  # Global firewall defaults: SYN-flood protection is switched on, and the
  # base policies accept input and output while rejecting forwarded traffic.
  # The per-zone sections override these for traffic that belongs to a zone
  # (the wan zone in this file sets its own input policy to DROP).
  1. config defaults
  2. option syn_flood 1
  3. option input ACCEPT
  4. option output ACCEPT
  5. option forward REJECT
  6. # Uncomment this line to disable ipv6 rules
  7. # option disable_ipv6 1
  8.  
  # Trusted side: hosts on the 'lan' network may reach services on the
  # router itself (input ACCEPT). Forwarding out of this zone is rejected by
  # default here and is opened towards wan only by the separate
  # 'config forwarding' section.
  9. config zone
  10. option name lan
  11. option network 'lan'
  12. option input ACCEPT
  13. option output ACCEPT
  14. option forward REJECT
  15.  
  # Untrusted side: unsolicited inbound traffic to the router is silently
  # dropped unless one of the 'config rule' sections with 'src wan' accepts
  # it, so every such rule is a deliberate hole in this policy.
  # masq enables NAT masquerading for traffic leaving through wan;
  # mtu_fix enables TCP MSS clamping on that path.
  16. config zone
  17. option name wan
  18. option network 'wan'
  19. option input DROP
  20. option output ACCEPT
  21. option forward REJECT
  22. option masq 1
  23. option mtu_fix 1
  24.  
  # Permits forwarding in one direction only, lan -> wan. No wan -> lan
  # forwarding section appears in this file, so new connections from wan
  # towards lan fall back to the zone's REJECT forward policy.
  25. config forwarding
  26. option src lan
  27. option dest wan
  28.  
  29. # We need to accept udp packets on port 68,
  30. # see https://dev.openwrt.org/ticket/4108
  # UDP 68 is the DHCP client port; without this exception the wan zone's
  # input DROP would discard DHCP replies addressed to the router's client.
  # The rule has no 'dest', so it applies to traffic for the router itself.
  31. config rule
  32. option src wan
  33. option proto udp
  34. option dest_port 68
  35. option target ACCEPT
  36. option family ipv4
  37.  
  38. # Allow IPv4 ping
  # Answers ICMP echo-request from the Internet. Useful for diagnostics, but
  # it also confirms to any remote party that the address is live; no rate
  # limit is set on this rule (the IPv6 ICMP rules in this file use 'limit').
  39. config rule
  40. option src wan
  41. option proto icmp
  42. option icmp_type echo-request
  43. option family ipv4
  44. option target ACCEPT
  45.  
  46. # Allow DHCPv6 replies
  47. # see https://dev.openwrt.org/ticket/10381
  # Narrowly scoped: only link-local (fe80::/10) source and destination,
  # server port 547 to client port 546, IPv6 only.
  48. config rule
  49. option src wan
  50. option proto udp
  51. option src_ip fe80::/10
  52. option src_port 547
  53. option dest_ip fe80::/10
  54. option dest_port 546
  55. option family ipv6
  56. option target ACCEPT
  57.  
  58. # Allow essential incoming IPv6 ICMP traffic
  # Input rule (no 'dest'): ICMPv6 addressed to the router. Besides error
  # messages and echo-request it admits the router/neighbour solicitation
  # and advertisement types, which IPv6 needs on the wan link.
  # Accepted packets are rate-limited to 1000 per second.
  59. config rule
  60. option src wan
  61. option proto icmp
  62. list icmp_type echo-request
  63. list icmp_type destination-unreachable
  64. list icmp_type packet-too-big
  65. list icmp_type time-exceeded
  66. list icmp_type bad-header
  67. list icmp_type unknown-header-type
  68. list icmp_type router-solicitation
  69. list icmp_type neighbour-solicitation
  70. list icmp_type router-advertisement
  71. list icmp_type neighbour-advertisement
  72. option limit 1000/sec
  73. option family ipv6
  74. option target ACCEPT
  75.  
  76. # Allow essential forwarded IPv6 ICMP traffic
  # Forward rule ('dest *'): ICMPv6 passing through the router from wan to
  # any zone. Unlike the input rule, the router/neighbour discovery types are
  # not listed here; only echo-request and error messages are forwarded,
  # rate-limited to 1000 per second.
  # NOTE(review): echo-request is included, so IPv6 hosts behind the router
  # answer pings from the Internet - confirm that is intended.
  77. config rule
  78. option src wan
  79. option dest *
  80. option proto icmp
  81. list icmp_type echo-request
  82. list icmp_type destination-unreachable
  83. list icmp_type packet-too-big
  84. list icmp_type time-exceeded
  85. list icmp_type bad-header
  86. list icmp_type unknown-header-type
  87. option limit 1000/sec
  88. option family ipv6
  89. option target ACCEPT
  90.  
  91. # Block ULA-traffic from leaking out
  # Egress filter: rejects any IPv6 packet leaving via wan whose source is in
  # fc00::/7 (Unique Local Addresses), so internal-only addressing is not
  # exposed upstream.
  92. config rule
  93. option name Enforce-ULA-Border-Src
  94. option src *
  95. option dest wan
  96. option proto all
  97. option src_ip fc00::/7
  98. option family ipv6
  99. option target REJECT
  100.  
