Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- config defaults
- option syn_flood 1
- option input ACCEPT
- option output ACCEPT
- option forward REJECT
- # Uncomment this line to disable ipv6 rules
- # option disable_ipv6 1
- config zone
- option name lan
- option network 'lan'
- option input ACCEPT
- option output ACCEPT
- option forward REJECT
- config zone
- option name wan
- option network 'wan'
- option input DROP
- option output ACCEPT
- option forward REJECT
- option masq 1
- option mtu_fix 1
- config forwarding
- option src lan
- option dest wan
- # We need to accept udp packets on port 68,
- # see https://dev.openwrt.org/ticket/4108
- config rule
- option src wan
- option proto udp
- option dest_port 68
- option target ACCEPT
- option family ipv4
- # Allow IPv4 ping
- config rule
- option src wan
- option proto icmp
- option icmp_type echo-request
- option family ipv4
- option target ACCEPT
- # Allow DHCPv6 replies
- # see https://dev.openwrt.org/ticket/10381
- config rule
- option src wan
- option proto udp
- option src_ip fe80::/10
- option src_port 547
- option dest_ip fe80::/10
- option dest_port 546
- option family ipv6
- option target ACCEPT
- # Allow essential incoming IPv6 ICMP traffic
- config rule
- option src wan
- option proto icmp
- list icmp_type echo-request
- list icmp_type destination-unreachable
- list icmp_type packet-too-big
- list icmp_type time-exceeded
- list icmp_type bad-header
- list icmp_type unknown-header-type
- list icmp_type router-solicitation
- list icmp_type neighbour-solicitation
- list icmp_type router-advertisement
- list icmp_type neighbour-advertisement
- option limit 1000/sec
- option family ipv6
- option target ACCEPT
- # Allow essential forwarded IPv6 ICMP traffic
- config rule
- option src wan
- option dest *
- option proto icmp
- list icmp_type echo-request
- list icmp_type destination-unreachable
- list icmp_type packet-too-big
- list icmp_type time-exceeded
- list icmp_type bad-header
- list icmp_type unknown-header-type
- option limit 1000/sec
- option family ipv6
- option target ACCEPT
- # Block ULA-traffic from leaking out
- config rule
- option name Enforce-ULA-Border-Src
- option src *
- option dest wan
- option proto all
- option src_ip fc00::/7
- option family ipv6
- option target REJECT
- config rule
- option name Enforce-ULA-Border-Dest
- option src *
- option dest wan
- option proto all
- option dest_ip fc00::/7
- option family ipv6
- option target REJECT
- # include a file with users custom iptables rules
- config include
- option path /etc/firewall.user
- config 'rule' 'transmission_web'
- option 'target' 'ACCEPT'
- option '_name' 'transmission_web'
- option 'src' 'wan'
- option 'proto' 'tcp'
- option 'dest_port' '9091'
- config 'rule'
- option 'target' 'ACCEPT'
- option '_name' 'ssh_WAN'
- option 'src' 'wan'
- option 'proto' 'tcp'
- option 'dest_ip' '192.168.1.1'
- option 'dest_port' '22'
- config 'rule'
- option 'target' 'ACCEPT'
- option '_name' 'ftp_WAN'
- option 'src' 'wan'
- option 'proto' 'tcp'
- option 'dest_ip' '192.168.1.1'
- option 'dest_port' '21'
- config 'rule'
- option 'target' 'ACCEPT'
- option '_name' 'Transmission'
- option 'src' 'wan'
- option 'proto' 'tcpudp'
- option 'dest_port' '21234'
- config 'rule'
- option 'target' 'ACCEPT'
- option '_name' 'Luci_HTTPS'
- option 'src' 'wan'
- option 'proto' 'tcp'
- option 'dest_port' '443'
- config rule
- option src 'lan'
- option name 'block_internet_access_IP'
- option src_ip '192.168.1.181'
- option target 'DROP'
- option dest 'wan'
- option extra '-m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 10:00 --timestop 22:00'
- option enabled '0'
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement