- root@OpenWrt:~# ubus call system board; uci show network; uci show firewall; \
- > ip address show; ip route show table all; ip rule show; iptables-save -c
- {
- "kernel": "4.14.131",
- "hostname": "OpenWrt",
- "system": "ARMv7 Processor rev 0 (v7l)",
- "model": "Netgear Nighthawk X4S R7800",
- "board_name": "netgear,r7800",
- "release": {
- "distribution": "OpenWrt",
- "version": "18.06.4",
- "revision": "r7808-ef686b7292",
- "target": "ipq806x\/generic",
- "description": "OpenWrt 18.06.4 r7808-ef686b7292"
- }
- }
- network.loopback=interface
- network.loopback.ifname='lo'
- network.loopback.proto='static'
- network.loopback.ipaddr='127.0.0.1'
- network.loopback.netmask='255.0.0.0'
- network.globals=globals
- network.globals.ula_prefix='fd8a:6052:7773::/48'
- network.lan=interface
- network.lan.type='bridge'
- network.lan.ifname='eth1.1'
- network.lan.proto='static'
- network.lan.ipaddr='10.0.0.1'
- network.lan.netmask='255.255.255.0'
- network.lan.ip6assign='60'
- network.wan=interface
- network.wan.ifname='eth0.2'
- network.wan.proto='dhcp'
- network.wan.peerdns='0'
- network.wan.dns='1.1.1.1 1.0.0.1'
- network.@switch[0]=switch
- network.@switch[0].name='switch0'
- network.@switch[0].reset='1'
- network.@switch[0].enable_vlan='1'
- network.@switch_vlan[0]=switch_vlan
- network.@switch_vlan[0].device='switch0'
- network.@switch_vlan[0].vlan='1'
- network.@switch_vlan[0].ports='1 2 3 4 6t'
- network.@switch_vlan[1]=switch_vlan
- network.@switch_vlan[1].device='switch0'
- network.@switch_vlan[1].vlan='2'
- network.@switch_vlan[1].ports='5 0t'
- network.WAN6=interface
- network.WAN6.proto='dhcpv6'
- network.WAN6.ifname='eth0.2'
- network.WAN6.reqaddress='try'
- network.WAN6.reqprefix='auto'
- network.WAN6.auto='0'
- network.PIA_VPN=interface
- network.PIA_VPN.proto='none'
- network.PIA_VPN.ifname='tun1'
- network.PIA_VPN.auto='1'
- network.VPN_SERVER=interface
- network.VPN_SERVER.proto='none'
- network.VPN_SERVER.ifname='tun0'
- network.VPN_SERVER.auto='1'
- network.TEST_WG_PIA=interface
- network.TEST_WG_PIA.proto='wireguard'
- network.TEST_WG_PIA.private_key='='**************''
- network.TEST_WG_PIA.addresses='='**************''
- network.@wireguard_TEST_WG_PIA[0]=wireguard_TEST_WG_PIA
- network.@wireguard_TEST_WG_PIA[0].endpoint_port='1337'
- network.@wireguard_TEST_WG_PIA[0].persistent_keepalive='25'
- network.@wireguard_TEST_WG_PIA[0].allowed_ips='0.0.0.0/0' '::/0'
- network.@wireguard_TEST_WG_PIA[0].description='PIA_italy'
- network.@wireguard_TEST_WG_PIA[0].public_key='**************'
- network.@wireguard_TEST_WG_PIA[0].endpoint_host='='**************''
- firewall.@defaults[0]=defaults
- firewall.@defaults[0].syn_flood='1'
- firewall.@defaults[0].input='ACCEPT'
- firewall.@defaults[0].output='ACCEPT'
- firewall.@defaults[0].forward='ACCEPT'
- firewall.@zone[0]=zone
- firewall.@zone[0].name='lan'
- firewall.@zone[0].input='ACCEPT'
- firewall.@zone[0].output='ACCEPT'
- firewall.@zone[0].forward='ACCEPT'
- firewall.@zone[0].device='tun0'
- firewall.@zone[0].network='lan'
- firewall.@zone[1]=zone
- firewall.@zone[1].name='wan'
- firewall.@zone[1].input='REJECT'
- firewall.@zone[1].output='ACCEPT'
- firewall.@zone[1].forward='REJECT'
- firewall.@zone[1].masq='1'
- firewall.@zone[1].mtu_fix='1'
- firewall.@zone[1].network='WAN6 wan'
- firewall.@rule[0]=rule
- firewall.@rule[0].name='Allow-DHCP-Renew'
- firewall.@rule[0].src='wan'
- firewall.@rule[0].proto='udp'
- firewall.@rule[0].dest_port='68'
- firewall.@rule[0].target='ACCEPT'
- firewall.@rule[0].family='ipv4'
- firewall.@rule[1]=rule
- firewall.@rule[1].name='Allow-Ping'
- firewall.@rule[1].src='wan'
- firewall.@rule[1].proto='icmp'
- firewall.@rule[1].icmp_type='echo-request'
- firewall.@rule[1].family='ipv4'
- firewall.@rule[1].target='ACCEPT'
- firewall.@rule[2]=rule
- firewall.@rule[2].name='Allow-IGMP'
- firewall.@rule[2].src='wan'
