oss
/
openadk


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120
							#!/bin/sh
echo "configure /etc/firewall.conf first."
exit 1

### Interfaces
WAN=ppp0
LAN=br0
WLAN=wlan0

######################################################################
### Default ruleset
######################################################################

### Create chains
iptables -N input_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

### Default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### INPUT
###  (connections with the router as destination)

# base case
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP

# custom rules
iptables -A INPUT -j input_rule

# allow access from anything but WAN
iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
# allow icmp messages
iptables -A INPUT -p icmp -j ACCEPT

# reject
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
###  (connections with the router as source)

# base case
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

### FORWARD
###  (connections routed through the router)

# base case
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# fix for broken ISPs blocking ICMP "fragmentation needed" packets
#iptables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# custom rules
iptables -A FORWARD -j forwarding_rule
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule

# allow LAN
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

### MASQUERADING
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

######################################################################
### Default ruleset end
######################################################################

###
### Connections to the router
###

# ssh
#iptables -A input_rule -i $WAN -p tcp -s <a.b.c.d> --dport 22 -j ACCEPT

# IPSec
#iptables -A input_rule -i $WAN -p esp -s <a.b.c.d> -j ACCEPT
#iptables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 500 -j ACCEPT

# OpenVPN
#iptables -A input_rule -i $WAN -p udp -s <a.b.c.d> --dport 1194 -j ACCEPT

# PPTP
#iptables -A input_rule -i $WAN -p gre -j ACCEPT
#iptables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT

###
###  VPN traffic
###

# IPSec
#iptables -A forwarding_rule -o ipsec+ -j ACCEPT
#iptables -A forwarding_rule -i ipsec+ -j ACCEPT

# OpenVPN
#iptables -A forwarding_rule -o tun+ -j ACCEPT
#iptables -A forwarding_rule -i tun+ -j ACCEPT

###
### Port forwardings to LAN
###

#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 3389 -j DNAT --to 192.168.1.10
#iptables -A forwarding_rule -i $WAN -p tcp --dport 3389 -d 192.168.1.10 -j ACCEPT

# Transparent Bridging Proxy
#ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
#        --ip-destination-port 80 -j redirect --redirect-target ACCEPT
#iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
#        -j REDIRECT --to-port 8080