  # Companion egress filter: rejects any IPv6 packet leaving via wan whose
  # destination is in fc00::/7 (Unique Local Addresses).
  101. config rule
  102. option name Enforce-ULA-Border-Dest
  103. option src *
  104. option dest wan
  105. option proto all
  106. option dest_ip fc00::/7
  107. option family ipv6
  108. option target REJECT
  109.  
  110. # include a file with users custom iptables rules
  # The rules in this file are not visible here and are part of the
  # effective policy: review /etc/firewall.user together with this config and
  # keep it writable by root only, since anything in it is loaded with the
  # firewall.
  111. config include
  112. option path /etc/firewall.user
  113.  
  # Opens TCP 9091 on the router to the whole Internet (src wan, no src_ip
  # restriction, no 'dest', so it is an input rule).
  # NOTE(review): 9091 is presumably the Transmission web/RPC interface, as
  # the rule name suggests. A remote-control interface reachable from any
  # address relies entirely on the daemon's own authentication; prefer
  # limiting the rule with 'src_ip' to known addresses or reaching the
  # interface through a VPN/SSH tunnel, and confirm RPC authentication is on.
  # '_name' is the label key used by the rules from here down; the
  # sections above use 'name'.
  114. config 'rule' 'transmission_web'
  115. option 'target' 'ACCEPT'
  116. option '_name' 'transmission_web'
  117. option 'src' 'wan'
  118. option 'proto' 'tcp'
  119. option 'dest_port' '9091'
  120.  
  # Accepts SSH (TCP 22) from wan for destination address 192.168.1.1, from
  # any source address.
  # NOTE(review): no 'dest' zone is set, so this is presumably evaluated as
  # an input rule that matches only packets addressed to 192.168.1.1 - verify
  # whether it matches connections arriving at the router's WAN address at
  # all, or whether it is dead configuration.
  # If SSH from the Internet is really wanted, restrict it with 'src_ip',
  # use key-only authentication on the SSH server, and expect continuous
  # password-guessing traffic against port 22 in the logs.
  121. config 'rule'
  122. option 'target' 'ACCEPT'
  123. option '_name' 'ssh_WAN'
  124. option 'src' 'wan'
  125. option 'proto' 'tcp'
  126. option 'dest_ip' '192.168.1.1'
  127. option 'dest_port' '22'
  128.  
  # Accepts FTP control connections (TCP 21) from wan for destination
  # address 192.168.1.1, from any source address.
  # NOTE(review): plain FTP sends credentials and data unencrypted, so a
  # login over the Internet exposes the password to anyone on the path;
  # SFTP over the existing SSH service or a VPN is the safer choice. Only
  # port 21 is opened here - confirm how the data connections are expected
  # to pass. As with the SSH rule, no 'dest' zone is set; verify that
  # the dest_ip match behaves as intended.
  129. config 'rule'
  130. option 'target' 'ACCEPT'
  131. option '_name' 'ftp_WAN'
  132. option 'src' 'wan'
  133. option 'proto' 'tcp'
  134. option 'dest_ip' '192.168.1.1'
  135. option 'dest_port' '21'
  136.  
  # Opens port 21234 on the router for both TCP and UDP ('tcpudp') from any
  # wan source.
  # NOTE(review): presumably the BitTorrent peer port of a Transmission
  # daemon running on the router - confirm it matches the daemon's configured
  # peer port, and remove the rule if the daemon is no longer in use so the
  # port does not stay open for whatever binds it next.
  137. config 'rule'
  138. option 'target' 'ACCEPT'
  139. option '_name' 'Transmission'
  140. option 'src' 'wan'
  141. option 'proto' 'tcpudp'
  142. option 'dest_port' '21234'
  143.  
  # Opens TCP 443 on the router to the whole Internet.
  # NOTE(review): going by the rule name this exposes the LuCI administration
  # interface over HTTPS. That puts the router's admin login and the web
  # server itself in reach of every scanner; prefer managing the router
  # through a VPN or an SSH tunnel, or at minimum restrict the rule with
  # 'src_ip' and use a strong, unique admin password.
  144. config 'rule'
  145. option 'target' 'ACCEPT'
  146. option '_name' 'Luci_HTTPS'
  147. option 'src' 'wan'
  148. option 'proto' 'tcp'
  149. option 'dest_port' '443'
  150.  
  # Time-based block: drops lan -> wan traffic from 192.168.1.181 on
  # weekdays between 10:00 and 22:00, using raw iptables time-match
  # arguments passed through 'extra'.
  # The rule is currently switched off (enabled '0') and has no effect.
  # NOTE(review): the iptables time match may compare against UTC rather than
  # local time - confirm the window before enabling. The match is by source
  # IP only, so it holds only while that host keeps this address (e.g. via a
  # static DHCP lease); a host that changes its address is not covered.
  151. config rule
  152. option src 'lan'
  153. option name 'block_internet_access_IP'
  154. option src_ip '192.168.1.181'
  155. option target 'DROP'
  156. option dest 'wan'
  157. option extra '-m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 10:00 --timestop 22:00'
  158. option enabled '0'