- firewall.@rule[2].proto='igmp'
- firewall.@rule[2].family='ipv4'
- firewall.@rule[2].target='ACCEPT'
- firewall.@rule[3]=rule
- firewall.@rule[3].name='Allow-DHCPv6'
- firewall.@rule[3].src='wan'
- firewall.@rule[3].proto='udp'
- firewall.@rule[3].src_ip='fc00::/6'
- firewall.@rule[3].dest_ip='fc00::/6'
- firewall.@rule[3].dest_port='546'
- firewall.@rule[3].family='ipv6'
- firewall.@rule[3].target='ACCEPT'
- firewall.@rule[4]=rule
- firewall.@rule[4].name='Allow-MLD'
- firewall.@rule[4].src='wan'
- firewall.@rule[4].proto='icmp'
- firewall.@rule[4].src_ip='fe80::/10'
- firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
- firewall.@rule[4].family='ipv6'
- firewall.@rule[4].target='ACCEPT'
- firewall.@rule[5]=rule
- firewall.@rule[5].name='Allow-ICMPv6-Input'
- firewall.@rule[5].src='wan'
- firewall.@rule[5].proto='icmp'
- firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
- firewall.@rule[5].limit='1000/sec'
- firewall.@rule[5].family='ipv6'
- firewall.@rule[5].target='ACCEPT'
- firewall.@rule[6]=rule
- firewall.@rule[6].name='Allow-ICMPv6-Forward'
- firewall.@rule[6].src='wan'
- firewall.@rule[6].dest='*'
- firewall.@rule[6].proto='icmp'
- firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
- firewall.@rule[6].limit='1000/sec'
- firewall.@rule[6].family='ipv6'
- firewall.@rule[6].target='ACCEPT'
- firewall.@rule[7]=rule
- firewall.@rule[7].name='Allow-IPSec-ESP'
- firewall.@rule[7].src='wan'
- firewall.@rule[7].dest='lan'
- firewall.@rule[7].proto='esp'
- firewall.@rule[7].target='ACCEPT'
- firewall.@rule[8]=rule
- firewall.@rule[8].name='Allow-ISAKMP'
- firewall.@rule[8].src='wan'
- firewall.@rule[8].dest='lan'
- firewall.@rule[8].dest_port='500'
- firewall.@rule[8].proto='udp'
- firewall.@rule[8].target='ACCEPT'
- firewall.@include[0]=include
- firewall.@include[0].path='/etc/firewall.user'
- firewall.miniupnpd=include
- firewall.miniupnpd.type='script'
- firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
- firewall.miniupnpd.family='any'
- firewall.miniupnpd.reload='1'
- firewall.lan_wan=forwarding
- firewall.lan_wan.dest='wan'
- firewall.lan_wan.src='lan'
- firewall.@zone[2]=zone
- firewall.@zone[2].output='ACCEPT'
- firewall.@zone[2].name='pia'
- firewall.@zone[2].masq='1'
- firewall.@zone[2].mtu_fix='1'
- firewall.@zone[2].network='PIA_VPN'
- firewall.@zone[2].input='REJECT'
- firewall.@zone[2].forward='REJECT'
- firewall.ovpn=rule
- firewall.ovpn.name='Allow-OpenVPN'
- firewall.ovpn.src='wan'
- firewall.ovpn.dest_port='1194'
- firewall.ovpn.proto='udp'
- firewall.ovpn.target='ACCEPT'
- firewall.@redirect[0]=redirect
- firewall.@redirect[0].target='DNAT'
- firewall.@redirect[0].src='wan'
- firewall.@redirect[0].dest_ip='10.0.0.100'
- firewall.@redirect[0].dest='lan'
- firewall.@redirect[0].name='Ftp-Rule1'
- firewall.@redirect[0].src_dport='20-21'
- firewall.@redirect[0].dest_port='20-21'
- firewall.@redirect[0].proto='tcp'
- firewall.@redirect[1]=redirect
- firewall.@redirect[1].target='DNAT'
- firewall.@redirect[1].src='wan'
- firewall.@redirect[1].dest='lan'
- firewall.@redirect[1].dest_ip='10.0.0.100'
- firewall.@redirect[1].name='Ftp-Rule2'
- firewall.@redirect[1].src_dport='6900-7000'
- firewall.@redirect[1].dest_port='6900-7000'
- firewall.@redirect[1].proto='tcp'
- firewall.@zone[3]=zone
- firewall.@zone[3].name='TEST_PIA_WG'
- firewall.@zone[3].output='ACCEPT'
- firewall.@zone[3].network='TEST_WG_PIA'
- firewall.@zone[3].masq='1'
- firewall.@zone[3].mtu_fix='1'
- firewall.@zone[3].input='REJECT'
- firewall.@zone[3].forward='REJECT'
- firewall.@forwarding[1]=forwarding
- firewall.@forwarding[1].dest='pia'
- firewall.@forwarding[1].src='lan'
- firewall.@forwarding[2]=forwarding
- firewall.@forwarding[2].dest='TEST_PIA_WG'
- firewall.@forwarding[2].src='lan'
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- inet 127.0.0.1/8 scope host lo
