  # OpenWrt diagnostic dump, entered as one command line continued with `\`: interface addresses,
  # every routing table, policy rules, iptables rules with counters, WireGuard status, the UCI
  # network/firewall/dhcp configuration and the resolver files. Everything below is its output.
  # `uci show network` prints the WireGuard private key in clear (network.wg0.private_key); it is
  # redacted to 'xxx' in this paste, which is what must happen before such a dump is shared.
  # NOTE(review): the wan zone in the firewall config has input='ACCEPT' and forward='ACCEPT', and
  # there is a forwarding entry with src='wan' and no dest, so unsolicited traffic arriving on wan is
  # accepted by the router and forwarded to the other zones; presumably intended because wan sits
  # behind the upstream 192.168.0.1 (double NAT) -- confirm this is deliberate.
  # NOTE(review): resolv.conf.auto lists 192.168.10.1, the router's own br-SECURE address, as a
  # dnsmasq upstream (from network.SECURE.dns); this looks like it would forward queries to itself
  # -- verify.
  # `head -v -n -0` is also handed the /tmp/resolv.conf.d directory by the glob, hence the
  # harmless "I/O error" line in the output.
  1. root@OpenWrt:/share# ip address show; ip route show table all; ip rule show; iptables-save -c; \
  2. > wg show; uci show network; uci show firewall; uci show dhcp; \
  3. > head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  4. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  5.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  6.     inet 127.0.0.1/8 scope host lo
  7.        valid_lft forever preferred_lft forever
  8.     inet6 ::1/128 scope host
  9.        valid_lft forever preferred_lft forever
  10. 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP group default qlen 1024
  11.     link/ether 94:83:c4:0a:44:5c brd ff:ff:ff:ff:ff:ff
  12.     inet6 fe80::9683:c4ff:fe0a:445c/64 scope link
  13.        valid_lft forever preferred_lft forever
  14. 3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  15.     link/ether 94:83:c4:0a:44:5c brd ff:ff:ff:ff:ff:ff
  16.     inet 192.168.0.254/24 brd 192.168.0.255 scope global wan
  17.        valid_lft forever preferred_lft forever
  18.     inet6 fe80::9683:c4ff:fe0a:445c/64 scope link
  19.        valid_lft forever preferred_lft forever
  20. 4: lan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-SECURE state UP group default qlen 1000
  21.     link/ether 94:83:c4:0a:44:5d brd ff:ff:ff:ff:ff:ff
  22. 5: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
  23.     link/ether 94:83:c4:0a:44:5d brd ff:ff:ff:ff:ff:ff
  24.     inet 192.168.20.1/24 brd 192.168.20.255 scope global lan1
  25.        valid_lft forever preferred_lft forever
  26. 6: br-SECURE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  27.     link/ether 94:83:c4:0a:44:5d brd ff:ff:ff:ff:ff:ff
  28.     inet 192.168.10.1/24 brd 192.168.10.255 scope global br-SECURE
  29.        valid_lft forever preferred_lft forever
  30.     inet6 fe80::9683:c4ff:fe0a:445d/64 scope link
  31.        valid_lft forever preferred_lft forever
  32. 7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN group default qlen 1000
  33.     link/none
  34.     inet 10.55.0.1/24 brd 10.55.0.255 scope global wg0
  35.        valid_lft forever preferred_lft forever
  36. default via 192.168.0.1 dev wan proto static
  37. 10.55.0.0/24 via 192.168.10.1 dev br-SECURE proto static
  38. 10.55.0.2 dev wg0 proto static scope link
  39. 10.55.0.3 dev wg0 proto static scope link
  40. 172.31.0.0/16 via 192.168.10.2 dev br-SECURE proto static
  41. 192.168.0.0/24 dev wan proto kernel scope link src 192.168.0.254
  42. 192.168.10.0/24 dev br-SECURE proto kernel scope link src 192.168.10.1
  43. 192.168.20.0/24 dev lan1 proto kernel scope link src 192.168.20.1 linkdown
  44. 192.168.255.0/24 via 192.168.10.2 dev br-SECURE proto static
  45. broadcast 10.55.0.0 dev wg0 table local proto kernel scope link src 10.55.0.1
  46. local 10.55.0.1 dev wg0 table local proto kernel scope host src 10.55.0.1
  47. broadcast 10.55.0.255 dev wg0 table local proto kernel scope link src 10.55.0.1
  48. broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
  49. local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
  50. local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
  51. broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
  52. broadcast 192.168.0.0 dev wan table local proto kernel scope link src 192.168.0.254
  53. local 192.168.0.254 dev wan table local proto kernel scope host src 192.168.0.254
  54. broadcast 192.168.0.255 dev wan table local proto kernel scope link src 192.168.0.254
