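#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
# $Id: firewall.user 69 2009-04-29 17:58:40Z weedy $
#
# Site-specific firewall rules for OpenWrt. The firewall init creates the
# user chains referenced here (input_rule, forwarding_rule, prerouting_rule,
# postrouting_rule) and jumps into them from the built-in chains; this file
# only appends to them. The overall policy is an egress allowlist: LAN hosts
# may forward only what is explicitly accepted below, everything else is
# dropped at the end of forwarding_rule.
#
# NOTE(review): the trailing DROP in forwarding_rule only makes sense if the
# parent FORWARD chain has already accepted RELATED,ESTABLISHED traffic
# before jumping here; that ordering lives in the firewall init of the
# installed release, not in this file -- confirm it when upgrading.

WAN="$(uci -P /var/state get network.wan.ifname)"
LAN="$(uci -P /var/state get network.lan.ifname)"

# busybox ifconfig prints "inet addr:A.B.C.D  Bcast:..."; field 2 is
# "addr:A.B.C.D" and the cut keeps the address. Quoting the interface name
# matters: an empty name would otherwise list every interface and the first
# address found (often lo) would silently become LANIP.
WANIP="$(ifconfig "$WAN" | grep 'inet addr' | awk '{print $2}' | cut -d':' -f 2)"
LANIP="$(ifconfig "$LAN" | grep 'inet addr' | awk '{print $2}' | cut -d':' -f 2)"

# Host-specific rules below are built from the LAN /24 prefix. With an empty
# LANIP they would become ".250" etc., which iptables rejects, so warn loudly
# (the default DROP at the end still applies, i.e. the result is fail-closed).
if [ -z "$LAN" ] || [ -z "$LANIP" ]; then
    echo "firewall.user: cannot determine LAN interface/address (LAN='$LAN'), host-specific rules will be rejected" >&2
fi
LANNET="${LANIP%.*}"    # e.g. 192.168.1 -- the last octet is appended per host
# WANIP is currently only referenced by the commented-out templates below.

### IPsec: ESP, IKE (udp/500) and NAT-T (udp/4500) may reach the router.
# Not bound to $WAN, so these are accepted on every interface.
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT
# Forward anything that arrived through, or will leave through, an IPsec tunnel.
iptables -A forwarding_rule -m policy --dir in  --pol ipsec --mode tunnel -j ACCEPT
iptables -A forwarding_rule -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
# Stop postrouting processing for RFC1918 destinations (the remote LANs behind
# the tunnels), presumably so the masquerade rule installed by the firewall
# init does not rewrite tunnel traffic -- that rule is not in this file.
iptables -t nat -A postrouting_rule -d 10.0.0.0/8     -j ACCEPT
iptables -t nat -A postrouting_rule -d 172.16.0.0/12  -j ACCEPT
iptables -t nat -A postrouting_rule -d 192.168.0.0/16 -j ACCEPT

### Disabled templates kept for reference (GRE, port forwards, catch-all DNAT).
#iptables -A output_rule -p 47 -j ACCEPT
#iptables -A input_rule -p 47 -j ACCEPT
#iptables -t nat -A prerouting_rule -p tcp --dport 8888 -j DNAT --to "$LANNET.251:80"
#iptables -A forwarding_rule -p tcp --dport 80 -d "$WANIP" -j ACCEPT
#iptables -t nat -A prerouting_rule -p tcp --dport 2222 -j DNAT --to "$WANIP:22"
#iptables -A forwarding_rule -p tcp --dport 22 -d "$WANIP" -j ACCEPT
# iptables -t nat -A prerouting_rule -j DNAT --to "$LANNET.170"
# iptables -A forwarding_rule -d "$LANNET.170" -j ACCEPT
#iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 81 -j DNAT --to-destination "$LANNET.251"
#iptables -A forwarding_rule -i "$WAN" -p tcp --dport 81 -d "$LANNET.251" -j ACCEPT

### Transparent proxy: HTTP from the LAN is redirected to the local port 3128.
# NOTE(review): this also catches HTTP aimed at the router's own LAN address;
# add `! -d "$LANIP"` if a web UI on port 80 must stay reachable directly.
iptables -t nat -A prerouting_rule -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-port 3128

### SSH on port 2020: brute-force limiter, then accept.
# A source that opens 5 or more new connections within 120 s is dropped; the
# tracked sources can be inspected under /proc/net/xt_recent/ATTACKER_SSH
# (ipt_recent on older kernels). The limiter sits in the filter table: nat
# chains are only traversed for the first packet of a connection and exist
# for translation, so policy is clearer and more robust here.
iptables -A input_rule -p tcp --dport 2020 -m state --state NEW \
    -m recent --name ATTACKER_SSH --rsource --update --seconds 120 --hitcount 5 -j DROP
iptables -A input_rule -p tcp --dport 2020 -m state --state NEW \
    -m recent --name ATTACKER_SSH --rsource --set
# NOTE(review): not bound to $WAN, so LAN clients are counted and accepted too.
iptables -A input_rule -p tcp --dport 2020 -j ACCEPT
# Keep 2020 out of any later catch-all DNAT in prerouting_rule (see the
# commented template above); ACCEPT in nat only ends translation lookup.
iptables -t nat -A prerouting_rule -p tcp --dport 2020 -j ACCEPT

### Port forward: WAN tcp/2080 -> $LANNET.250 (port is unchanged by the DNAT,
### so the forwarding accept still matches --dport 2080).
iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 2080 -j DNAT --to-destination "$LANNET.250"
iptables -A forwarding_rule -i "$WAN" -p tcp --dport 2080 -d "$LANNET.250" -j ACCEPT

### Egress allowlist for LAN hosts; anything not matched is dropped below.
# Disabled: unrestricted forwarding for .5
# iptables -A forwarding_rule -p tcp -i "$LAN" -s "$LANNET.5" -j ACCEPT
# iptables -A forwarding_rule -p udp -i "$LAN" -s "$LANNET.5" -j ACCEPT
# .247: tcp 21, 80, 3128 and 2000 only
iptables -A forwarding_rule -p tcp -i "$LAN" -s "$LANNET.247" -m multiport --dport 21,80,3128,2000 -j ACCEPT
# .200: udp 9999 only
iptables -A forwarding_rule -p udp -i "$LAN" -s "$LANNET.200" --dport 9999 -j ACCEPT
# Disabled: unrestricted TCP for .11-.254
# iptables -A forwarding_rule -p tcp -i "$LAN" -m iprange --src-range "$LANNET.11-$LANNET.254" -j ACCEPT
# .2-.10: a fixed set of TCP services plus DNS over UDP
iptables -A forwarding_rule -p tcp -i "$LAN" -m iprange --src-range "$LANNET.2-$LANNET.10" \
    -m multiport --dport 21,22,53,80,443,1433,3128,3579,3580,8000,8765,9865 -j ACCEPT
iptables -A forwarding_rule -p udp -i "$LAN" -m iprange --src-range "$LANNET.2-$LANNET.10" \
    -m multiport --dport 53 -j ACCEPT

### Destination block list, intended to break the popular instant messengers.
# One address or network per line; blank lines and '#' comments are skipped
# (previously an empty line produced a malformed rule that iptables rejected).
# Rules are inserted at the top of forwarding_rule so they precede every ACCEPT
# above. Note the match is limited to sources in $LANNET.2-.10: a host
# accepted by MAC below is not subject to the list unless it sits in that range.
if [ -f /etc/blockips.txt ]; then
    while read -r blocked _rest || [ -n "$blocked" ]; do
        case "$blocked" in
            ''|'#'*) continue ;;
        esac
        iptables -I forwarding_rule -d "$blocked" -i "$LAN" \
            -m iprange --src-range "$LANNET.2-$LANNET.10" -j DROP
    done < /etc/blockips.txt
fi

### MAC allowlist: listed LAN hosts may forward any TCP or UDP traffic.
# NOTE(review): -m mac matches the client's self-reported source MAC, which
# any client can change; treat this as a convenience, not as authentication.
if [ -f /etc/mac.txt ]; then
    while read -r mac _rest || [ -n "$mac" ]; do
        case "$mac" in
            ''|'#'*) continue ;;
        esac
        iptables -A forwarding_rule -p tcp -i "$LAN" -m mac --mac-source "$mac" -j ACCEPT
        iptables -A forwarding_rule -p udp -i "$LAN" -m mac --mac-source "$mac" -j ACCEPT
    done < /etc/mac.txt
fi

### Default deny for everything else traversing forwarding_rule (in every
### direction, not only LAN -> WAN).
iptables -A forwarding_rule -j DROP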