- valid_lft forever preferred_lft forever
- inet6 ::1/128 scope host
- valid_lft forever preferred_lft forever
- 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
- link/ether b0:7f:b9:3e:44:80 brd ff:ff:ff:ff:ff:ff
- inet6 fe80::b27f:b9ff:fe3e:4480/64 scope link
- valid_lft forever preferred_lft forever
- 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
- link/ether b0:7f:b9:3e:44:7f brd ff:ff:ff:ff:ff:ff
- inet6 fe80::b27f:b9ff:fe3e:447f/64 scope link
- valid_lft forever preferred_lft forever
- 4: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
- link/ether b0:7f:b9:3e:44:7f brd ff:ff:ff:ff:ff:ff
- inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1.1
- valid_lft forever preferred_lft forever
- 5: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
- link/ether 36:68:5c:0e:c2:dd brd ff:ff:ff:ff:ff:ff
- 6: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
- link/ether da:be:8c:b6:51:e6 brd ff:ff:ff:ff:ff:ff
- 7: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
- link/void
- 15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- link/ether b0:7f:b9:3e:44:7f brd ff:ff:ff:ff:ff:ff
- inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan
- valid_lft forever preferred_lft forever
- inet6 fd8a:6052:7773::1/60 scope global noprefixroute
- valid_lft forever preferred_lft forever
- inet6 fe80::b27f:b9ff:fe3e:447f/64 scope link
- valid_lft forever preferred_lft forever
- 16: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- link/ether b0:7f:b9:3e:44:80 brd ff:ff:ff:ff:ff:ff
- inet 192.168.1.150/24 brd 192.168.1.255 scope global eth0.2
- valid_lft forever preferred_lft forever
- inet6 fe80::b27f:b9ff:fe3e:4480/64 scope link
- valid_lft forever preferred_lft forever
- 19: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
- link/ether b0:7f:b9:3e:44:81 brd ff:ff:ff:ff:ff:ff
- inet6 fe80::b27f:b9ff:fe3e:4481/64 scope link
- valid_lft forever preferred_lft forever
- 20: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
- link/ether b0:7f:b9:3e:44:82 brd ff:ff:ff:ff:ff:ff
- inet6 fe80::b27f:b9ff:fe3e:4482/64 scope link
- valid_lft forever preferred_lft forever
- 21: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
- link/none
- inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
- valid_lft forever preferred_lft forever
- inet6 fe80::8025:7489:b647:b0e7/64 scope link stable-privacy
- valid_lft forever preferred_lft forever
- 23: TEST_WG_PIA: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
- link/none
- inet 10.25.152.131/32 brd 255.255.255.255 scope global TEST_WG_PIA
- valid_lft forever preferred_lft forever
- default via 192.168.1.1 dev eth0.2 table wan
- 10.0.0.0/24 dev br-lan table wan proto kernel scope link src 10.0.0.1
- 192.168.1.0/24 dev eth1.1 table wan proto kernel scope link src 192.168.1.1
- unreachable default table PIA_VPN
- 10.0.0.0/24 dev br-lan table PIA_VPN proto kernel scope link src 10.0.0.1
- 192.168.1.0/24 dev eth1.1 table PIA_VPN proto kernel scope link src 192.168.1.1
- default via 10.8.0.1 dev tun0 table VPN_SERVER
- 10.0.0.0/24 dev br-lan table VPN_SERVER proto kernel scope link src 10.0.0.1
- 192.168.1.0/24 dev eth1.1 table VPN_SERVER proto kernel scope link src 192.168.1.1
- default via 10.25.152.131 dev TEST_WG_PIA table TEST_WG_PIA
- 10.0.0.0/24 dev br-lan table TEST_WG_PIA proto kernel scope link src 10.0.0.1
- 192.168.1.0/24 dev eth1.1 table TEST_WG_PIA proto kernel scope link src 192.168.1.1
- default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.150
- 10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
- 10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
- 156.146.41.218 via 192.168.1.1 dev eth0.2 proto static
- 192.168.1.0/24 dev eth1.1 proto kernel scope link src 192.168.1.1
- 192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.150
- broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1
- local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1
- broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1
- broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
- local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
- broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
- local 10.25.152.131 dev TEST_WG_PIA table local proto kernel scope host src 10.25.152.131
- broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
- local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
- local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
- broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
- broadcast 192.168.1.0 dev eth1.1 table local proto kernel scope link src 192.168.1.1
- broadcast 192.168.1.0 dev eth0.2 table local proto kernel scope link src 192.168.1.150
- local 192.168.1.1 dev eth1.1 table local proto kernel scope host src 192.168.1.1
- local 192.168.1.150 dev eth0.2 table local proto kernel scope host src 192.168.1.150
- broadcast 192.168.1.255 dev eth1.1 table local proto kernel scope link src 192.168.1.1
- broadcast 192.168.1.255 dev eth0.2 table local proto kernel scope link src 192.168.1.150
- fd8a:6052:7773::/64 dev br-lan proto static metric 1024 pref medium
- unreachable fd8a:6052:7773::/48 dev lo proto static metric 2147483647 error -113 pref medium
- fe80::/64 dev eth1 proto kernel metric 256 pref medium
- fe80::/64 dev br-lan proto kernel metric 256 pref medium
- fe80::/64 dev eth0 proto kernel metric 256 pref medium
- fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
- fe80::/64 dev tun0 proto kernel metric 256 pref medium
- fe80::/64 dev wlan1 proto kernel metric 256 pref medium
- fe80::/64 dev wlan0 proto kernel metric 256 pref medium
- local ::1 dev lo table local proto kernel metric 0 pref medium
- anycast fd8a:6052:7773:: dev br-lan table local proto kernel metric 0 pref medium
- local fd8a:6052:7773::1 dev br-lan table local proto kernel metric 0 pref medium
- anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
- anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
- anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
- anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
- anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
- anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
- anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
- local fe80::8025:7489:b647:b0e7 dev tun0 table local proto kernel metric 0 pref medium
- local fe80::b27f:b9ff:fe3e:447f dev br-lan table local proto kernel metric 0 pref medium
- local fe80::b27f:b9ff:fe3e:447f dev eth1 table local proto kernel metric 0 pref medium
- local fe80::b27f:b9ff:fe3e:4480 dev eth0.2 table local proto kernel metric 0 pref medium
- local fe80::b27f:b9ff:fe3e:4480 dev eth0 table local proto kernel metric 0 pref medium
- local fe80::b27f:b9ff:fe3e:4481 dev wlan0 table local proto kernel metric 0 pref medium
- local fe80::b27f:b9ff:fe3e:4482 dev wlan1 table local proto kernel metric 0 pref medium
- ff00::/8 dev br-lan table local metric 256 pref medium
- ff00::/8 dev eth1 table local metric 256 pref medium
- ff00::/8 dev eth0 table local metric 256 pref medium
- ff00::/8 dev eth0.2 table local metric 256 pref medium
- ff00::/8 dev tun0 table local metric 256 pref medium
- ff00::/8 dev wlan1 table local metric 256 pref medium
- ff00::/8 dev wlan0 table local metric 256 pref medium
- ff00::/8 dev TEST_WG_PIA table local metric 256 pref medium
- 0: from all lookup local
- 32754: from all fwmark 0x40000/0xff0000 lookup TEST_WG_PIA
- 32755: from all fwmark 0x30000/0xff0000 lookup VPN_SERVER
- 32756: from all fwmark 0x20000/0xff0000 lookup PIA_VPN
- 32757: from all fwmark 0x10000/0xff0000 lookup wan
- 32766: from all lookup main
- 32767: from all lookup default
- # Generated by iptables-save v1.6.2 on Tue Mar 23 20:11:48 2021
- *nat
- :PREROUTING ACCEPT [10034:868447]
- :INPUT ACCEPT [798:63538]
- :OUTPUT ACCEPT [1921:130650]
- :POSTROUTING ACCEPT [128:8991]
- :MINIUPNPD - [0:0]
- :MINIUPNPD-POSTROUTING - [0:0]
- :postrouting_TEST_PIA_WG_rule - [0:0]
- :postrouting_lan_rule - [0:0]
- :postrouting_pia_rule - [0:0]
- :postrouting_rule - [0:0]
- :postrouting_wan_rule - [0:0]
- :prerouting_TEST_PIA_WG_rule - [0:0]
- :prerouting_lan_rule - [0:0]
- :prerouting_pia_rule - [0:0]
- :prerouting_rule - [0:0]
- :prerouting_wan_rule - [0:0]
- :zone_TEST_PIA_WG_postrouting - [0:0]
- :zone_TEST_PIA_WG_prerouting - [0:0]
- :zone_lan_postrouting - [0:0]
- :zone_lan_prerouting - [0:0]
- :zone_pia_postrouting - [0:0]
- :zone_pia_prerouting - [0:0]
- :zone_wan_postrouting - [0:0]
- :zone_wan_prerouting - [0:0]
- [0:0] -A PREROUTING -i TEST_WG_PIA -p tcp -m tcp --dport 51128 -j DNAT --to-destination 10.0.0.100:51128
- [0:0] -A PREROUTING -i TEST_WG_PIA -p udp -m udp --dport 51128 -j DNAT --to-destination 10.0.0.100:51128
- [36009:3240463] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
- [0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
- [35280:3181149] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
- [728:59270] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
- [0:0] -A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_pia_prerouting
- [0:0] -A PREROUTING -i TEST_WG_PIA -m comment --comment "!fw3" -j zone_TEST_PIA_WG_prerouting
- [39077:3350591] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
- [0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
- [10:3035] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
- [15495:1182759] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
- [0:0] -A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_pia_postrouting
- [23226:2141225] -A POSTROUTING -o TEST_WG_PIA -m comment --comment "!fw3" -j zone_TEST_PIA_WG_postrouting
- [0:0] -A MINIUPNPD -p tcp -m tcp --dport 51128 -j DNAT --to-destination 10.0.0.100:51128
- [0:0] -A MINIUPNPD -p udp -m udp --dport 51128 -j DNAT --to-destination 10.0.0.100:51128
- [23226:2141225] -A zone_TEST_PIA_WG_postrouting -m comment --comment "!fw3: Custom TEST_PIA_WG postrouting rule chain" -j postrouting_TEST_PIA_WG_rule
- [23226:2141225] -A zone_TEST_PIA_WG_postrouting -m comment --comment "!fw3" -j MASQUERADE
- [0:0] -A zone_TEST_PIA_WG_prerouting -m comment --comment "!fw3: Custom TEST_PIA_WG prerouting rule chain" -j prerouting_TEST_PIA_WG_rule
- [10:3035] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
- [0:0] -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.100/32 -p tcp -m tcp --dport 20:21 -m comment --comment "!fw3: Ftp-Rule1 (reflection)" -j SNAT --to-source 10.0.0.1
- [0:0] -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.100/32 -p tcp -m tcp --dport 6900:7000 -m comment --comment "!fw3: Ftp-Rule2 (reflection)" -j SNAT --to-source 10.0.0.1
- [35280:3181149] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
- [0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: ubus:simple-adblock[main] redirect 0" -j REDIRECT --to-ports 53
- [2116:140041] -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: ubus:simple-adblock[main] redirect 0" -j REDIRECT --to-ports 53
- [0:0] -A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.1.150/32 -p tcp -m tcp --dport 20:21 -m comment --comment "!fw3: Ftp-Rule1 (reflection)" -j DNAT --to-destination 10.0.0.100:20-21
- [0:0] -A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.1.150/32 -p tcp -m tcp --dport 6900:7000 -m comment --comment "!fw3: Ftp-Rule2 (reflection)" -j DNAT --to-destination 10.0.0.100:6900-7000
- [0:0] -A zone_pia_postrouting -m comment --comment "!fw3: Custom pia postrouting rule chain" -j postrouting_pia_rule
- [0:0] -A zone_pia_postrouting -m comment --comment "!fw3" -j MASQUERADE
- [0:0] -A zone_pia_prerouting -m comment --comment "!fw3: Custom pia prerouting rule chain" -j prerouting_pia_rule
