openwrt iptables
# Generated by iptables-save v1.4.21 on Sun Jan 31 15:31:10 2016
# nat table -- OpenWrt fw3 zone scaffolding (delegate_*/zone_*/*_rule chains,
# all of the *_rule user hooks are empty) plus a transparent-proxy hook in the
# SS_SPEC_* chains. The SS_ prefix, the _SS_SPEC_RULE_ comment and local port
# 1080 point to shadowsocks-libev's ss-redir -- presumably; confirm against
# the installed package.
# NOTE(review): ipset ss_spec_wan_ac is referenced but not defined in this
# dump. It must already exist when the file is loaded, otherwise
# iptables-restore aborts on the first rule that names it.
# NOTE(review): this is the IPv4 ruleset only. If the router also has IPv6
# connectivity, nothing here proxies v6 traffic -- check ip6tables-save too.
*nat
:PREROUTING ACCEPT [569:59885]
:INPUT ACCEPT [578:39478]
:OUTPUT ACCEPT [510:36499]
:POSTROUTING ACCEPT [91:7244]
:SS_SPEC_WAN_AC - [0:0]
:SS_SPEC_WAN_FW - [0:0]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
# TCP arriving from the LAN bridge is offered to the proxy before fw3's own
# prerouting dispatch runs (so the proxy decision precedes any port forward).
-A PREROUTING -i br-lan -p tcp -m comment --comment _SS_SPEC_RULE_ -j SS_SPEC_WAN_AC
-A PREROUTING -j delegate_prerouting
# TCP originated by the router itself takes the same path.
-A OUTPUT -p tcp -m comment --comment _SS_SPEC_RULE_ -j SS_SPEC_WAN_AC
-A POSTROUTING -j delegate_postrouting
# Destinations listed in the ipset bypass the proxy; everything else is
# redirected. NOTE(review): the proxy server's own address must be in this
# set, or ss-redir's upstream connections (which also traverse OUTPUT) are
# REDIRECTed back into port 1080. The set contents are not visible here --
# verify.
-A SS_SPEC_WAN_AC -m set --match-set ss_spec_wan_ac dst -j RETURN
-A SS_SPEC_WAN_AC -j SS_SPEC_WAN_FW
# Catch-all: every non-exempt TCP flow, whatever its destination port, is
# DNATed to the router's local port 1080. conntrack records these flows as
# DNAT, which the filter table's "Accept port redirections" rule later matches.
-A SS_SPEC_WAN_FW -p tcp -j REDIRECT --to-ports 1080
# Zone dispatch by outbound interface: eth0 and wlan0 are both wan-zone
# interfaces (masqueraded, untrusted), so the radio is presumably an uplink,
# not an access point for the LAN -- confirm.
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0 -j zone_wan_postrouting
-A delegate_postrouting -o wlan0 -j zone_wan_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0 -j zone_wan_prerouting
-A delegate_prerouting -i wlan0 -j zone_wan_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
# Source NAT for everything leaving a wan-zone interface. No DNAT port
# forwards are defined anywhere in this dump; the REDIRECT above is the only
# destination rewrite.
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Sun Jan 31 15:31:10 2016
# Generated by iptables-save v1.4.21 on Sun Jan 31 15:31:10 2016
# raw table -- delegate_notrack is empty, so nothing is exempted from
# connection tracking: every packet is conntracked (relevant for the
# RELATED,ESTABLISHED and ctstate DNAT matches in the filter table).
*raw
:PREROUTING ACCEPT [10235:2719708]
:OUTPUT ACCEPT [9578:3316689]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Sun Jan 31 15:31:10 2016
# Generated by iptables-save v1.4.21 on Sun Jan 31 15:31:10 2016
# mangle table -- UDP transparent proxy (TPROXY) for LAN clients plus fw3's
# MSS clamping toward the wan zone. The fwmark chain is empty.
*mangle
:PREROUTING ACCEPT [9897:2692995]
:INPUT ACCEPT [8597:2120404]
:FORWARD ACCEPT [1532:576239]
:OUTPUT ACCEPT [9578:3316689]
:POSTROUTING ACCEPT [11110:3892928]
:SS_SPEC_TPROXY - [0:0]
:fwmark - [0:0]
:mssfix - [0:0]
