
Untitled

a guest
Mar 23rd, 2021
  1. root@OpenWrt:~# ubus call system board; uci show network; uci show firewall; \
  2. > ip address show; ip route show table all; ip rule show; iptables-save -c
  3. {
  4. "kernel": "4.14.131",
  5. "hostname": "OpenWrt",
  6. "system": "ARMv7 Processor rev 0 (v7l)",
  7. "model": "Netgear Nighthawk X4S R7800",
  8. "board_name": "netgear,r7800",
  9. "release": {
  10. "distribution": "OpenWrt",
  11. "version": "18.06.4",
  12. "revision": "r7808-ef686b7292",
  13. "target": "ipq806x\/generic",
  14. "description": "OpenWrt 18.06.4 r7808-ef686b7292"
  15. }
  16. }
  17. network.loopback=interface
  18. network.loopback.ifname='lo'
  19. network.loopback.proto='static'
  20. network.loopback.ipaddr='127.0.0.1'
  21. network.loopback.netmask='255.0.0.0'
  22. network.globals=globals
  23. network.globals.ula_prefix='fd8a:6052:7773::/48'
  24. network.lan=interface
  25. network.lan.type='bridge'
  26. network.lan.ifname='eth1.1'
  27. network.lan.proto='static'
  28. network.lan.ipaddr='10.0.0.1'
  29. network.lan.netmask='255.255.255.0'
  30. network.lan.ip6assign='60'
  31. network.wan=interface
  32. network.wan.ifname='eth0.2'
  33. network.wan.proto='dhcp'
  34. network.wan.peerdns='0'
  35. network.wan.dns='1.1.1.1 1.0.0.1'
  36. network.@switch[0]=switch
  37. network.@switch[0].name='switch0'
  38. network.@switch[0].reset='1'
  39. network.@switch[0].enable_vlan='1'
  40. network.@switch_vlan[0]=switch_vlan
  41. network.@switch_vlan[0].device='switch0'
  42. network.@switch_vlan[0].vlan='1'
  43. network.@switch_vlan[0].ports='1 2 3 4 6t'
  44. network.@switch_vlan[1]=switch_vlan
  45. network.@switch_vlan[1].device='switch0'
  46. network.@switch_vlan[1].vlan='2'
  47. network.@switch_vlan[1].ports='5 0t'
  48. network.WAN6=interface
  49. network.WAN6.proto='dhcpv6'
  50. network.WAN6.ifname='eth0.2'
  51. network.WAN6.reqaddress='try'
  52. network.WAN6.reqprefix='auto'
  53. network.WAN6.auto='0'
  54. network.PIA_VPN=interface
  55. network.PIA_VPN.proto='none'
  56. network.PIA_VPN.ifname='tun1'
  57. network.PIA_VPN.auto='1'
  58. network.VPN_SERVER=interface
  59. network.VPN_SERVER.proto='none'
  60. network.VPN_SERVER.ifname='tun0'
  61. network.VPN_SERVER.auto='1'
  62. network.TEST_WG_PIA=interface
  63. network.TEST_WG_PIA.proto='wireguard'
  64. network.TEST_WG_PIA.private_key='='**************''
  65. network.TEST_WG_PIA.addresses='='**************''
  66. network.@wireguard_TEST_WG_PIA[0]=wireguard_TEST_WG_PIA
  67. network.@wireguard_TEST_WG_PIA[0].endpoint_port='1337'
  68. network.@wireguard_TEST_WG_PIA[0].persistent_keepalive='25'
  69. network.@wireguard_TEST_WG_PIA[0].allowed_ips='0.0.0.0/0' '::/0'
  70. network.@wireguard_TEST_WG_PIA[0].description='PIA_italy'
  71. network.@wireguard_TEST_WG_PIA[0].public_key='**************'
  72. network.@wireguard_TEST_WG_PIA[0].endpoint_host='='**************''
  73. firewall.@defaults[0]=defaults
  74. firewall.@defaults[0].syn_flood='1'
  75. firewall.@defaults[0].input='ACCEPT'
  76. firewall.@defaults[0].output='ACCEPT'
  77. firewall.@defaults[0].forward='ACCEPT'
  78. firewall.@zone[0]=zone
  79. firewall.@zone[0].name='lan'
  80. firewall.@zone[0].input='ACCEPT'
  81. firewall.@zone[0].output='ACCEPT'
  82. firewall.@zone[0].forward='ACCEPT'
  83. firewall.@zone[0].device='tun0'
  84. firewall.@zone[0].network='lan'
  85. firewall.@zone[1]=zone
  86. firewall.@zone[1].name='wan'
  87. firewall.@zone[1].input='REJECT'
  88. firewall.@zone[1].output='ACCEPT'
  89. firewall.@zone[1].forward='REJECT'
  90. firewall.@zone[1].masq='1'
  91. firewall.@zone[1].mtu_fix='1'
  92. firewall.@zone[1].network='WAN6 wan'
  93. firewall.@rule[0]=rule
  94. firewall.@rule[0].name='Allow-DHCP-Renew'
  95. firewall.@rule[0].src='wan'
  96. firewall.@rule[0].proto='udp'
  97. firewall.@rule[0].dest_port='68'
  98. firewall.@rule[0].target='ACCEPT'
  99. firewall.@rule[0].family='ipv4'
  100. firewall.@rule[1]=rule
  101. firewall.@rule[1].name='Allow-Ping'
  102. firewall.@rule[1].src='wan'
  103. firewall.@rule[1].proto='icmp'
  104. firewall.@rule[1].icmp_type='echo-request'
  105. firewall.@rule[1].family='ipv4'
  106. firewall.@rule[1].target='ACCEPT'
  107. firewall.@rule[2]=rule
  108. firewall.@rule[2].name='Allow-IGMP'
  109. firewall.@rule[2].src='wan'
  110. firewall.@rule[2].proto='igmp'
  111. firewall.@rule[2].family='ipv4'
  112. firewall.@rule[2].target='ACCEPT'
