall core "" firewall_state
+ uci_set_state firewall core loaded 1
+ unset CONFIG_APPEND
+ config_load network
+ config_foreach fw_addif interface
+}
+
+fw_stop() {
+ $IPTABLES -F
+ $IPTABLES -t nat -F
+ $IPTABLES -t mangle -F
+ $IPTABLES -X -t nat
+ $IPTABLES -X
+ $IPTABLES -P INPUT ACCEPT
+ $IPTABLES -P OUTPUT ACCEPT
+ $IPTABLES -P FORWARD ACCEPT
+}
diff --git a/package/firewall/files/old/firewall.awk b/package/firewall/files/old/firewall.awk
new file mode 100644
index 0000000..31dbae0
--- /dev/null
+++ b/package/firewall/files/old/firewall.awk
@@ -0,0 +1,50 @@
+# Copyright (C) 2006 OpenWrt.org
+
+BEGIN {
+ FS=":"
+}
+
+($1 == "accept") || ($1 == "drop") || ($1 == "forward") {
+ delete _opt
+ str2data($2)
+ if ((_l["proto"] == "") && (_l["sport"] _l["dport"] != "")) {
+ _opt[0] = " -p tcp"
+ _opt[1] = " -p udp"
+ } else {
+ _opt[0] = ""
+ }
+}
+
+($1 == "accept") {
+ target = " -j ACCEPT"
+ for (o in _opt) {
+ print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) target
+ print "iptables -A input_wan " _opt[o] str2ipt($2) target
+ print ""
+ }
+}
+
+($1 == "drop") {
+ for (o in _opt) {
+ print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) " -j DROP"
+ print ""
+ }
+}
+
+($1 == "forward") {
+ target = " -j DNAT --to " $3
+ fwopts = ""
+ if ($4 != "") {
+ if ((_l["proto"] == "tcp") || (_l["proto"] == "udp") || (_l["proto"] == "")) {
+ if (_l["proto"] != "") fwopts = " -p " _l["proto"]
+ fwopts = fwopts " --dport " $4
+ target = target ":" $4
+ }
+ else fwopts = ""
+ }
+ for (o in _opt) {
+ print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) target
+ print "iptables -A forwarding_wan " _opt[o] " -d " $3 fwopts " -j ACCEPT"
+ print ""
+ }
+}
diff --git a/package/firewall/files/old/firewall.config b/package/firewall/files/old/firewall.config
new file mode 100644
index 0000000..1b92954
--- /dev/null
+++ b/package/firewall/files/old/firewall.config
@@ -0,0 +1,48 @@
+# Copyright (C) 2006 OpenWrt.org
+
+# RULE SYNTAX:
+#
+# forward:<match>:<target>[:<port>]
+# - forwards all packets matched by <match> to <target>,
+# optionally changing the port to <port>
+#
+# accept:<match>
+# - accepts all traffic matched by <match>
+#
+# drop:<match>
+# - drops all traffic matched by <match>
+#
+#
+# MATCHING OPTIONS:
+#
+# src=<ip>
+# - match the source ip <ip>
+#
+# dest=<ip>
+# - match the destination ip <ip>
+#
+# proto=<proto>
+# - match the protocol by name or number
+#
+# sport=<port(s)>
+# - match the source port(s), see below for syntax
+#
+# dport=<port(s)>
+# - match the destination port(s), see below for syntax
+#
+#
+#
+# PORT SYNTAX:
+#
+# You can enter an arbitrary list of ports and port ranges in the following format:
+# - 22,53,993,1000-1024
+#
+# If you don't set the protocol to tcp or udp, it will apply to both
+#
+#
+#
+# EXAMPLES:
+#
+# drop:dport=22 src=1.3.3.7
+# accept:proto=tcp dport=22
+# forward:dport=60168:192.168.1.2:60169
diff --git a/package/firewall/files/old/firewall.init b/package/firewall/files/old/firewall.init
new file mode 100755
index 0000000..0da97f8
--- /dev/null
+++ b/package/firewall/files/old/firewall.init
@@ -0,0 +1,142 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006 OpenWrt.org
+
+## Please make changes in /etc/firewall.user
+START=45
+start() {
+ include /lib/network
+ scan_interfaces
+
+ config_get WAN wan ifname
+ config_get WANDEV wan device
+ config_get LAN lan ifname
+ config_get_bool NAT_LAN lan nat 1
+ if [ $NAT_LAN -ne 0 ]
+ then
+ config_get LAN_MASK lan netmask
+ config_get LAN_IP lan ipaddr
+ LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
+ fi
+
+ ## CLEAR TABLES
+ for T in filter nat; do
+ iptables -t $T -F
+ iptables -t $T -X
+ done
+
+ iptables -N input_rule
+ iptables -N input_wan
+ iptables -N output_rule
+ iptables -N forwarding_rule
+ iptables -N forwarding_wan
+
+ iptables -t nat -N NEW
+ iptables -t nat -N prerouting_rule
+ iptables -t nat -N prerouting_wan
+ iptables -t nat -N postrouting_rule
+
+ iptables -N LAN_ACCEPT
+ [ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