  55. broadcast 192.168.10.0 dev br-SECURE table local proto kernel scope link src 192.168.10.1
  56. local 192.168.10.1 dev br-SECURE table local proto kernel scope host src 192.168.10.1
  57. broadcast 192.168.10.255 dev br-SECURE table local proto kernel scope link src 192.168.10.1
  58. broadcast 192.168.20.0 dev lan1 table local proto kernel scope link src 192.168.20.1 linkdown
  59. local 192.168.20.1 dev lan1 table local proto kernel scope host src 192.168.20.1
  60. broadcast 192.168.20.255 dev lan1 table local proto kernel scope link src 192.168.20.1 linkdown
  61. unreachable fd19:e684:5061::/48 dev lo proto static metric 2147483647 pref medium
  62. fe80::/64 dev eth0 proto kernel metric 256 pref medium
  63. fe80::/64 dev br-SECURE proto kernel metric 256 pref medium
  64. fe80::/64 dev wan proto kernel metric 256 pref medium
  65. local ::1 dev lo table local proto kernel metric 0 pref medium
  66. anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
  67. anycast fe80:: dev br-SECURE table local proto kernel metric 0 pref medium
  68. anycast fe80:: dev wan table local proto kernel metric 0 pref medium
  69. local fe80::9683:c4ff:fe0a:445c dev eth0 table local proto kernel metric 0 pref medium
  70. local fe80::9683:c4ff:fe0a:445c dev wan table local proto kernel metric 0 pref medium
  71. local fe80::9683:c4ff:fe0a:445d dev br-SECURE table local proto kernel metric 0 pref medium
  72. multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
  73. multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
  74. multicast ff00::/8 dev br-SECURE table local proto kernel metric 256 pref medium
  75. multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
  76. 0:  from all lookup local
  77. 32766:  from all lookup main
  78. 32767:  from all lookup default
  79. # Generated by iptables-save v1.8.7 on Wed Jul 28 23:50:49 2021
  80. *nat
  81. :PREROUTING ACCEPT [2497:194804]
  82. :INPUT ACCEPT [885:96559]
  83. :OUTPUT ACCEPT [504:34791]
  84. :POSTROUTING ACCEPT [2095:132132]
  85. :postrouting_lan_rule - [0:0]
  86. :postrouting_rule - [0:0]
  87. :postrouting_unsecure_rule - [0:0]
  88. :postrouting_wan_rule - [0:0]
  89. :postrouting_wireguard_rule - [0:0]
  90. :prerouting_lan_rule - [0:0]
  91. :prerouting_rule - [0:0]
  92. :prerouting_unsecure_rule - [0:0]
  93. :prerouting_wan_rule - [0:0]
  94. :prerouting_wireguard_rule - [0:0]
  95. :zone_lan_postrouting - [0:0]
  96. :zone_lan_prerouting - [0:0]
  97. :zone_unsecure_postrouting - [0:0]
  98. :zone_unsecure_prerouting - [0:0]
  99. :zone_wan_postrouting - [0:0]
  100. :zone_wan_prerouting - [0:0]
  101. :zone_wireguard_postrouting - [0:0]
  102. :zone_wireguard_prerouting - [0:0]
  103. [2498:194980] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
  104. [2255:175910] -A PREROUTING -i br-SECURE -m comment --comment "!fw3" -j zone_lan_prerouting
  105. [46:5626] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
  106. [0:0] -A PREROUTING -i lan1 -m comment --comment "!fw3" -j zone_unsecure_prerouting
  107. [197:13444] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wireguard_prerouting
  108. [2095:132132] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
  109. [29:3100] -A POSTROUTING -o br-SECURE -m comment --comment "!fw3" -j zone_lan_postrouting
  110. [2061:128734] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
  111. [0:0] -A POSTROUTING -o lan1 -m comment --comment "!fw3" -j zone_unsecure_postrouting
  112. [0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wireguard_postrouting
  113. [29:3100] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
  114. [2255:175910] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
  115. [0:0] -A zone_unsecure_postrouting -m comment --comment "!fw3: Custom unsecure postrouting rule chain" -j postrouting_unsecure_rule
  116. [0:0] -A zone_unsecure_prerouting -m comment --comment "!fw3: Custom unsecure prerouting rule chain" -j prerouting_unsecure_rule
  117. [2061:128734] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
  118. [46:5626] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
  119. [0:0] -A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN" -j DNAT --to-destination 192.168.10.118:1194
  120. [1:176] -A zone_wan_prerouting -p udp -m udp --dport 1337 -m comment --comment "!fw3: WireguardVPN" -j DNAT --to-destination 192.168.10.1:1337
  121. [0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 5060:5076 -m comment --comment "!fw3: Gigaset-IP-Phone-SIP" -j DNAT --to-destination 192.168.10.90:5060-5076
  122. [0:0] -A zone_wan_prerouting -p udp -m udp --dport 5060:5076 -m comment --comment "!fw3: Gigaset-IP-Phone-SIP" -j DNAT --to-destination 192.168.10.90:5060-5076
  123. [0:0] -A zone_wan_prerouting -p udp -m udp --dport 5004:5020 -m comment --comment "!fw3: Gigaset-IP-Phone-RTP" -j DNAT --to-destination 192.168.10.90:5004-5020
  124. [0:0] -A zone_wireguard_postrouting -m comment --comment "!fw3: Custom wireguard postrouting rule chain" -j postrouting_wireguard_rule
  125. [197:13444] -A zone_wireguard_prerouting -m comment --comment "!fw3: Custom wireguard prerouting rule chain" -j prerouting_wireguard_rule
  126. COMMIT
  127. # Completed on Wed Jul 28 23:50:49 2021
  128. # Generated by iptables-save v1.8.7 on Wed Jul 28 23:50:49 2021
  129. *mangle
  130. :PREROUTING ACCEPT [44418:13838693]
  131. :INPUT ACCEPT [6333:827292]
  132. :FORWARD ACCEPT [38063:13010321]
  133. :OUTPUT ACCEPT [3735:910695]
  134. :POSTROUTING ACCEPT [41829:13923938]
  135. [362:22356] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  136. [359:21040] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  137. COMMIT
  138. # Completed on Wed Jul 28 23:50:49 2021
  139. # Generated by iptables-save v1.8.7 on Wed Jul 28 23:50:49 2021
  140. *filter
  141. :INPUT ACCEPT [0:0]
  142. :FORWARD DROP [0:0]
  143. :OUTPUT ACCEPT [0:0]
  144. :forwarding_lan_rule - [0:0]
  145. :forwarding_rule - [0:0]
  146. :forwarding_unsecure_rule - [0:0]
  147. :forwarding_wan_rule - [0:0]
  148. :forwarding_wireguard_rule - [0:0]
  149. :input_lan_rule - [0:0]
  150. :input_rule - [0:0]
  151. :input_unsecure_rule - [0:0]
  152. :input_wan_rule - [0:0]
  153. :input_wireguard_rule - [0:0]
  154. :output_lan_rule - [0:0]
  155. :output_rule - [0:0]
  156. :output_unsecure_rule - [0:0]
  157. :output_wan_rule - [0:0]
  158. :output_wireguard_rule - [0:0]
  159. :reject - [0:0]
  160. :syn_flood - [0:0]
  161. :zone_lan_dest_ACCEPT - [0:0]
  162. :zone_lan_forward - [0:0]
  163. :zone_lan_input - [0:0]
  164. :zone_lan_output - [0:0]
  165. :zone_lan_src_ACCEPT - [0:0]
  166. :zone_unsecure_dest_ACCEPT - [0:0]
  167. :zone_unsecure_dest_REJECT - [0:0]
  168. :zone_unsecure_forward - [0:0]
  169. :zone_unsecure_input - [0:0]
  170. :zone_unsecure_output - [0:0]
  171. :zone_unsecure_src_ACCEPT - [0:0]
  172. :zone_wan_dest_ACCEPT - [0:0]
  173. :zone_wan_forward - [0:0]
  174. :zone_wan_input - [0:0]
  175. :zone_wan_output - [0:0]
  176. :zone_wan_src_ACCEPT - [0:0]
  177. :zone_wireguard_dest_ACCEPT - [0:0]
  178. :zone_wireguard_forward - [0:0]
  179. :zone_wireguard_input - [0:0]
  180. :zone_wireguard_output - [0:0]
  181. :zone_wireguard_src_ACCEPT - [0:0]
  182. [20:1428] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
  183. [6313:825864] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
  184. [4413:534579] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  185. [5:312] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
  186. [1663:270801] -A INPUT -i br-SECURE -m comment --comment "!fw3" -j zone_lan_input
  187. [40:7040] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
  188. [0:0] -A INPUT -i lan1 -m comment --comment "!fw3" -j zone_unsecure_input
  189. [197:13444] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wireguard_input
  190. [38063:13010321] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
  191. [32470:12660283] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  192. [5593:350038] -A FORWARD -m comment --comment "!fw3: Zone * to lan forwarding policy" -j zone_lan_dest_ACCEPT
  193. [5547:346224] -A FORWARD -i br-SECURE -m comment --comment "!fw3" -j zone_lan_forward
  194. [0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
  195. [0:0] -A FORWARD -i lan1 -m comment --comment "!fw3" -j zone_unsecure_forward
  196. [0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wireguard_forward
  197. [0:0] -A FORWARD -m comment --comment "!fw3" -j reject
  198. [20:1428] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
  199. [3717:909093] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
  200. [2932:827182] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  201. [19:1166] -A OUTPUT -o br-SECURE -m comment --comment "!fw3" -j zone_lan_output
  202. [766:80745] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
  203. [0:0] -A OUTPUT -o lan1 -m comment --comment "!fw3" -j zone_unsecure_output
  204. [0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wireguard_output
  205. [0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
  206. [0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
  207. [5:312] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
  208. [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
  209. [65:4980] -A zone_lan_dest_ACCEPT -o br-SECURE -m comment --comment "!fw3" -j ACCEPT
  210. [5547:346224] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
  211. [5547:346224] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
  212. [0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  213. [0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  214. [1663:270801] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
  215. [0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  216. [1663:270801] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
  217. [19:1166] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
  218. [19:1166] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  219. [1663:270801] -A zone_lan_src_ACCEPT -i br-SECURE -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  220. [0:0] -A zone_unsecure_dest_ACCEPT -o lan1 -m comment --comment "!fw3" -j ACCEPT
  221. [0:0] -A zone_unsecure_dest_REJECT -o lan1 -m comment --comment "!fw3" -j reject
  222. [0:0] -A zone_unsecure_forward -m comment --comment "!fw3: Custom unsecure forwarding rule chain" -j forwarding_unsecure_rule
  223. [0:0] -A zone_unsecure_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  224. [0:0] -A zone_unsecure_forward -m comment --comment "!fw3" -j zone_unsecure_dest_REJECT
  225. [0:0] -A zone_unsecure_input -m comment --comment "!fw3: Custom unsecure input rule chain" -j input_unsecure_rule
  226. [0:0] -A zone_unsecure_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  227. [0:0] -A zone_unsecure_input -m comment --comment "!fw3" -j zone_unsecure_src_ACCEPT
  228. [0:0] -A zone_unsecure_output -m comment --comment "!fw3: Custom unsecure output rule chain" -j output_unsecure_rule
  229. [0:0] -A zone_unsecure_output -m comment --comment "!fw3" -j zone_unsecure_dest_ACCEPT
  230. [0:0] -A zone_unsecure_src_ACCEPT -i lan1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  231. [6313:426969] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
  232. [0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
  233. [0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
  234. [0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
  235. [0:0] -A zone_wan_forward -p udp -m udp --sport 3478 --dport 3478 -m comment --comment "!fw3: Allow-Alexa" -j zone_lan_dest_ACCEPT
  236. [0:0] -A zone_wan_forward -p tcp -m tcp --sport 4070 --dport 4070 -m comment --comment "!fw3: Allow-Sonos-Spotify-Connect" -j zone_lan_dest_ACCEPT
  237. [0:0] -A zone_wan_forward -p udp -m udp --sport 5353 --dport 5353 -m comment --comment "!fw3: Allow-Sonos-Spotify-Connect" -j zone_lan_dest_ACCEPT
  238. [0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to * forwarding policy" -j ACCEPT
  239. [0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  240. [0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
  241. [40:7040] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
  242. [0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  243. [0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  244. [8:288] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
  245. [1:176] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  246. [31:6576] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
  247. [766:80745] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
  248. [766:80745] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
  249. [31:6576] -A zone_wan_src_ACCEPT -i wan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  250. [0:0] -A zone_wireguard_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
  251. [0:0] -A zone_wireguard_forward -m comment --comment "!fw3: Custom wireguard forwarding rule chain" -j forwarding_wireguard_rule
  252. [0:0] -A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to lan forwarding policy" -j zone_lan_dest_ACCEPT
  253. [0:0] -A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to wan forwarding policy" -j zone_wan_dest_ACCEPT
  254. [0:0] -A zone_wireguard_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  255. [0:0] -A zone_wireguard_forward -m comment --comment "!fw3" -j zone_wireguard_dest_ACCEPT
  256. [197:13444] -A zone_wireguard_input -m comment --comment "!fw3: Custom wireguard input rule chain" -j input_wireguard_rule
  257. [0:0] -A zone_wireguard_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  258. [197:13444] -A zone_wireguard_input -m comment --comment "!fw3" -j zone_wireguard_src_ACCEPT
  259. [0:0] -A zone_wireguard_output -m comment --comment "!fw3: Custom wireguard output rule chain" -j output_wireguard_rule
  260. [0:0] -A zone_wireguard_output -m comment --comment "!fw3" -j zone_wireguard_dest_ACCEPT
  261. [197:13444] -A zone_wireguard_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  262. COMMIT
  263. # Completed on Wed Jul 28 23:50:49 2021
  264. interface: wg0
  265.   public key: dxxx
  266.   private key: (hidden)
  267.   listening port: 1337
  268.  
  269. peer: oxxxYM6QE=
  270.   endpoint: xxxx:58984
  271.   allowed ips: 10.55.0.2/32
  272.   latest handshake: 1 minute, 22 seconds ago
  273.   transfer: 677.77 KiB received, 1.22 MiB sent
  274.   persistent keepalive: every 25 seconds
  275.  
  276. peer: xxx=
  277.   endpoint: xxxxx:1037
  278.   allowed ips: 10.55.0.3/32
  279.   latest handshake: 2 hours, 33 minutes, 5 seconds ago
  280.   transfer: 19.97 KiB received, 412.39 KiB sent
  281.   persistent keepalive: every 25 seconds
  282. network.loopback=interface
  283. network.loopback.ifname='lo'
  284. network.loopback.proto='static'
  285. network.loopback.ipaddr='127.0.0.1'
  286. network.loopback.netmask='255.0.0.0'
  287. network.globals=globals
  288. network.globals.ula_prefix='xxx'
  289. network.wan=interface
  290. network.wan.ifname='wan'
  291. network.wan.delegate='0'
  292. network.wan.proto='static'
  293. network.wan.force_link='0'
  294. network.wan.ipaddr='192.168.0.254'
  295. network.wan.netmask='255.255.255.0'
  296. network.wan.gateway='192.168.0.1'
  297. network.wan6=interface
  298. network.wan6.ifname='wan'
  299. network.wan6.proto='static'
  300. network.wan6.auto='0'
  301. network.SECURE=interface
  302. network.SECURE.proto='static'
  303. network.SECURE.ifname='lan0'
  304. network.SECURE.netmask='255.255.255.0'
  305. network.SECURE.delegate='0'
  306. network.SECURE.force_link='0'
  307. network.SECURE.ipaddr='192.168.10.1'
  308. network.SECURE.gateway='192.168.0.1'
  309. network.SECURE.type='bridge'
  310. network.SECURE.igmp_snooping='1'
  311. network.SECURE.dns='192.168.10.1'
  312. network.UNSECURE=interface
  313. network.UNSECURE.proto='static'
  314. network.UNSECURE.ifname='lan1'
  315. network.UNSECURE.ipaddr='192.168.20.1'
  316. network.UNSECURE.netmask='255.255.255.0'
  317. network.UNSECURE.dns='192.168.10.108'
  318. network.UNSECURE.gateway='192.168.0.1'
  319. network.@route[0]=route
  320. network.@route[0].target='192.168.255.0'
  321. network.@route[0].netmask='255.255.255.0'
  322. network.@route[0].gateway='192.168.10.2'
  323. network.@route[0].interface='SECURE'
  324. network.@route[1]=route
  325. network.@route[1].interface='SECURE'
  326. network.@route[1].target='172.31.0.0'
  327. network.@route[1].netmask='255.255.0.0'
  328. network.@route[1].gateway='192.168.10.2'
  329. network.wg0=interface
  330. network.wg0.proto='wireguard'
  331. network.wg0.private_key='xxx'
  332. network.wg0.listen_port='1337'
  333. network.wg0.addresses='10.55.0.1/24'
  334. network.wg0.mtu='1300'
  335. network.@route[2]=route
  336. network.@route[2].interface='SECURE'
  337. network.@route[2].target='10.55.0.0/24'
  338. network.@route[2].netmask='255.255.255.0'
  339. network.@route[2].gateway='192.168.10.1'
  340. network.@wireguard_wg0[0]=wireguard_wg0
  341. network.@wireguard_wg0[0].description='MacbookAir'
  342. network.@wireguard_wg0[0].public_key='xxx'
  343. network.@wireguard_wg0[0].route_allowed_ips='1'
  344. network.@wireguard_wg0[0].persistent_keepalive='25'
  345. network.@wireguard_wg0[0].allowed_ips='10.55.0.2/32'
  346. network.@wireguard_wg0[1]=wireguard_wg0
  347. network.@wireguard_wg0[1].description='iPhone'
  348. network.@wireguard_wg0[1].route_allowed_ips='1'
  349. network.@wireguard_wg0[1].persistent_keepalive='25'
  350. network.@wireguard_wg0[1].public_key='xxx='
  351. network.@wireguard_wg0[1].allowed_ips='10.55.0.3/32'
  352. network.@route[3]=route
  353. network.@route[3].interface='SECURE'
  354. network.@route[3].netmask='255.255.255.0'
  355. network.@route[3].target='192.168.0.1'
  356. network.@route[3].gateway='192.168.10.1'
  357. firewall.@defaults[0]=defaults
  358. firewall.@defaults[0].input='ACCEPT'
  359. firewall.@defaults[0].output='ACCEPT'
  360. firewall.@defaults[0].forward='REJECT'
  361. firewall.@defaults[0].synflood_protect='1'
  362. firewall.@zone[0]=zone
  363. firewall.@zone[0].name='lan'
  364. firewall.@zone[0].input='ACCEPT'
  365. firewall.@zone[0].output='ACCEPT'
  366. firewall.@zone[0].forward='ACCEPT'
  367. firewall.@zone[0].network='SECURE'
  368. firewall.@zone[1]=zone
  369. firewall.@zone[1].name='wan'
  370. firewall.@zone[1].output='ACCEPT'
  371. firewall.@zone[1].mtu_fix='1'
  372. firewall.@zone[1].network='wan' 'wan6'
  373. firewall.@zone[1].input='ACCEPT'
  374. firewall.@zone[1].forward='ACCEPT'
  375. firewall.@forwarding[0]=forwarding
  376. firewall.@forwarding[0].src='lan'
  377. firewall.@forwarding[0].dest='wan'
  378. firewall.@rule[0]=rule
  379. firewall.@rule[0].name='Allow-DHCP-Renew'
  380. firewall.@rule[0].src='wan'
  381. firewall.@rule[0].proto='udp'
  382. firewall.@rule[0].dest_port='68'
  383. firewall.@rule[0].target='ACCEPT'
  384. firewall.@rule[0].family='ipv4'
  385. firewall.@rule[1]=rule
  386. firewall.@rule[1].name='Allow-Ping'
  387. firewall.@rule[1].src='wan'
  388. firewall.@rule[1].proto='icmp'
  389. firewall.@rule[1].icmp_type='echo-request'
  390. firewall.@rule[1].family='ipv4'
  391. firewall.@rule[1].target='ACCEPT'
  392. firewall.@rule[2]=rule
  393. firewall.@rule[2].name='Allow-IGMP'
  394. firewall.@rule[2].src='wan'
  395. firewall.@rule[2].proto='igmp'
  396. firewall.@rule[2].family='ipv4'
  397. firewall.@rule[2].target='ACCEPT'
  398. firewall.@rule[3]=rule
  399. firewall.@rule[3].name='Allow-DHCPv6'
  400. firewall.@rule[3].src='wan'
  401. firewall.@rule[3].proto='udp'
  402. firewall.@rule[3].src_ip='fc00::/6'
  403. firewall.@rule[3].dest_ip='fc00::/6'
  404. firewall.@rule[3].dest_port='546'
  405. firewall.@rule[3].family='ipv6'
  406. firewall.@rule[3].target='ACCEPT'
  407. firewall.@rule[4]=rule
  408. firewall.@rule[4].name='Allow-MLD'
  409. firewall.@rule[4].src='wan'
  410. firewall.@rule[4].proto='icmp'
  411. firewall.@rule[4].src_ip='fe80::/10'
  412. firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
  413. firewall.@rule[4].family='ipv6'
  414. firewall.@rule[4].target='ACCEPT'
  415. firewall.@rule[5]=rule
  416. firewall.@rule[5].name='Allow-ICMPv6-Input'
  417. firewall.@rule[5].src='wan'
  418. firewall.@rule[5].proto='icmp'
  419. firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
  420. firewall.@rule[5].limit='1000/sec'
  421. firewall.@rule[5].family='ipv6'
  422. firewall.@rule[5].target='ACCEPT'
  423. firewall.@rule[6]=rule
  424. firewall.@rule[6].name='Allow-ICMPv6-Forward'
  425. firewall.@rule[6].src='wan'
  426. firewall.@rule[6].dest='*'
  427. firewall.@rule[6].proto='icmp'
  428. firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
  429. firewall.@rule[6].limit='1000/sec'
  430. firewall.@rule[6].family='ipv6'
  431. firewall.@rule[6].target='ACCEPT'
  432. firewall.@rule[7]=rule
  433. firewall.@rule[7].name='Allow-IPSec-ESP'
  434. firewall.@rule[7].src='wan'
  435. firewall.@rule[7].dest='lan'
  436. firewall.@rule[7].proto='esp'
  437. firewall.@rule[7].target='ACCEPT'
  438. firewall.@rule[8]=rule
  439. firewall.@rule[8].name='Allow-ISAKMP'
  440. firewall.@rule[8].src='wan'
  441. firewall.@rule[8].dest='lan'
  442. firewall.@rule[8].dest_port='500'
  443. firewall.@rule[8].proto='udp'
  444. firewall.@rule[8].target='ACCEPT'
  445. firewall.@rule[9]=rule
  446. firewall.@rule[9].name='Support-UDP-Traceroute'
  447. firewall.@rule[9].src='wan'
  448. firewall.@rule[9].dest_port='33434:33689'
  449. firewall.@rule[9].proto='udp'
  450. firewall.@rule[9].family='ipv4'
  451. firewall.@rule[9].target='REJECT'
  452. firewall.@rule[9].enabled='0'
  453. firewall.@include[0]=include
  454. firewall.@include[0].path='/etc/firewall.user'
  455. firewall.@zone[2]=zone
  456. firewall.@zone[2].name='unsecure'
  457. firewall.@zone[2].input='ACCEPT'
  458. firewall.@zone[2].output='ACCEPT'
  459. firewall.@zone[2].forward='REJECT'
  460. firewall.@zone[2].network='UNSECURE'
  461. firewall.@redirect[0]=redirect
  462. firewall.@redirect[0].target='DNAT'
  463. firewall.@redirect[0].name='OpenVPN'
  464. firewall.@redirect[0].proto='udp'
  465. firewall.@redirect[0].src='wan'
  466. firewall.@redirect[0].src_dport='1194'
  467. firewall.@redirect[0].dest='lan'
  468. firewall.@redirect[0].dest_ip='192.168.10.118'
  469. firewall.@redirect[0].dest_port='1194'
  470. firewall.@redirect[1]=redirect
  471. firewall.@redirect[1].target='DNAT'
  472. firewall.@redirect[1].name='WireguardVPN'
  473. firewall.@redirect[1].proto='udp'
  474. firewall.@redirect[1].src='wan'
  475. firewall.@redirect[1].src_dport='1337'
  476. firewall.@redirect[1].dest='lan'
  477. firewall.@redirect[1].dest_ip='192.168.10.1'
  478. firewall.@redirect[1].dest_port='1337'
  479. firewall.@rule[10]=rule
  480. firewall.@rule[10].proto='udp'
  481. firewall.@rule[10].src='wan'
  482. firewall.@rule[10].src_port='3478'
  483. firewall.@rule[10].dest='lan'
  484. firewall.@rule[10].dest_port='3478'
  485. firewall.@rule[10].target='ACCEPT'
  486. firewall.@rule[10].name='Allow-Alexa'
  487. firewall.@rule[11]=rule
  488. firewall.@rule[11].name='Allow-Sonos-Spotify-Connect'
  489. firewall.@rule[11].proto='tcp'
  490. firewall.@rule[11].src='wan'
  491. firewall.@rule[11].src_port='4070'
  492. firewall.@rule[11].dest='lan'
  493. firewall.@rule[11].dest_port='4070'
  494. firewall.@rule[11].target='ACCEPT'
  495. firewall.@rule[12]=rule
  496. firewall.@rule[12].name='Allow-Sonos-Spotify-Connect'
  497. firewall.@rule[12].proto='udp'
  498. firewall.@rule[12].src='wan'
  499. firewall.@rule[12].src_port='5353   '
  500. firewall.@rule[12].dest='lan'
  501. firewall.@rule[12].dest_port='5353  '
  502. firewall.@rule[12].target='ACCEPT'
  503. firewall.@forwarding[1]=forwarding
  504. firewall.@forwarding[1].dest='lan'
  505. firewall.@forwarding[2]=forwarding
  506. firewall.@forwarding[2].src='wan'
  507. firewall.@zone[3]=zone
  508. firewall.@zone[3].name='wireguard'
  509. firewall.@zone[3].input='ACCEPT'
  510. firewall.@zone[3].output='ACCEPT'
  511. firewall.@zone[3].forward='ACCEPT'
  512. firewall.@zone[3].network='wg0'
  513. firewall.@forwarding[3]=forwarding