  113. firewall.@rule[3]=rule
  114. firewall.@rule[3].name='Allow-DHCPv6'
  115. firewall.@rule[3].src='wan'
  116. firewall.@rule[3].proto='udp'
  117. firewall.@rule[3].src_ip='fc00::/6'
  118. firewall.@rule[3].dest_ip='fc00::/6'
  119. firewall.@rule[3].dest_port='546'
  120. firewall.@rule[3].family='ipv6'
  121. firewall.@rule[3].target='ACCEPT'
  122. firewall.@rule[4]=rule
  123. firewall.@rule[4].name='Allow-MLD'
  124. firewall.@rule[4].src='wan'
  125. firewall.@rule[4].proto='icmp'
  126. firewall.@rule[4].src_ip='fe80::/10'
  127. firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
  128. firewall.@rule[4].family='ipv6'
  129. firewall.@rule[4].target='ACCEPT'
  130. firewall.@rule[5]=rule
  131. firewall.@rule[5].name='Allow-ICMPv6-Input'
  132. firewall.@rule[5].src='wan'
  133. firewall.@rule[5].proto='icmp'
  134. firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
  135. firewall.@rule[5].limit='1000/sec'
  136. firewall.@rule[5].family='ipv6'
  137. firewall.@rule[5].target='ACCEPT'
  138. firewall.@rule[6]=rule
  139. firewall.@rule[6].name='Allow-ICMPv6-Forward'
  140. firewall.@rule[6].src='wan'
  141. firewall.@rule[6].dest='*'
  142. firewall.@rule[6].proto='icmp'
  143. firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
  144. firewall.@rule[6].limit='1000/sec'
  145. firewall.@rule[6].family='ipv6'
  146. firewall.@rule[6].target='ACCEPT'
  147. firewall.@rule[7]=rule
  148. firewall.@rule[7].name='Allow-IPSec-ESP'
  149. firewall.@rule[7].src='wan'
  150. firewall.@rule[7].dest='lan'
  151. firewall.@rule[7].proto='esp'
  152. firewall.@rule[7].target='ACCEPT'
  153. firewall.@rule[8]=rule
  154. firewall.@rule[8].name='Allow-ISAKMP'
  155. firewall.@rule[8].src='wan'
  156. firewall.@rule[8].dest='lan'
  157. firewall.@rule[8].dest_port='500'
  158. firewall.@rule[8].proto='udp'
  159. firewall.@rule[8].target='ACCEPT'
  160. firewall.@include[0]=include
  161. firewall.@include[0].path='/etc/firewall.user'
  162. firewall.miniupnpd=include
  163. firewall.miniupnpd.type='script'
  164. firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
  165. firewall.miniupnpd.family='any'
  166. firewall.miniupnpd.reload='1'
  167. firewall.lan_wan=forwarding
  168. firewall.lan_wan.dest='wan'
  169. firewall.lan_wan.src='lan'
  170. firewall.@zone[2]=zone
  171. firewall.@zone[2].output='ACCEPT'
  172. firewall.@zone[2].name='pia'
  173. firewall.@zone[2].masq='1'
  174. firewall.@zone[2].mtu_fix='1'
  175. firewall.@zone[2].network='PIA_VPN'
  176. firewall.@zone[2].input='REJECT'
  177. firewall.@zone[2].forward='REJECT'
  178. firewall.ovpn=rule
  179. firewall.ovpn.name='Allow-OpenVPN'
  180. firewall.ovpn.src='wan'
  181. firewall.ovpn.dest_port='1194'
  182. firewall.ovpn.proto='udp'
  183. firewall.ovpn.target='ACCEPT'
  184. firewall.@redirect[0]=redirect
  185. firewall.@redirect[0].target='DNAT'
  186. firewall.@redirect[0].src='wan'
  187. firewall.@redirect[0].dest_ip='10.0.0.100'
  188. firewall.@redirect[0].dest='lan'
  189. firewall.@redirect[0].name='Ftp-Rule1'
  190. firewall.@redirect[0].src_dport='20-21'
  191. firewall.@redirect[0].dest_port='20-21'
  192. firewall.@redirect[0].proto='tcp'
  193. firewall.@redirect[1]=redirect
  194. firewall.@redirect[1].target='DNAT'
  195. firewall.@redirect[1].src='wan'
  196. firewall.@redirect[1].dest='lan'
  197. firewall.@redirect[1].dest_ip='10.0.0.100'
  198. firewall.@redirect[1].name='Ftp-Rule2'
  199. firewall.@redirect[1].src_dport='6900-7000'
  200. firewall.@redirect[1].dest_port='6900-7000'
  201. firewall.@redirect[1].proto='tcp'
  202. firewall.@zone[3]=zone
  203. firewall.@zone[3].name='TEST_PIA_WG'
  204. firewall.@zone[3].output='ACCEPT'
  205. firewall.@zone[3].network='TEST_WG_PIA'
  206. firewall.@zone[3].masq='1'
  207. firewall.@zone[3].mtu_fix='1'
  208. firewall.@zone[3].input='REJECT'
  209. firewall.@zone[3].forward='REJECT'
  210. firewall.@forwarding[1]=forwarding
  211. firewall.@forwarding[1].dest='pia'
  212. firewall.@forwarding[1].src='lan'
  213. firewall.@forwarding[2]=forwarding
  214. firewall.@forwarding[2].dest='TEST_PIA_WG'
  215. firewall.@forwarding[2].src='lan'
  216. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  217. link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  218. inet 127.0.0.1/8 scope host lo
  219. valid_lft forever preferred_lft forever
  220. inet6 ::1/128 scope host
  221. valid_lft forever preferred_lft forever
  222. 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
  223. link/ether b0:7f:b9:3e:44:80 brd ff:ff:ff:ff:ff:ff
  224. inet6 fe80::b27f:b9ff:fe3e:4480/64 scope link
  225. valid_lft forever preferred_lft forever
  226. 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
  227. link/ether b0:7f:b9:3e:44:7f brd ff:ff:ff:ff:ff:ff
  228. inet6 fe80::b27f:b9ff:fe3e:447f/64 scope link
  229. valid_lft forever preferred_lft forever
  230. 4: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
  231. link/ether b0:7f:b9:3e:44:7f brd ff:ff:ff:ff:ff:ff
  232. inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1.1
  233. valid_lft forever preferred_lft forever
  234. 5: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
  235. link/ether 36:68:5c:0e:c2:dd brd ff:ff:ff:ff:ff:ff
  236. 6: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
  237. link/ether da:be:8c:b6:51:e6 brd ff:ff:ff:ff:ff:ff
  238. 7: teql0: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
  239. link/void
  240. 15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  241. link/ether b0:7f:b9:3e:44:7f brd ff:ff:ff:ff:ff:ff
  242. inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan
  243. valid_lft forever preferred_lft forever
  244. inet6 fd8a:6052:7773::1/60 scope global noprefixroute
  245. valid_lft forever preferred_lft forever
  246. inet6 fe80::b27f:b9ff:fe3e:447f/64 scope link
  247. valid_lft forever preferred_lft forever
  248. 16: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  249. link/ether b0:7f:b9:3e:44:80 brd ff:ff:ff:ff:ff:ff
  250. inet 192.168.1.150/24 brd 192.168.1.255 scope global eth0.2
  251. valid_lft forever preferred_lft forever
  252. inet6 fe80::b27f:b9ff:fe3e:4480/64 scope link
  253. valid_lft forever preferred_lft forever
  254. 19: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
  255. link/ether b0:7f:b9:3e:44:81 brd ff:ff:ff:ff:ff:ff
  256. inet6 fe80::b27f:b9ff:fe3e:4481/64 scope link
  257. valid_lft forever preferred_lft forever
  258. 20: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
  259. link/ether b0:7f:b9:3e:44:82 brd ff:ff:ff:ff:ff:ff
  260. inet6 fe80::b27f:b9ff:fe3e:4482/64 scope link
  261. valid_lft forever preferred_lft forever
  262. 21: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
  263. link/none
  264. inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
  265. valid_lft forever preferred_lft forever
  266. inet6 fe80::8025:7489:b647:b0e7/64 scope link stable-privacy
  267. valid_lft forever preferred_lft forever
  268. 23: TEST_WG_PIA: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
  269. link/none
  270. inet 10.25.152.131/32 brd 255.255.255.255 scope global TEST_WG_PIA
  271. valid_lft forever preferred_lft forever
  272. default via 192.168.1.1 dev eth0.2 table wan
  273. 10.0.0.0/24 dev br-lan table wan proto kernel scope link src 10.0.0.1
  274. 192.168.1.0/24 dev eth1.1 table wan proto kernel scope link src 192.168.1.1
  275. unreachable default table PIA_VPN
  276. 10.0.0.0/24 dev br-lan table PIA_VPN proto kernel scope link src 10.0.0.1
  277. 192.168.1.0/24 dev eth1.1 table PIA_VPN proto kernel scope link src 192.168.1.1
  278. default via 10.8.0.1 dev tun0 table VPN_SERVER
  279. 10.0.0.0/24 dev br-lan table VPN_SERVER proto kernel scope link src 10.0.0.1
  280. 192.168.1.0/24 dev eth1.1 table VPN_SERVER proto kernel scope link src 192.168.1.1
  281. default via 10.25.152.131 dev TEST_WG_PIA table TEST_WG_PIA
  282. 10.0.0.0/24 dev br-lan table TEST_WG_PIA proto kernel scope link src 10.0.0.1
  283. 192.168.1.0/24 dev eth1.1 table TEST_WG_PIA proto kernel scope link src 192.168.1.1
  284. default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.150
  285. 10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
  286. 10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
  287. 156.146.41.218 via 192.168.1.1 dev eth0.2 proto static
  288. 192.168.1.0/24 dev eth1.1 proto kernel scope link src 192.168.1.1
  289. 192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.150
  290. broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1
  291. local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1
  292. broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1
  293. broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
  294. local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
  295. broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
  296. local 10.25.152.131 dev TEST_WG_PIA table local proto kernel scope host src 10.25.152.131
  297. broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
  298. local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
  299. local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
  300. broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
  301. broadcast 192.168.1.0 dev eth1.1 table local proto kernel scope link src 192.168.1.1
  302. broadcast 192.168.1.0 dev eth0.2 table local proto kernel scope link src 192.168.1.150
  303. local 192.168.1.1 dev eth1.1 table local proto kernel scope host src 192.168.1.1
  304. local 192.168.1.150 dev eth0.2 table local proto kernel scope host src 192.168.1.150
  305. broadcast 192.168.1.255 dev eth1.1 table local proto kernel scope link src 192.168.1.1
  306. broadcast 192.168.1.255 dev eth0.2 table local proto kernel scope link src 192.168.1.150
  307. fd8a:6052:7773::/64 dev br-lan proto static metric 1024 pref medium
  308. unreachable fd8a:6052:7773::/48 dev lo proto static metric 2147483647 error -113 pref medium
  309. fe80::/64 dev eth1 proto kernel metric 256 pref medium
  310. fe80::/64 dev br-lan proto kernel metric 256 pref medium
  311. fe80::/64 dev eth0 proto kernel metric 256 pref medium
  312. fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
  313. fe80::/64 dev tun0 proto kernel metric 256 pref medium
  314. fe80::/64 dev wlan1 proto kernel metric 256 pref medium
  315. fe80::/64 dev wlan0 proto kernel metric 256 pref medium
  316. local ::1 dev lo table local proto kernel metric 0 pref medium
  317. anycast fd8a:6052:7773:: dev br-lan table local proto kernel metric 0 pref medium
  318. local fd8a:6052:7773::1 dev br-lan table local proto kernel metric 0 pref medium
  319. anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
  320. anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
  321. anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
  322. anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
  323. anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
  324. anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
  325. anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
  326. local fe80::8025:7489:b647:b0e7 dev tun0 table local proto kernel metric 0 pref medium
  327. local fe80::b27f:b9ff:fe3e:447f dev br-lan table local proto kernel metric 0 pref medium
  328. local fe80::b27f:b9ff:fe3e:447f dev eth1 table local proto kernel metric 0 pref medium
  329. local fe80::b27f:b9ff:fe3e:4480 dev eth0.2 table local proto kernel metric 0 pref medium
  330. local fe80::b27f:b9ff:fe3e:4480 dev eth0 table local proto kernel metric 0 pref medium
  331. local fe80::b27f:b9ff:fe3e:4481 dev wlan0 table local proto kernel metric 0 pref medium
  332. local fe80::b27f:b9ff:fe3e:4482 dev wlan1 table local proto kernel metric 0 pref medium
  333. ff00::/8 dev br-lan table local metric 256 pref medium
  334. ff00::/8 dev eth1 table local metric 256 pref medium
  335. ff00::/8 dev eth0 table local metric 256 pref medium
  336. ff00::/8 dev eth0.2 table local metric 256 pref medium
  337. ff00::/8 dev tun0 table local metric 256 pref medium
  338. ff00::/8 dev wlan1 table local metric 256 pref medium
  339. ff00::/8 dev wlan0 table local metric 256 pref medium
  340. ff00::/8 dev TEST_WG_PIA table local metric 256 pref medium
  341. 0: from all lookup local
  342. 32754: from all fwmark 0x40000/0xff0000 lookup TEST_WG_PIA
  343. 32755: from all fwmark 0x30000/0xff0000 lookup VPN_SERVER
  344. 32756: from all fwmark 0x20000/0xff0000 lookup PIA_VPN
  345. 32757: from all fwmark 0x10000/0xff0000 lookup wan
  346. 32766: from all lookup main
  347. 32767: from all lookup default
  348. # Generated by iptables-save v1.6.2 on Tue Mar 23 20:11:48 2021
  349. *nat
  350. :PREROUTING ACCEPT [10034:868447]
  351. :INPUT ACCEPT [798:63538]
  352. :OUTPUT ACCEPT [1921:130650]
  353. :POSTROUTING ACCEPT [128:8991]
  354. :MINIUPNPD - [0:0]
  355. :MINIUPNPD-POSTROUTING - [0:0]
  356. :postrouting_TEST_PIA_WG_rule - [0:0]
  357. :postrouting_lan_rule - [0:0]
  358. :postrouting_pia_rule - [0:0]
  359. :postrouting_rule - [0:0]
  360. :postrouting_wan_rule - [0:0]
  361. :prerouting_TEST_PIA_WG_rule - [0:0]
  362. :prerouting_lan_rule - [0:0]
  363. :prerouting_pia_rule - [0:0]
  364. :prerouting_rule - [0:0]
  365. :prerouting_wan_rule - [0:0]
  366. :zone_TEST_PIA_WG_postrouting - [0:0]
  367. :zone_TEST_PIA_WG_prerouting - [0:0]
  368. :zone_lan_postrouting - [0:0]
  369. :zone_lan_prerouting - [0:0]
  370. :zone_pia_postrouting - [0:0]
  371. :zone_pia_prerouting - [0:0]
  372. :zone_wan_postrouting - [0:0]
  373. :zone_wan_prerouting - [0:0]
  374. [0:0] -A PREROUTING -i TEST_WG_PIA -p tcp -m tcp --dport 51128 -j DNAT --to-destination 10.0.0.100:51128
  375. [0:0] -A PREROUTING -i TEST_WG_PIA -p udp -m udp --dport 51128 -j DNAT --to-destination 10.0.0.100:51128
  376. [36009:3240463] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
  377. [0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
  378. [35280:3181149] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
  379. [728:59270] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
  380. [0:0] -A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_pia_prerouting
  381. [0:0] -A PREROUTING -i TEST_WG_PIA -m comment --comment "!fw3" -j zone_TEST_PIA_WG_prerouting
  382. [39077:3350591] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
  383. [0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
  384. [10:3035] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
  385. [15495:1182759] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
  386. [0:0] -A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_pia_postrouting
  387. [23226:2141225] -A POSTROUTING -o TEST_WG_PIA -m comment --comment "!fw3" -j zone_TEST_PIA_WG_postrouting
  388. [0:0] -A MINIUPNPD -p tcp -m tcp --dport 51128 -j DNAT --to-destination 10.0.0.100:51128
  389. [0:0] -A MINIUPNPD -p udp -m udp --dport 51128 -j DNAT --to-destination 10.0.0.100:51128
  390. [23226:2141225] -A zone_TEST_PIA_WG_postrouting -m comment --comment "!fw3: Custom TEST_PIA_WG postrouting rule chain" -j postrouting_TEST_PIA_WG_rule
  391. [23226:2141225] -A zone_TEST_PIA_WG_postrouting -m comment --comment "!fw3" -j MASQUERADE
  392. [0:0] -A zone_TEST_PIA_WG_prerouting -m comment --comment "!fw3: Custom TEST_PIA_WG prerouting rule chain" -j prerouting_TEST_PIA_WG_rule
  393. [10:3035] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
  394. [0:0] -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.100/32 -p tcp -m tcp --dport 20:21 -m comment --comment "!fw3: Ftp-Rule1 (reflection)" -j SNAT --to-source 10.0.0.1
  395. [0:0] -A zone_lan_postrouting -s 10.0.0.0/24 -d 10.0.0.100/32 -p tcp -m tcp --dport 6900:7000 -m comment --comment "!fw3: Ftp-Rule2 (reflection)" -j SNAT --to-source 10.0.0.1
  396. [35280:3181149] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
  397. [0:0] -A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: ubus:simple-adblock[main] redirect 0" -j REDIRECT --to-ports 53
  398. [2116:140041] -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: ubus:simple-adblock[main] redirect 0" -j REDIRECT --to-ports 53
  399. [0:0] -A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.1.150/32 -p tcp -m tcp --dport 20:21 -m comment --comment "!fw3: Ftp-Rule1 (reflection)" -j DNAT --to-destination 10.0.0.100:20-21
  400. [0:0] -A zone_lan_prerouting -s 10.0.0.0/24 -d 192.168.1.150/32 -p tcp -m tcp --dport 6900:7000 -m comment --comment "!fw3: Ftp-Rule2 (reflection)" -j DNAT --to-destination 10.0.0.100:6900-7000
  401. [0:0] -A zone_pia_postrouting -m comment --comment "!fw3: Custom pia postrouting rule chain" -j postrouting_pia_rule
  402. [0:0] -A zone_pia_postrouting -m comment --comment "!fw3" -j MASQUERADE
  403. [0:0] -A zone_pia_prerouting -m comment --comment "!fw3: Custom pia prerouting rule chain" -j prerouting_pia_rule
  404. [15495:1182759] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
  405. [15493:1182679] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
  406. [15495:1182759] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
  407. [728:59270] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
  408. [0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 20:21 -m comment --comment "!fw3: Ftp-Rule1" -j DNAT --to-destination 10.0.0.100:20-21
  409. [0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 6900:7000 -m comment --comment "!fw3: Ftp-Rule2" -j DNAT --to-destination 10.0.0.100:6900-7000
  410. [726:59170] -A zone_wan_prerouting -j MINIUPNPD
  411. COMMIT
  412. # Completed on Tue Mar 23 20:11:48 2021
  413. # Generated by iptables-save v1.6.2 on Tue Mar 23 20:11:48 2021
  414. *mangle
  415. :PREROUTING ACCEPT [3601689:2587321999]
  416. :INPUT ACCEPT [1055584:166748171]
  417. :FORWARD ACCEPT [2545292:2420279840]
  418. :OUTPUT ACCEPT [2792625:2353232833]
  419. :POSTROUTING ACCEPT [5337851:4773509673]
  420. :VPR_MARK0x010000 - [0:0]
  421. :VPR_MARK0x020000 - [0:0]
  422. :VPR_MARK0x030000 - [0:0]
  423. :VPR_MARK0x040000 - [0:0]
  424. :VPR_PREROUTING - [0:0]
  425. [3601866:2587358446] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
  426. [4824:254528] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  427. [1979:102812] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  428. [0:0] -A FORWARD -o tun1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone pia MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  429. [0:0] -A FORWARD -i tun1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone pia MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  430. [15771:946260] -A FORWARD -o TEST_WG_PIA -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone TEST_PIA_WG MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  431. [10347:615900] -A FORWARD -i TEST_WG_PIA -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone TEST_PIA_WG MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  432. [0:0] -A VPR_MARK0x010000 -j MARK --set-xmark 0x10000/0xff0000
  433. [0:0] -A VPR_MARK0x010000 -j RETURN
  434. [0:0] -A VPR_MARK0x020000 -j MARK --set-xmark 0x20000/0xff0000
  435. [0:0] -A VPR_MARK0x020000 -j RETURN
  436. [0:0] -A VPR_MARK0x030000 -j MARK --set-xmark 0x30000/0xff0000
  437. [0:0] -A VPR_MARK0x030000 -j RETURN
  438. [1382987:2126917456] -A VPR_MARK0x040000 -j MARK --set-xmark 0x40000/0xff0000
  439. [1382987:2126917456] -A VPR_MARK0x040000 -j RETURN
  440. [0:0] -A VPR_PREROUTING -m set --match-set TEST_WG_PIA dst -g VPR_MARK0x040000
  441. [0:0] -A VPR_PREROUTING -m set --match-set VPN_SERVER dst -g VPR_MARK0x030000
  442. [0:0] -A VPR_PREROUTING -m set --match-set PIA_VPN dst -g VPR_MARK0x020000
  443. [0:0] -A VPR_PREROUTING -m set --match-set wan dst -g VPR_MARK0x010000
  444. [0:0] -A VPR_PREROUTING -d 10.8.0.0/24 -m comment --comment Ignore_Local_Requests_by_Destination -j RETURN
  445. [0:0] -A VPR_PREROUTING -s 10.0.0.100/32 -p tcp -m multiport --sports 20:21 -m comment --comment Ftp-Rule1 -g VPR_MARK0x010000
  446. [0:0] -A VPR_PREROUTING -s 10.0.0.100/32 -p udp -m multiport --sports 20:21 -m comment --comment Ftp-Rule1 -g VPR_MARK0x010000
  447. [0:0] -A VPR_PREROUTING -s 10.0.0.100/32 -p tcp -m multiport --sports 6900:7000 -m comment --comment Ftp-Rule2 -g VPR_MARK0x010000
  448. [0:0] -A VPR_PREROUTING -s 10.0.0.100/32 -p udp -m multiport --sports 6900:7000 -m comment --comment Ftp-Rule2 -g VPR_MARK0x010000
  449. [200499:441116785] -A VPR_PREROUTING -s 10.0.0.100/32 -p tcp -m comment --comment Nas -g VPR_MARK0x040000
  450. [1182488:1685800671] -A VPR_PREROUTING -s 10.0.0.100/32 -p udp -m comment --comment Nas -g VPR_MARK0x040000
  451. COMMIT
  452. # Completed on Tue Mar 23 20:11:48 2021
  453. # Generated by iptables-save v1.6.2 on Tue Mar 23 20:11:48 2021
  454. *filter
  455. :INPUT ACCEPT [1:44]
  456. :FORWARD ACCEPT [0:0]
  457. :OUTPUT ACCEPT [0:0]
  458. :MINIUPNPD - [0:0]
  459. :forwarding_TEST_PIA_WG_rule - [0:0]
  460. :forwarding_lan_rule - [0:0]
  461. :forwarding_pia_rule - [0:0]
  462. :forwarding_rule - [0:0]
  463. :forwarding_wan_rule - [0:0]
  464. :input_TEST_PIA_WG_rule - [0:0]
  465. :input_lan_rule - [0:0]
  466. :input_pia_rule - [0:0]
  467. :input_rule - [0:0]
  468. :input_wan_rule - [0:0]
  469. :output_TEST_PIA_WG_rule - [0:0]
  470. :output_lan_rule - [0:0]
  471. :output_pia_rule - [0:0]
  472. :output_rule - [0:0]
  473. :output_wan_rule - [0:0]
  474. :reject - [0:0]
  475. :syn_flood - [0:0]
  476. :zone_TEST_PIA_WG_dest_ACCEPT - [0:0]
  477. :zone_TEST_PIA_WG_dest_REJECT - [0:0]
  478. :zone_TEST_PIA_WG_forward - [0:0]
  479. :zone_TEST_PIA_WG_input - [0:0]
  480. :zone_TEST_PIA_WG_output - [0:0]
  481. :zone_TEST_PIA_WG_src_REJECT - [0:0]
  482. :zone_lan_dest_ACCEPT - [0:0]
  483. :zone_lan_forward - [0:0]
  484. :zone_lan_input - [0:0]
  485. :zone_lan_output - [0:0]
  486. :zone_lan_src_ACCEPT - [0:0]
  487. :zone_pia_dest_ACCEPT - [0:0]
  488. :zone_pia_dest_REJECT - [0:0]
  489. :zone_pia_forward - [0:0]
  490. :zone_pia_input - [0:0]
  491. :zone_pia_output - [0:0]
  492. :zone_pia_src_REJECT - [0:0]
  493. :zone_wan_dest_ACCEPT - [0:0]
  494. :zone_wan_dest_REJECT - [0:0]
  495. :zone_wan_forward - [0:0]
  496. :zone_wan_input - [0:0]
  497. :zone_wan_output - [0:0]
  498. :zone_wan_src_REJECT - [0:0]
  499. [8118:670506] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
  500. [1047626:166104897] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
  501. [1041285:165424312] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  502. [668:34452] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
  503. [0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
  504. [5574:618651] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
  505. [757:61422] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
  506. [0:0] -A INPUT -i tun1 -m comment --comment "!fw3" -j zone_pia_input
  507. [9:468] -A INPUT -i TEST_WG_PIA -m comment --comment "!fw3" -j zone_TEST_PIA_WG_input
  508. [0:0] -A FORWARD -d 10.0.0.100/32 -i TEST_WG_PIA -p tcp -m tcp --dport 51128 -j ACCEPT
  509. [795859:44717344] -A FORWARD -d 10.0.0.100/32 -i TEST_WG_PIA -p udp -m udp --dport 51128 -j ACCEPT
  510. [1749570:2375596283] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
  511. [1703191:2371107831] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  512. [0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
  513. [46379:4488452] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
  514. [0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
  515. [0:0] -A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_pia_forward
  516. [0:0] -A FORWARD -i TEST_WG_PIA -m comment --comment "!fw3" -j zone_TEST_PIA_WG_forward
  517. [8118:670506] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
  518. [2784661:2352582989] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
  519. [2766832:2349931837] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  520. [0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
  521. [3545:1690911] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
  522. [14038:939937] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
  523. [0:0] -A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_pia_output
  524. [246:20304] -A OUTPUT -o TEST_WG_PIA -m comment --comment "!fw3" -j zone_TEST_PIA_WG_output
  525. [0:0] -A MINIUPNPD -d 10.0.0.100/32 -p tcp -m tcp --dport 51128 -j ACCEPT
  526. [0:0] -A MINIUPNPD -d 10.0.0.100/32 -p udp -m udp --dport 51128 -j ACCEPT
  527. [527:49630] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
  528. [236:12166] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
  529. [668:34452] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
  530. [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
  # Zone TEST_PIA_WG (interface TEST_WG_PIA).
  # dest_ACCEPT: traffic leaving through the tunnel. Packets conntrack marks
  # INVALID are dropped first (18 so far), then everything else is accepted.
  531. [18:936] -A zone_TEST_PIA_WG_dest_ACCEPT -o TEST_WG_PIA -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  532. [34579:3269970] -A zone_TEST_PIA_WG_dest_ACCEPT -o TEST_WG_PIA -m comment --comment "!fw3" -j ACCEPT
  533. [0:0] -A zone_TEST_PIA_WG_dest_REJECT -o TEST_WG_PIA -m comment --comment "!fw3" -j reject
  # forward: packets arriving from the tunnel. Only DNAT-ed (port-forwarded)
  # flows are accepted here; there is no jump to another zone's dest_ACCEPT,
  # so this chain forwards nothing from the tunnel towards lan or wan.
  534. [0:0] -A zone_TEST_PIA_WG_forward -m comment --comment "!fw3: Custom TEST_PIA_WG forwarding rule chain" -j forwarding_TEST_PIA_WG_rule
  535. [0:0] -A zone_TEST_PIA_WG_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  536. [0:0] -A zone_TEST_PIA_WG_forward -m comment --comment "!fw3" -j zone_TEST_PIA_WG_dest_REJECT
  # input: packets from the tunnel addressed to the router. Apart from the
  # custom chain and DNAT redirections everything is rejected; the 9 packets
  # counted here all ended in src_REJECT.
  537. [9:468] -A zone_TEST_PIA_WG_input -m comment --comment "!fw3: Custom TEST_PIA_WG input rule chain" -j input_TEST_PIA_WG_rule
  538. [0:0] -A zone_TEST_PIA_WG_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  539. [9:468] -A zone_TEST_PIA_WG_input -m comment --comment "!fw3" -j zone_TEST_PIA_WG_src_REJECT
  # output: router-originated packets leaving via the tunnel are accepted.
  540. [246:20304] -A zone_TEST_PIA_WG_output -m comment --comment "!fw3: Custom TEST_PIA_WG output rule chain" -j output_TEST_PIA_WG_rule
  541. [246:20304] -A zone_TEST_PIA_WG_output -m comment --comment "!fw3" -j zone_TEST_PIA_WG_dest_ACCEPT
  542. [9:468] -A zone_TEST_PIA_WG_src_REJECT -i TEST_WG_PIA -m comment --comment "!fw3" -j reject
  # Zone lan (interfaces tun0 and br-lan).
  # dest_ACCEPT: anything leaving towards tun0 or br-lan is accepted.
  543. [0:0] -A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
  544. [3545:1690911] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
  545. [46379:4488452] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
  # Port 853 (TCP and UDP) from LAN clients is rejected by rules that
  # simple-adblock registered over ubus. Other ports, 443 included, are not
  # matched by these two rules.
  546. [0:0] -A zone_lan_forward -p tcp -m tcp --dport 853 -m comment --comment "!fw3: ubus:simple-adblock[main] rule 1" -j reject
  547. [0:0] -A zone_lan_forward -p udp -m udp --dport 853 -m comment --comment "!fw3: ubus:simple-adblock[main] rule 1" -j reject
  # Forwarding policies, tried in order: lan->wan, lan->pia, lan->TEST_PIA_WG.
  # Each dest_ACCEPT chain matches only on the egress interface, so which way a
  # flow leaves is decided by routing, not by this firewall. 46379 packets
  # reached the wan jump and 34351 the next one; the other 12028 were handled
  # inside zone_wan_dest_ACCEPT (egress eth0.2).
  # NOTE(review): if the VPN zones are meant to be the only way out for LAN
  # clients, the lan->wan policy is what permits a fallback to eth0.2 whenever
  # routing points there (e.g. tunnel down) - confirm against the intended design.
  548. [46379:4488452] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
  549. [34351:3250602] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to pia forwarding policy" -j zone_pia_dest_ACCEPT
  550. [34351:3250602] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to TEST_PIA_WG forwarding policy" -j zone_TEST_PIA_WG_dest_ACCEPT
  551. [0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  552. [0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  # input: packets from the lan zone addressed to the router itself.
  553. [5574:618651] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
  554. [154:9599] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  555. [5420:609052] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
  556. [3545:1690911] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
  557. [3545:1690911] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  # src_ACCEPT: new or untracked connections to the router are accepted from
  # tun0 exactly as from br-lan, so peers on tun0 get the same access to router
  # services as wired/wireless LAN hosts.
  558. [0:0] -A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  559. [5420:609052] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  # Zone pia (interface tun1). Same shape as the TEST_PIA_WG zone: egress is
  # accepted after dropping INVALID packets, while input and forward from the
  # tunnel are rejected unless DNAT-ed.
  # Every counter in this zone is zero in this capture, i.e. no packet has
  # matched on tun1 since the counters were last reset.
  560. [0:0] -A zone_pia_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  561. [0:0] -A zone_pia_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
  562. [0:0] -A zone_pia_dest_REJECT -o tun1 -m comment --comment "!fw3" -j reject
  563. [0:0] -A zone_pia_forward -m comment --comment "!fw3: Custom pia forwarding rule chain" -j forwarding_pia_rule
  564. [0:0] -A zone_pia_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  565. [0:0] -A zone_pia_forward -m comment --comment "!fw3" -j zone_pia_dest_REJECT
  566. [0:0] -A zone_pia_input -m comment --comment "!fw3: Custom pia input rule chain" -j input_pia_rule
  567. [0:0] -A zone_pia_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  568. [0:0] -A zone_pia_input -m comment --comment "!fw3" -j zone_pia_src_REJECT
  569. [0:0] -A zone_pia_output -m comment --comment "!fw3: Custom pia output rule chain" -j output_pia_rule
  570. [0:0] -A zone_pia_output -m comment --comment "!fw3" -j zone_pia_dest_ACCEPT
  571. [0:0] -A zone_pia_src_REJECT -i tun1 -m comment --comment "!fw3" -j reject
  # Zone wan (interface eth0.2).
  # dest_ACCEPT: egress to the WAN; INVALID packets are dropped (56 so far),
  # the rest is accepted.
  572. [56:2420] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  573. [26010:2175367] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
  574. [0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
  # forward: packets arriving from the WAN for other hosts.
  575. [0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
  # ESP and UDP/500 from the WAN are handed to zone_lan_dest_ACCEPT with no
  # destination restriction in these rules.
  # NOTE(review): both counters are zero; if no IPsec endpoint sits behind this
  # router, removing the two rules shrinks the WAN-facing surface.
  576. [0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
  577. [0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
  578. [0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  # The MINIUPNPD chain is consulted before the final reject, so any rule
  # present there becomes an inbound WAN-to-LAN opening.
  579. [0:0] -A zone_wan_forward -j MINIUPNPD
  580. [0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
  # input: packets from the WAN addressed to the router. Accepted: UDP/68
  # (DHCP renew), ICMP echo-request, IGMP, UDP/1194 (OpenVPN) and DNAT
  # redirections; everything else goes to zone_wan_src_REJECT. Of 757 packets
  # seen, 754 were rejected.
  581. [757:61422] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
  582. [0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  583. [2:66] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  584. [0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
  # NOTE(review): UDP/1194 is open to any WAN source address; what protects the
  # listening service is its own authentication, not this rule - verify.
  585. [1:28] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
  586. [0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  587. [754:61328] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
  # output: router-originated packets leaving via the WAN are accepted.
  588. [14038:939937] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
  589. [14038:939937] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
  590. [754:61328] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
  591. COMMIT
  592. # Completed on Tue Mar 23 20:11:48 2021
  593. root@OpenWrt:~#
  594.  