+ [ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
+ iptables -A LAN_ACCEPT -j ACCEPT
+
+ ### INPUT
+ ### (connections with the router as destination)
+
+ # base case
+ iptables -P INPUT DROP
+ iptables -A INPUT -m state --state INVALID -j DROP
+ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
+
+ #
+ # insert accept rule or to jump to new accept-check table here
+ #
+ iptables -A INPUT -j input_rule
+ [ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
+
+ # allow
+ iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
+ iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
+ iptables -A INPUT -p gre -j ACCEPT # allow GRE
+
+ # reject (what to do with anything not allowed earlier)
+ iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
+
+ ### OUTPUT
+ ### (connections with the router as source)
+
+ # base case
+ iptables -P OUTPUT DROP
+ iptables -A OUTPUT -m state --state INVALID -j DROP
+ iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ #
+ # insert accept rule or to jump to new accept-check table here
+ #
+ iptables -A OUTPUT -j output_rule
+
+ # allow
+ iptables -A OUTPUT -j ACCEPT #allow everything out
+
+ # reject (what to do with anything not allowed earlier)
+ iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+
+ ### FORWARDING
+ ### (connections routed through the router)
+
+ # base case
+ iptables -P FORWARD DROP
+ iptables -A FORWARD -m state --state INVALID -j DROP
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ #
+ # insert accept rule or to jump to new accept-check table here
+ #
+ iptables -A FORWARD -j forwarding_rule
+ [ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
+
+ # allow
+ iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
+ [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+
+ # reject (what to do with anything not allowed earlier)
+ # uses the default -P DROP
+
+ ### MASQ
+ iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
+ iptables -t nat -A PREROUTING -j prerouting_rule
+ [ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
+ iptables -t nat -A POSTROUTING -j postrouting_rule
+ ### Only LAN, unless told not to
+ if [ $NAT_LAN -ne 0 ]
+ then
+ [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
+ fi
+
+ iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
+ iptables -t nat -A NEW -j DROP
+
+ ## USER RULES
+ [ -f /etc/firewall.user ] && . /etc/firewall.user
+ [ -n "$WAN" -a -e /etc/firewall.config ] && {
+ export WAN
+ awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/firewall.config | ash
+ }
+}
+
+stop() {
+ iptables -P INPUT ACCEPT
+ iptables -P OUTPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ iptables -F
+ iptables -X
+ iptables -t nat -P PREROUTING ACCEPT
+ iptables -t nat -P POSTROUTING ACCEPT
+ iptables -t nat -P OUTPUT ACCEPT
+ iptables -t nat -F
+ iptables -t nat -X
+}
diff --git a/package/firewall/files/old/firewall.user b/package/firewall/files/old/firewall.user
new file mode 100644
index 0000000..f4eb18e
--- /dev/null
+++ b/package/firewall/files/old/firewall.user
@@ -0,0 +1,30 @@
+#!/bin/sh
+# Copyright (C) 2006 OpenWrt.org
+
+iptables -F input_rule
+iptables -F output_rule
+iptables -F forwarding_rule
+iptables -t nat -F prerouting_rule
+iptables -t nat -F postrouting_rule
+
+# The following chains are for traffic directed at the IP of the
+# WAN interface
+
+iptables -F input_wan
+iptables -F forwarding_wan
+iptables -t nat -F prerouting_wan
+
+### Open port to WAN
+## -- This allows port 22 to be answered by (dropbear on) the router
+# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
+# iptables -A input_wan -p tcp --dport 22 -j ACCEPT
+
+### Port forwarding
+## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
+# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
+# iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
+
+### DMZ
+## -- Connections to ports not handled above will be forwarded to 192.168.1.2
+# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
+# iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT