finally move buildroot-ng to trunk

[lede.git] / package / iptables / files / firewall.init

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

## Please make changes in /etc/firewall.user

start() {
        include /lib/network
        scan_interfaces
        
        config_get WAN wan ifname
        config_get LAN lan ifname
        
        ## CLEAR TABLES
        for T in filter nat; do
                iptables -t $T -F
                iptables -t $T -X
        done
        
        iptables -N input_rule
        iptables -N output_rule
        iptables -N forwarding_rule
        
        iptables -t nat -N prerouting_rule
        iptables -t nat -N postrouting_rule
        
        iptables -N LAN_ACCEPT
        [ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
        iptables -A LAN_ACCEPT -j ACCEPT
        
        ### INPUT
        ###  (connections with the router as destination)
        
        # base case
        iptables -P INPUT DROP
        iptables -A INPUT -m state --state INVALID -j DROP
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP
        
        #
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A INPUT -j input_rule
        
        # allow
        iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces 
        iptables -A INPUT -p icmp       -j ACCEPT       # allow ICMP
        iptables -A INPUT -p gre        -j ACCEPT       # allow GRE
        
        # reject (what to do with anything not allowed earlier)
        iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
        iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
        
        ### OUTPUT
        ### (connections with the router as source)
        
        # base case
        iptables -P OUTPUT DROP
        iptables -A OUTPUT -m state --state INVALID -j DROP
        iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        
        #
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A OUTPUT -j output_rule
        
        # allow
        iptables -A OUTPUT -j ACCEPT            #allow everything out
        
        # reject (what to do with anything not allowed earlier)
        iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
        iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
        
        ### FORWARDING
        ### (connections routed through the router)
        
        # base case
        iptables -P FORWARD DROP 
        iptables -A FORWARD -m state --state INVALID -j DROP
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        
        #
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A FORWARD -j forwarding_rule
        
        # allow
        iptables -A FORWARD -i br0 -o br0 -j ACCEPT
        [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
        
        # reject (what to do with anything not allowed earlier)
        # uses the default -P DROP
        
        ### MASQ
        iptables -t nat -A PREROUTING -j prerouting_rule
        iptables -t nat -A POSTROUTING -j postrouting_rule
        [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
        
        ## USER RULES
        [ -f /etc/firewall.user ] && . /etc/firewall.user
        [ -n "$WAN" -a -e /etc/config/firewall ] && {
                awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
        }
}

stop() {
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -F
        iptables -t nat -P PREROUTING ACCEPT
        iptables -t nat -P POSTROUTING ACCEPT
        iptables -t nat -P OUTPUT ACCEPT
        iptables -t nat -F
}