/etc/config/network

a guest
Dec 28th, 2015
  1. config defaults
  2. option syn_flood 1
  3. option input ACCEPT
  4. option output ACCEPT
  5. option forward REJECT
  6. # Uncomment this line to disable ipv6 rules
  7. # option disable_ipv6 1
  8.  
  9.  
  10. ### FF Freifunk
  11. config zone
  12. option name 'KBU'
  13. option input 'ACCEPT'
  14. option output 'ACCEPT'
  15. option network 'KBU'
  16. option forward 'ACCEPT'
  17.  
  18. config forwarding
  19. option dest 'wan'
  20. option src 'KBU'
  21.  
  22. config defaults
  23. option syn_flood '1'
  24. option input 'ACCEPT'
  25. option output 'ACCEPT'
  26. option forward 'REJECT' # <- das ist entscheidend
  27. option drop_invalid '1'
  28.  
  29. #### FF ENDE
  30.  
  31.  
  32. config zone
  33. option name lan
  34. list network 'lan'
  35. option input ACCEPT
  36. option output ACCEPT
  37. option forward ACCEPT
  38.  
  39. config zone
  40. option name wan
  41. list network 'wan'
  42. list network 'wan6'
  43. option input REJECT
  44. option output ACCEPT
  45. option forward REJECT
  46. option masq 1
  47. option mtu_fix 1
  48.  
  49. config forwarding
  50. option src lan
  51. option dest wan
  52.  
  53. # We need to accept udp packets on port 68,
  54. # see https://dev.openwrt.org/ticket/4108
  55. config rule
  56. option name Allow-DHCP-Renew
  57. option src wan
  58. option proto udp
  59. option dest_port 68
  60. option target ACCEPT
  61. option family ipv4
  62.  
  63. # Allow IPv4 ping
  64. config rule
  65. option name Allow-Ping
  66. option src wan
  67. option proto icmp
  68. option icmp_type echo-request
  69. option family ipv4
  70. option target ACCEPT
  71.  
  72. config rule
  73. option name Allow-IGMP
  74. option src wan
  75. option proto igmp
  76. option family ipv4
  77. option target ACCEPT
  78.  
  79. # Allow DHCPv6 replies
  80. # see https://dev.openwrt.org/ticket/10381
  81. config rule
  82. option name Allow-DHCPv6
  83. option src wan
  84. option proto udp
  85. option src_ip fe80::/10
  86. option src_port 547
  87. option dest_ip fe80::/10
  88. option dest_port 546
  89. option family ipv6
  90. option target ACCEPT
  91.  
  92. config rule
  93. option name Allow-MLD
  94. option src wan
  95. option proto icmp
  96. option src_ip fe80::/10
  97. list icmp_type '130/0'
  98. list icmp_type '131/0'
  99. list icmp_type '132/0'
  100. list icmp_type '143/0'
  101. option family ipv6
  102. option target ACCEPT
  103.  
  104. # Allow essential incoming IPv6 ICMP traffic
  105. config rule
  106. option name Allow-ICMPv6-Input
  107. option src wan
  108. option proto icmp
  109. list icmp_type echo-request
  110. list icmp_type echo-reply
  111. list icmp_type destination-unreachable
  112. list icmp_type packet-too-big
  113. list icmp_type time-exceeded
  114. list icmp_type bad-header
  115. list icmp_type unknown-header-type
  116. list icmp_type router-solicitation
  117. list icmp_type neighbour-solicitation
  118. list icmp_type router-advertisement
  119. list icmp_type neighbour-advertisement
  120. option limit 1000/sec
  121. option family ipv6
  122. option target ACCEPT
  123.  
  124. # Allow essential forwarded IPv6 ICMP traffic
  125. config rule
  126. option name Allow-ICMPv6-Forward
  127. option src wan
  128. option dest *
  129. option proto icmp
  130. list icmp_type echo-request
  131. list icmp_type echo-reply
  132. list icmp_type destination-unreachable
  133. list icmp_type packet-too-big
  134. list icmp_type time-exceeded
  135. list icmp_type bad-header
  136. list icmp_type unknown-header-type
  137. option limit 1000/sec
  138. option family ipv6
  139. option target ACCEPT
  140.  
  141. # include a file with users custom iptables rules
  142. config include
  143. option path /etc/firewall.user
  144.  
  145.  
  146. ### EXAMPLE CONFIG SECTIONS
  147. # do not allow a specific ip to access wan
  148. #config rule
  149. # option src lan
  150. # option src_ip 192.168.45.2
  151. # option dest wan
  152. # option proto tcp
  153. # option target REJECT
  154.  
  155. # block a specific mac on wan
  156. #config rule
  157. # option dest wan
  158. # option src_mac 00:11:22:33:44:66
  159. # option target REJECT
  160.  
  161. # block incoming ICMP traffic on a zone
  162. #config rule
  163. # option src lan
  164. # option proto ICMP
  165. # option target DROP
  166.  
  167. # port redirect port coming in on wan to lan
  168. #config redirect
  169. # option src wan
  170. # option src_dport 80
  171. # option dest lan
  172. # option dest_ip 192.168.16.235
  173. # option dest_port 80
  174. # option proto tcp
  175.  
  176. # port redirect of remapped ssh port (22001) on wan
  177. #config redirect
  178. # option src wan
  179. # option src_dport 22001
  180. # option dest lan
  181. # option dest_port 22
  182. # option proto tcp
  183.  
  184. # allow IPsec/ESP and ISAKMP passthrough
  185. config rule
  186. option src wan
  187. option dest lan
  188. option proto esp
  189. option target ACCEPT
  190.  
  191. config rule
  192. option src wan
  193. option dest lan
  194. option dest_port 500
  195. option proto udp
  196. option target ACCEPT
  197.  
  198. ### FULL CONFIG SECTIONS
  199. #config rule
  200. # option src lan
  201. # option src_ip 192.168.45.2
  202. # option src_mac 00:11:22:33:44:55
  203. # option src_port 80
  204. # option dest wan
  205. # option dest_ip 194.25.2.129
  206. # option dest_port 120
  207. # option proto tcp
  208. # option target REJECT
  209.  
  210. #config redirect
  211. # option src lan
  212. # option src_ip 192.168.45.2
  213. # option src_mac 00:11:22:33:44:55
  214. # option src_port 1024
  215. # option src_dport 80
  216. # option dest_ip 194.25.2.129
  217. # option dest_port 120
  218. # option proto tcp