diff options
Diffstat (limited to 'package/network/config/firewall/files/.svn/text-base')
6 files changed, 418 insertions, 0 deletions
diff --git a/package/network/config/firewall/files/.svn/text-base/firewall.config.svn-base b/package/network/config/firewall/files/.svn/text-base/firewall.config.svn-base new file mode 100644 index 0000000..6acfe1e --- /dev/null +++ b/package/network/config/firewall/files/.svn/text-base/firewall.config.svn-base @@ -0,0 +1,195 @@ +config defaults + option syn_flood 1 + option input ACCEPT + option output ACCEPT + option forward REJECT +# Uncomment this line to disable ipv6 rules +# option disable_ipv6 1 + +config zone + option name lan + option network 'lan' + option input ACCEPT + option output ACCEPT + option forward REJECT + +config zone + option name wan + option network 'wan' + option input REJECT + option output ACCEPT + option forward REJECT + option masq 1 + option mtu_fix 1 + +config forwarding + option src lan + option dest wan + +# We need to accept udp packets on port 68, +# see https://dev.openwrt.org/ticket/4108 +config rule + option name Allow-DHCP-Renew + option src wan + option proto udp + option dest_port 68 + option target ACCEPT + option family ipv4 + +# Allow IPv4 ping +config rule + option name Allow-Ping + option src wan + option proto icmp + option icmp_type echo-request + option family ipv4 + option target ACCEPT + +# Allow DHCPv6 replies +# see https://dev.openwrt.org/ticket/10381 +config rule + option name Allow-DHCPv6 + option src wan + option proto udp + option src_ip fe80::/10 + option src_port 547 + option dest_ip fe80::/10 + option dest_port 546 + option family ipv6 + option target ACCEPT + +# Allow essential incoming IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Input + option src wan + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + list icmp_type router-solicitation + list icmp_type neighbour-solicitation + list icmp_type router-advertisement + list icmp_type neighbour-advertisement + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# Allow essential forwarded IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Forward + option src wan + option dest * + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# Block ULA-traffic from leaking out +config rule + option name Enforce-ULA-Border-Src + option src * + option dest wan + option proto all + option src_ip fc00::/7 + option family ipv6 + option target REJECT + +config rule + option name Enforce-ULA-Border-Dest + option src * + option dest wan + option proto all + option dest_ip fc00::/7 + option family ipv6 + option target REJECT + +# include a file with users custom iptables rules +config include + option path /etc/firewall.user + + +### EXAMPLE CONFIG SECTIONS +# do not allow a specific ip to access wan +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option dest wan +# option proto tcp +# option target REJECT + +# block a specific mac on wan +#config rule +# option dest wan +# option src_mac 00:11:22:33:44:66 +# option target REJECT + +# block incoming ICMP traffic on a zone +#config rule +# option src lan +# option proto ICMP +# option target DROP + +# port redirect port coming in on wan to lan +#config redirect +# option src wan +# option src_dport 80 +# option dest lan +# option dest_ip 192.168.16.235 +# option dest_port 80 +# option proto tcp + +# port redirect of remapped ssh port (22001) on wan +#config redirect +# option src wan +# option src_dport 22001 +# option dest lan +# option dest_port 22 +# option proto tcp + +# allow IPsec/ESP and ISAKMP passthrough +#config rule +# option src wan +# option dest lan +# option protocol esp +# option target ACCEPT + +#config rule +# option src wan +# option dest lan +# option src_port 500 +# option dest_port 500 +# option proto udp +# option target ACCEPT + +### FULL CONFIG SECTIONS +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 80 +# option dest wan +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp +# option target REJECT + +#config redirect +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 1024 +# option src_dport 80 +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp diff --git a/package/network/config/firewall/files/.svn/text-base/firewall.hotplug.svn-base b/package/network/config/firewall/files/.svn/text-base/firewall.hotplug.svn-base new file mode 100644 index 0000000..52e7798 --- /dev/null +++ b/package/network/config/firewall/files/.svn/text-base/firewall.hotplug.svn-base @@ -0,0 +1,22 @@ +#!/bin/sh +# This script is executed as part of the hotplug event with +# HOTPLUG_TYPE=iface, triggered by various scripts when an interface +# is configured (ACTION=ifup) or deconfigured (ACTION=ifdown). The +# interface is available as INTERFACE, the real device as DEVICE. + +[ "$DEVICE" == "lo" ] && exit 0 + +. /lib/functions.sh +. /lib/firewall/core.sh + +fw_init +fw_is_loaded || exit 0 + +case "$ACTION" in + ifup) + fw_configure_interface "$INTERFACE" add "$DEVICE" & + ;; + ifdown) + fw_configure_interface "$INTERFACE" del "$DEVICE" + ;; +esac diff --git a/package/network/config/firewall/files/.svn/text-base/firewall.init.svn-base b/package/network/config/firewall/files/.svn/text-base/firewall.init.svn-base new file mode 100644 index 0000000..a2fd0a0 --- /dev/null +++ b/package/network/config/firewall/files/.svn/text-base/firewall.init.svn-base @@ -0,0 +1,27 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2008-2010 OpenWrt.org + +START=45 + +FW_LIBDIR=/lib/firewall + +fw() { + . $FW_LIBDIR/core.sh + fw_$1 +} + +start() { + fw start +} + +stop() { + fw stop +} + +restart() { + fw restart +} + +reload() { + fw reload +} diff --git a/package/network/config/firewall/files/.svn/text-base/firewall.upgrade.svn-base b/package/network/config/firewall/files/.svn/text-base/firewall.upgrade.svn-base new file mode 100644 index 0000000..64f63eb --- /dev/null +++ b/package/network/config/firewall/files/.svn/text-base/firewall.upgrade.svn-base @@ -0,0 +1 @@ +/etc/firewall.user diff --git a/package/network/config/firewall/files/.svn/text-base/firewall.user.svn-base b/package/network/config/firewall/files/.svn/text-base/firewall.user.svn-base new file mode 100644 index 0000000..1ccbd01 --- /dev/null +++ b/package/network/config/firewall/files/.svn/text-base/firewall.user.svn-base @@ -0,0 +1,4 @@ +# This file is interpreted as shell script. +# Put your custom iptables rules here, they will +# be executed with each firewall (re-)start. + diff --git a/package/network/config/firewall/files/.svn/text-base/reflection.hotplug.svn-base b/package/network/config/firewall/files/.svn/text-base/reflection.hotplug.svn-base new file mode 100644 index 0000000..129a922 --- /dev/null +++ b/package/network/config/firewall/files/.svn/text-base/reflection.hotplug.svn-base @@ -0,0 +1,169 @@ +#!/bin/sh + +. /lib/functions.sh +. /lib/functions/network.sh + +if [ "$ACTION" = "remove" ]; then + + delete_rules_by_comment() { + local table="$1" + local chain="$2" + local comment="$3" + + iptables -t "$table" --line-numbers -nL "$chain" 2>/dev/null | \ + sed -e ' + 1d; + 1! { + \#^[0-9]\+ .* /\* '"$comment"' \*/.*$# { + s/ .*$//; + G; h; + } + }; + $!d; + ' | xargs -n1 iptables -t "$table" -D "$chain" 2>/dev/null + } + + delete_rules_by_comment nat nat_reflection_in "$INTERFACE" + delete_rules_by_comment nat nat_reflection_out "$INTERFACE" + delete_rules_by_comment filter nat_reflection_fwd "$INTERFACE" + +elif [ "$ACTION" = "add" ]; then + + prepare_chains() { + iptables -t nat -N nat_reflection_in 2>/dev/null && { + iptables -t nat -A prerouting_rule -j nat_reflection_in + } + + iptables -t nat -N nat_reflection_out 2>/dev/null && { + iptables -t nat -A postrouting_rule -j nat_reflection_out + } + + iptables -t filter -N nat_reflection_fwd 2>/dev/null && { + iptables -t filter -A forwarding_rule -j nat_reflection_fwd + } + } + + find_networks() { + find_networks_cb() { + local cfg="$1" + local zone="$2" + local need_masq="${3:-0}" + + local name + config_get name "$cfg" name + + local masq + config_get_bool masq "$cfg" masq 0 + + [ "$name" = "$zone" ] && [ "$masq" -ge "$need_masq" ] && { + local network + config_get network "$cfg" network + + echo ${network:-$zone} + return 1 + } + } + + config_foreach find_networks_cb zone "$@" + } + + setup_fwd() { + local cfg="$1" + + local reflection + config_get_bool reflection "$cfg" reflection 1 + [ "$reflection" == 1 ] || return + + local src + config_get src "$cfg" src + [ "$src" == "$ZONE" ] || return + + local dest + config_get dest "$cfg" dest + [ "$dest" != "*" ] || return + + local target + config_get target "$cfg" target DNAT + [ "$target" = DNAT ] || return + + prepare_chains + + local net + for net in $(find_networks "$dest" 0); do + local intnet + network_get_subnet intnet "$net" || continue + + local proto + config_get proto "$cfg" proto + + local epmin epmax extport + config_get extport "$cfg" src_dport "1-65535" + [ -n "$extport" ] || return + + epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" + [ "${epmin#!}" != "$epmax" ] || epmax="" + + local ipmin ipmax intport + config_get intport "$cfg" dest_port "$extport" + + ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" + [ "${ipmin#!}" != "$ipmax" ] || ipmax="" + + local exthost + config_get exthost "$cfg" src_dip "$extip" + + local inthost + config_get inthost "$cfg" dest_ip + [ -n "$inthost" ] || return + + [ "$proto" = all ] && proto="tcp udp" + [ "$proto" = tcpudp ] && proto="tcp udp" + + [ "${inthost#!}" = "$inthost" ] || return 0 + [ "${exthost#!}" = "$exthost" ] || return 0 + + [ "${epmin#!}" != "$epmin" ] && \ + extport="! --dport ${epmin#!}${epmax:+:$epmax}" || \ + extport="--dport $epmin${epmax:+:$epmax}" + + [ "${ipmin#!}" != "$ipmin" ] && \ + intport="! --dport ${ipmin#!}${ipmax:+:$ipmax}" || \ + intport="--dport $ipmin${ipmax:+:$ipmax}" + + local p + for p in ${proto:-tcp udp}; do + case "$p" in + tcp|udp|6|17) + iptables -t nat -A nat_reflection_in \ + -s $intnet -d $exthost \ + -p $p $extport \ + -m comment --comment "$INTERFACE" \ + -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax} + + iptables -t nat -A nat_reflection_out \ + -s $intnet -d $inthost \ + -p $p $intport \ + -m comment --comment "$INTERFACE" \ + -j SNAT --to-source ${intnet%%/*} + + iptables -t filter -A nat_reflection_fwd \ + -s $intnet -d $inthost \ + -p $p $intport \ + -m comment --comment "$INTERFACE" \ + -j ACCEPT + ;; + esac + done + done + } + + config_load firewall + + local is_masq_zone="$(find_networks "$ZONE" 1)" + [ -n "$is_masq_zone" ] || exit 0 + + local extip + network_get_ipaddr extip "$INTERFACE" || exit 0 + + config_foreach setup_fwd redirect +fi |