  514. firewall.@forwarding[3].src='wireguard'
  515. firewall.@forwarding[3].dest='lan'
  516. firewall.@forwarding[4]=forwarding
  517. firewall.@forwarding[4].src='wireguard'
  518. firewall.@forwarding[4].dest='wan'
  519. firewall.@redirect[2]=redirect
  520. firewall.@redirect[2].target='DNAT'
  521. firewall.@redirect[2].src='wan'
  522. firewall.@redirect[2].src_dport='5060-5076'
  523. firewall.@redirect[2].dest='lan'
  524. firewall.@redirect[2].dest_ip='192.168.10.90'
  525. firewall.@redirect[2].dest_port='5060-5076'
  526. firewall.@redirect[2].name='Gigaset-IP-Phone-SIP'
  527. firewall.@redirect[3]=redirect
  528. firewall.@redirect[3].target='DNAT'
  529. firewall.@redirect[3].proto='udp'
  530. firewall.@redirect[3].src='wan'
  531. firewall.@redirect[3].src_dport='5004-5020'
  532. firewall.@redirect[3].dest='lan'
  533. firewall.@redirect[3].dest_ip='192.168.10.90'
  534. firewall.@redirect[3].dest_port='5004-5020'
  535. firewall.@redirect[3].name='Gigaset-IP-Phone-RTP'
  536. dhcp.@dnsmasq[0]=dnsmasq
  537. dhcp.@dnsmasq[0].domainneeded='1'
  538. dhcp.@dnsmasq[0].localise_queries='1'
  539. dhcp.@dnsmasq[0].rebind_protection='1'
  540. dhcp.@dnsmasq[0].rebind_localhost='1'
  541. dhcp.@dnsmasq[0].expandhosts='1'
  542. dhcp.@dnsmasq[0].authoritative='1'
  543. dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
  544. dhcp.@dnsmasq[0].localservice='1'
  545. dhcp.@dnsmasq[0].ednspacket_max='1232'
  546. dhcp.@dnsmasq[0].leasefile='/share/dhcp.leases'
  547. dhcp.@dnsmasq[0].local='/home/'
  548. dhcp.@dnsmasq[0].domain='home'
  549. dhcp.@dnsmasq[0].nohosts='1'
  550. dhcp.@dnsmasq[0].addnhosts='/share/hosts'
  551. dhcp.lan=dhcp
  552. dhcp.lan.interface='lan'
  553. dhcp.lan.start='100'
  554. dhcp.lan.limit='150'
  555. dhcp.lan.leasetime='12h'
  556. dhcp.lan.dhcpv4='server'
  557. dhcp.lan.dhcpv6='server'
  558. dhcp.lan.ra='server'
  559. dhcp.lan.ra_slaac='1'
  560. dhcp.lan.ra_flags='managed-config' 'other-config'
  561. dhcp.lan.ra_maxinterval='600'
  562. dhcp.lan.ra_mininterval='200'
  563. dhcp.lan.ra_lifetime='1800'
  564. dhcp.lan.ra_mtu='0'
  565. dhcp.lan.ra_hoplimit='0'
  566. dhcp.lan.ra_management='1'
  567. dhcp.wan=dhcp
  568. dhcp.wan.interface='wan'
  569. dhcp.wan.ignore='1'
  570. dhcp.odhcpd=odhcpd
  571. dhcp.odhcpd.maindhcp='0'
  572. dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
  573. dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
  574. dhcp.odhcpd.loglevel='4'
  575. dhcp.SECURE=dhcp
  576. dhcp.SECURE.interface='SECURE'
  577. dhcp.SECURE.start='200'
  578. dhcp.SECURE.limit='254'
  579. dhcp.SECURE.leasetime='24h'
  580. dhcp.SECURE.force='1'
  581. dhcp.UNSECURE=dhcp
  582. dhcp.UNSECURE.interface='UNSECURE'
  583. dhcp.UNSECURE.start='100'
  584. dhcp.UNSECURE.limit='150'
  585. dhcp.UNSECURE.leasetime='12h'
  586. dhcp.UNSECURE.force='1'
  587. ==> /etc/resolv.conf <==
  588. search home
  589. nameserver 127.0.0.1
  590. nameserver ::1
  591.  
  592. ==> /tmp/resolv.conf <==
  593. search home
  594. nameserver 127.0.0.1
  595. nameserver ::1
  596.  
  597. ==> /tmp/resolv.conf.d <==
  598. head: /tmp/resolv.conf.d: I/O error
  599.  
  600. ==> /tmp/resolv.conf.d/resolv.conf.auto <==
  601. # Interface SECURE
  602. nameserver 192.168.10.1
  603. # Interface UNSECURE
  604. nameserver 192.168.10.108