# Only UDP entering on the LAN bridge is proxied. UDP originated by the router
# itself (e.g. its own resolver, if any) and UDP from any other interface is
# not -- there is no OUTPUT hook in this table.
-A PREROUTING -i br-lan -p udp -m comment --comment _SS_SPEC_RULE_ -j SS_SPEC_TPROXY
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
# Destinations outside ipset ss_spec_wan_ac are steered to local UDP port 1080
# and marked 0x1. NOTE(review): TPROXY only delivers the packet locally if a
# policy route for fwmark 0x1 (ip rule + a routing table with a 'local' default
# route) exists; that lives outside this dump and could not be confirmed here.
# The ipset must also exist before this file is loaded.
-A SS_SPEC_TPROXY -p udp -m set ! --match-set ss_spec_wan_ac dst -j TPROXY --on-port 1080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
# Clamp the MSS of forwarded SYNs leaving a wan-zone interface to the path
# MTU (fw3 'mtu_fix'), avoiding black-holed connections behind a smaller-MTU
# uplink.
-A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A mssfix -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Jan 31 15:31:10 2016
# Generated by iptables-save v1.4.21 on Sun Jan 31 15:31:10 2016
# filter table -- OpenWrt fw3 layout: INPUT/FORWARD/OUTPUT jump into the
# delegate_* chains, which accept loopback and established traffic, offer
# (empty) user hook chains, then dispatch by interface into the lan zone
# (br-lan) or the wan zone (eth0 and wlan0).
# NOTE(review): the INPUT policy is ACCEPT and is reached by every packet that
# falls out of delegate_input, i.e. anything arriving on an interface other
# than lo, br-lan, eth0 or wlan0. A later-added interface (VPN tunnel, second
# radio) is therefore fully open to the router's services until it is put in
# a zone. A DROP/REJECT input default closes that gap; on OpenWrt that is the
# firewall 'defaults' input option, since fw3 regenerates this file.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
# Forwarding: user hook, established flows, per-source-zone chains, then an
# explicit reject -- the FORWARD DROP policy is never actually reached.
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0 -j zone_wan_forward
-A delegate_forward -i wlan0 -j zone_wan_forward
-A delegate_forward -j reject
# Input: loopback, user hook, established flows, SYN rate limiting on every
# interface (LAN included), then per-zone chains. There is no terminal rule,
# so unzoned interfaces fall through to the ACCEPT policy (see NOTE above).
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0 -j zone_wan_input
-A delegate_input -i wlan0 -j zone_wan_input
# Output: everything the router originates ends in a zone_*_dest_ACCEPT chain.
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0 -j zone_wan_output
-A delegate_output -o wlan0 -j zone_wan_output
# Active rejection (TCP RST / ICMP port-unreachable) rather than a silent DROP,
# including toward the wan zone; this confirms the router's presence to a
# scanner. Use DROP if that matters for the deployment.
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
# New TCP connections to the router beyond 25/s (burst 50) are dropped.
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
# lan -> wan forwarding is unrestricted; so is lan -> lan across the bridge.
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
# Everything from the LAN to the router is accepted (admin UI, SSH, DNS and
# the local proxy port 1080 alike). The ctstate DNAT match additionally covers
# the LAN TCP flows the nat table REDIRECTs to 1080.
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_wan_dest_ACCEPT -o wlan0 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -j reject
-A zone_wan_dest_REJECT -o wlan0 -j reject
# wan -> lan forwarding. @rule[7] / @rule[8] are user-added rules: they admit
# *new* IPsec ESP and IKE (UDP 500) from any wan-zone source toward any LAN
# host, not merely replies to LAN-initiated tunnels, and IKE NAT-T (UDP 4500)
# is not included. Whether anything upstream can actually deliver such
# packets to a private LAN address depends on routing/DNAT not visible here
# (no DNAT exists in this dump) -- confirm what these rules are meant to
# enable, and narrow them to the intended LAN host if they are kept.
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
# wan -> router: only DHCP client replies, echo-request (no -m limit, so
# unthrottled), IGMP and DNATed redirections are accepted; no TCP service
# (SSH, HTTP, the proxy port) is reachable from the wan zone. All else is
# rejected.
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -j reject
-A zone_wan_src_REJECT -i wlan0 -j reject
COMMIT
# Completed on Sun Jan 31 15:31:10 2016