- [15495:1182759] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
- [15493:1182679] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
- [15495:1182759] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
- [728:59270] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
- [0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 20:21 -m comment --comment "!fw3: Ftp-Rule1" -j DNAT --to-destination 10.0.0.100:20-21
- [0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 6900:7000 -m comment --comment "!fw3: Ftp-Rule2" -j DNAT --to-destination 10.0.0.100:6900-7000
- [726:59170] -A zone_wan_prerouting -j MINIUPNPD
- COMMIT
- # Completed on Tue Mar 23 20:11:48 2021
- # Generated by iptables-save v1.6.2 on Tue Mar 23 20:11:48 2021
- *mangle
- :PREROUTING ACCEPT [3601689:2587321999]
- :INPUT ACCEPT [1055584:166748171]
- :FORWARD ACCEPT [2545292:2420279840]
- :OUTPUT ACCEPT [2792625:2353232833]
- :POSTROUTING ACCEPT [5337851:4773509673]
- :VPR_MARK0x010000 - [0:0]
- :VPR_MARK0x020000 - [0:0]
- :VPR_MARK0x030000 - [0:0]
- :VPR_MARK0x040000 - [0:0]
- :VPR_PREROUTING - [0:0]
- [3601866:2587358446] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
- [4824:254528] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [1979:102812] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [0:0] -A FORWARD -o tun1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone pia MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [0:0] -A FORWARD -i tun1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone pia MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [15771:946260] -A FORWARD -o TEST_WG_PIA -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone TEST_PIA_WG MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [10347:615900] -A FORWARD -i TEST_WG_PIA -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone TEST_PIA_WG MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [0:0] -A VPR_MARK0x010000 -j MARK --set-xmark 0x10000/0xff0000
- [0:0] -A VPR_MARK0x010000 -j RETURN
- [0:0] -A VPR_MARK0x020000 -j MARK --set-xmark 0x20000/0xff0000
- [0:0] -A VPR_MARK0x020000 -j RETURN
- [0:0] -A VPR_MARK0x030000 -j MARK --set-xmark 0x30000/0xff0000
- [0:0] -A VPR_MARK0x030000 -j RETURN
- [1382987:2126917456] -A VPR_MARK0x040000 -j MARK --set-xmark 0x40000/0xff0000
- [1382987:2126917456] -A VPR_MARK0x040000 -j RETURN
- [0:0] -A VPR_PREROUTING -m set --match-set TEST_WG_PIA dst -g VPR_MARK0x040000
- [0:0] -A VPR_PREROUTING -m set --match-set VPN_SERVER dst -g VPR_MARK0x030000
- [0:0] -A VPR_PREROUTING -m set --match-set PIA_VPN dst -g VPR_MARK0x020000
- [0:0] -A VPR_PREROUTING -m set --match-set wan dst -g VPR_MARK0x010000
- [0:0] -A VPR_PREROUTING -d 10.8.0.0/24 -m comment --comment Ignore_Local_Requests_by_Destination -j RETURN
- [0:0] -A VPR_PREROUTING -s 10.0.0.100/32 -p tcp -m multiport --sports 20:21 -m comment --comment Ftp-Rule1 -g VPR_MARK0x010000
- [0:0] -A VPR_PREROUTING -s 10.0.0.100/32 -p udp -m multiport --sports 20:21 -m comment --comment Ftp-Rule1 -g VPR_MARK0x010000
- [0:0] -A VPR_PREROUTING -s 10.0.0.100/32 -p tcp -m multiport --sports 6900:7000 -m comment --comment Ftp-Rule2 -g VPR_MARK0x010000
- [0:0] -A VPR_PREROUTING -s 10.0.0.100/32 -p udp -m multiport --sports 6900:7000 -m comment --comment Ftp-Rule2 -g VPR_MARK0x010000
- [200499:441116785] -A VPR_PREROUTING -s 10.0.0.100/32 -p tcp -m comment --comment Nas -g VPR_MARK0x040000
- [1182488:1685800671] -A VPR_PREROUTING -s 10.0.0.100/32 -p udp -m comment --comment Nas -g VPR_MARK0x040000
- COMMIT
- # Completed on Tue Mar 23 20:11:48 2021
- # Generated by iptables-save v1.6.2 on Tue Mar 23 20:11:48 2021
- *filter
- :INPUT ACCEPT [1:44]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :MINIUPNPD - [0:0]
- :forwarding_TEST_PIA_WG_rule - [0:0]
- :forwarding_lan_rule - [0:0]
- :forwarding_pia_rule - [0:0]
- :forwarding_rule - [0:0]
- :forwarding_wan_rule - [0:0]
- :input_TEST_PIA_WG_rule - [0:0]
- :input_lan_rule - [0:0]
- :input_pia_rule - [0:0]
- :input_rule - [0:0]
- :input_wan_rule - [0:0]
- :output_TEST_PIA_WG_rule - [0:0]
- :output_lan_rule - [0:0]
- :output_pia_rule - [0:0]
- :output_rule - [0:0]
- :output_wan_rule - [0:0]
- :reject - [0:0]
- :syn_flood - [0:0]
- :zone_TEST_PIA_WG_dest_ACCEPT - [0:0]
- :zone_TEST_PIA_WG_dest_REJECT - [0:0]
- :zone_TEST_PIA_WG_forward - [0:0]
- :zone_TEST_PIA_WG_input - [0:0]
- :zone_TEST_PIA_WG_output - [0:0]
- :zone_TEST_PIA_WG_src_REJECT - [0:0]
- :zone_lan_dest_ACCEPT - [0:0]
- :zone_lan_forward - [0:0]
- :zone_lan_input - [0:0]
- :zone_lan_output - [0:0]
- :zone_lan_src_ACCEPT - [0:0]
- :zone_pia_dest_ACCEPT - [0:0]
- :zone_pia_dest_REJECT - [0:0]
- :zone_pia_forward - [0:0]
- :zone_pia_input - [0:0]
- :zone_pia_output - [0:0]
- :zone_pia_src_REJECT - [0:0]
- :zone_wan_dest_ACCEPT - [0:0]
- :zone_wan_dest_REJECT - [0:0]
- :zone_wan_forward - [0:0]
- :zone_wan_input - [0:0]
- :zone_wan_output - [0:0]
- :zone_wan_src_REJECT - [0:0]
- [8118:670506] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
- [1047626:166104897] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
- [1041285:165424312] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [668:34452] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
- [0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
- [5574:618651] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
- [757:61422] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
- [0:0] -A INPUT -i tun1 -m comment --comment "!fw3" -j zone_pia_input
- [9:468] -A INPUT -i TEST_WG_PIA -m comment --comment "!fw3" -j zone_TEST_PIA_WG_input
- [0:0] -A FORWARD -d 10.0.0.100/32 -i TEST_WG_PIA -p tcp -m tcp --dport 51128 -j ACCEPT
- [795859:44717344] -A FORWARD -d 10.0.0.100/32 -i TEST_WG_PIA -p udp -m udp --dport 51128 -j ACCEPT
- [1749570:2375596283] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
- [1703191:2371107831] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
- [46379:4488452] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
- [0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
- [0:0] -A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_pia_forward
- [0:0] -A FORWARD -i TEST_WG_PIA -m comment --comment "!fw3" -j zone_TEST_PIA_WG_forward
- [8118:670506] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
- [2784661:2352582989] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
- [2766832:2349931837] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
- [3545:1690911] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
- [14038:939937] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
- [0:0] -A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_pia_output
- [246:20304] -A OUTPUT -o TEST_WG_PIA -m comment --comment "!fw3" -j zone_TEST_PIA_WG_output
- [0:0] -A MINIUPNPD -d 10.0.0.100/32 -p tcp -m tcp --dport 51128 -j ACCEPT
- [0:0] -A MINIUPNPD -d 10.0.0.100/32 -p udp -m udp --dport 51128 -j ACCEPT
- [527:49630] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
- [236:12166] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
- [668:34452] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
- [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
- [18:936] -A zone_TEST_PIA_WG_dest_ACCEPT -o TEST_WG_PIA -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [34579:3269970] -A zone_TEST_PIA_WG_dest_ACCEPT -o TEST_WG_PIA -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_TEST_PIA_WG_dest_REJECT -o TEST_WG_PIA -m comment --comment "!fw3" -j reject
- [0:0] -A zone_TEST_PIA_WG_forward -m comment --comment "!fw3: Custom TEST_PIA_WG forwarding rule chain" -j forwarding_TEST_PIA_WG_rule
- [0:0] -A zone_TEST_PIA_WG_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_TEST_PIA_WG_forward -m comment --comment "!fw3" -j zone_TEST_PIA_WG_dest_REJECT
- [9:468] -A zone_TEST_PIA_WG_input -m comment --comment "!fw3: Custom TEST_PIA_WG input rule chain" -j input_TEST_PIA_WG_rule
- [0:0] -A zone_TEST_PIA_WG_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [9:468] -A zone_TEST_PIA_WG_input -m comment --comment "!fw3" -j zone_TEST_PIA_WG_src_REJECT
- [246:20304] -A zone_TEST_PIA_WG_output -m comment --comment "!fw3: Custom TEST_PIA_WG output rule chain" -j output_TEST_PIA_WG_rule
- [246:20304] -A zone_TEST_PIA_WG_output -m comment --comment "!fw3" -j zone_TEST_PIA_WG_dest_ACCEPT
- [9:468] -A zone_TEST_PIA_WG_src_REJECT -i TEST_WG_PIA -m comment --comment "!fw3" -j reject
- [0:0] -A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
- [3545:1690911] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
- [46379:4488452] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
- [0:0] -A zone_lan_forward -p tcp -m tcp --dport 853 -m comment --comment "!fw3: ubus:simple-adblock[main] rule 1" -j reject
- [0:0] -A zone_lan_forward -p udp -m udp --dport 853 -m comment --comment "!fw3: ubus:simple-adblock[main] rule 1" -j reject
- [46379:4488452] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
- [34351:3250602] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to pia forwarding policy" -j zone_pia_dest_ACCEPT
- [34351:3250602] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to TEST_PIA_WG forwarding policy" -j zone_TEST_PIA_WG_dest_ACCEPT
- [0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- [5574:618651] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
- [154:9599] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [5420:609052] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
- [3545:1690911] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
- [3545:1690911] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [5420:609052] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_pia_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [0:0] -A zone_pia_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_pia_dest_REJECT -o tun1 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_pia_forward -m comment --comment "!fw3: Custom pia forwarding rule chain" -j forwarding_pia_rule
- [0:0] -A zone_pia_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_pia_forward -m comment --comment "!fw3" -j zone_pia_dest_REJECT
- [0:0] -A zone_pia_input -m comment --comment "!fw3: Custom pia input rule chain" -j input_pia_rule
- [0:0] -A zone_pia_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_pia_input -m comment --comment "!fw3" -j zone_pia_src_REJECT
- [0:0] -A zone_pia_output -m comment --comment "!fw3: Custom pia output rule chain" -j output_pia_rule
- [0:0] -A zone_pia_output -m comment --comment "!fw3" -j zone_pia_dest_ACCEPT
- [0:0] -A zone_pia_src_REJECT -i tun1 -m comment --comment "!fw3" -j reject
- [56:2420] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [26010:2175367] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
- [0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_wan_forward -j MINIUPNPD
- [0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
- [757:61422] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
- [0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- [2:66] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- [0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
- [1:28] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
- [0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [754:61328] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
- [14038:939937] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
- [14038:939937] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- [754:61328] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
- COMMIT
- # Completed on Tue Mar 23 20:11:48 2021
- root@OpenWrt:~#