- uci show firewall; iptables-save -c; ip6tables-save -c
- # NOTE(review): annotated dump -- the fw3 ruleset generated from this config follows it.
- # The comments flag the settings that open this router up well beyond the usual
- # OpenWrt defaults (defaults section: input ACCEPT / output ACCEPT / forward REJECT;
- # wan zone: input REJECT / forward REJECT).
- firewall.@defaults[0]=defaults
- firewall.@defaults[0].input='ACCEPT'
- firewall.@defaults[0].output='ACCEPT'
- firewall.@defaults[0].synflood_protect='1'
- # FIXME(review): forward='ACCEPT' becomes the FORWARD chain policy in both the iptables
- # and ip6tables filter tables (":FORWARD ACCEPT" below). A forwarded packet that walks
- # its zone_*_forward chain without hitting a verdict is then passed, not rejected --
- # that is what lets guest->lan and (IPv6) wan->lan traffic through. Set it to 'REJECT'.
- firewall.@defaults[0].forward='ACCEPT'
- firewall.@zone[0]=zone
- firewall.@zone[0].name='lan'
- firewall.@zone[0].input='ACCEPT'
- firewall.@zone[0].output='ACCEPT'
- firewall.@zone[0].forward='ACCEPT'
- firewall.@zone[0].network='lan'
- firewall.@zone[1]=zone
- firewall.@zone[1].name='wan'
- firewall.@zone[1].output='ACCEPT'
- firewall.@zone[1].masq='1'
- firewall.@zone[1].mtu_fix='1'
- # NOTE(review): wlan0 sits in this zone (the 'wwan' network, judging by the interface
- # names in the dump) and carries almost all of the wan counters while eth0.2 is idle,
- # i.e. the upstream is an untrusted Wi-Fi uplink.
- firewall.@zone[1].network='wan' 'wan6' 'wwan'
- # FIXME(review): input='ACCEPT' lets the upstream side open connections to every port the
- # router listens on: the generated zone_wan_src_ACCEPT chain accepts any ctstate NEW
- # packet from eth0.2/wlan0 with no port match, and already shows 77 packets accepted
- # on wlan0. The Allow-Ping / Allow-DHCP-Renew / ... rules below are only a whitelist
- # when this is 'REJECT'. forward='ACCEPT' additionally allows forwarding between the
- # wan member interfaces. Recommended: input='REJECT', forward='REJECT'.
- firewall.@zone[1].input='ACCEPT'
- firewall.@zone[1].forward='ACCEPT'
- firewall.@forwarding[0]=forwarding
- firewall.@forwarding[0].src='lan'
- firewall.@forwarding[0].dest='wan'
- firewall.@rule[0]=rule
- firewall.@rule[0].name='Allow-DHCP-Renew'
- firewall.@rule[0].src='wan'
- firewall.@rule[0].proto='udp'
- firewall.@rule[0].dest_port='68'
- firewall.@rule[0].target='ACCEPT'
- firewall.@rule[0].family='ipv4'
- firewall.@rule[1]=rule
- firewall.@rule[1].name='Allow-Ping'
- firewall.@rule[1].src='wan'
- firewall.@rule[1].proto='icmp'
- firewall.@rule[1].icmp_type='echo-request'
- firewall.@rule[1].family='ipv4'
- firewall.@rule[1].target='ACCEPT'
- firewall.@rule[2]=rule
- firewall.@rule[2].name='Allow-IGMP'
- firewall.@rule[2].src='wan'
- firewall.@rule[2].proto='igmp'
- firewall.@rule[2].family='ipv4'
- firewall.@rule[2].target='ACCEPT'
- firewall.@rule[3]=rule
- firewall.@rule[3].name='Allow-DHCPv6'
- firewall.@rule[3].src='wan'
- firewall.@rule[3].proto='udp'
- firewall.@rule[3].src_ip='fc00::/6'
- firewall.@rule[3].dest_ip='fc00::/6'
- firewall.@rule[3].dest_port='546'
- firewall.@rule[3].family='ipv6'
- firewall.@rule[3].target='ACCEPT'
- firewall.@rule[4]=rule
- firewall.@rule[4].name='Allow-MLD'
- firewall.@rule[4].src='wan'
- firewall.@rule[4].proto='icmp'
- firewall.@rule[4].src_ip='fe80::/10'
- firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
- firewall.@rule[4].family='ipv6'
- firewall.@rule[4].target='ACCEPT'
- firewall.@rule[5]=rule
- firewall.@rule[5].name='Allow-ICMPv6-Input'
- firewall.@rule[5].src='wan'
- firewall.@rule[5].proto='icmp'
- firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
- firewall.@rule[5].limit='1000/sec'
- firewall.@rule[5].family='ipv6'
- firewall.@rule[5].target='ACCEPT'
- firewall.@rule[6]=rule
- firewall.@rule[6].name='Allow-ICMPv6-Forward'
- firewall.@rule[6].src='wan'
- firewall.@rule[6].dest='*'
- firewall.@rule[6].proto='icmp'
- firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
- firewall.@rule[6].limit='1000/sec'
- firewall.@rule[6].family='ipv6'
- firewall.@rule[6].target='ACCEPT'
- firewall.@rule[7]=rule
- firewall.@rule[7].name='Allow-IPSec-ESP'
- firewall.@rule[7].src='wan'
- firewall.@rule[7].dest='lan'
- firewall.@rule[7].proto='esp'
- firewall.@rule[7].target='ACCEPT'
- firewall.@rule[8]=rule
- firewall.@rule[8].name='Allow-ISAKMP'
- firewall.@rule[8].src='wan'
- firewall.@rule[8].dest='lan'
- firewall.@rule[8].dest_port='500'
- firewall.@rule[8].proto='udp'
- firewall.@rule[8].target='ACCEPT'
- firewall.@rule[9]=rule
- firewall.@rule[9].name='Support-UDP-Traceroute'
- firewall.@rule[9].src='wan'
- firewall.@rule[9].dest_port='33434:33689'
- firewall.@rule[9].proto='udp'
- firewall.@rule[9].family='ipv4'
- firewall.@rule[9].target='REJECT'
- firewall.@rule[9].enabled='0'
- # NOTE(review): the two include scripts (/etc/firewall.user, /etc/firewall.nat6) are not
- # part of this dump; whatever they add only shows up in the iptables-save output. There,
- # the custom *_rule chains they would normally feed are all empty, every rule carries a
- # "!fw3" comment, and the ip6tables nat table has no masquerade -- so at dump time
- # neither script contributed any rule. Re-check after editing them.
- firewall.@include[0]=include
- firewall.@include[0].path='/etc/firewall.user'
- # NOTE(review): DNATs LAN HTTP (port 80 only, not 443) to 192.168.1.1:8888. Judging by the
- # src_dip exclusion, 192.168.1.1 is the router itself, so this is effectively a REDIRECT
- # and dest='guest' has no visible effect in the generated rule ("Transparent Proxy
- # Redirect" in the nat table, 0 hits at dump time). Whatever listens on 8888 is also
- # reachable directly from lan and, with wan input='ACCEPT', from the upstream side --
- # confirm it binds to the LAN address only.
- firewall.@redirect[0]=redirect
- firewall.@redirect[0].target='DNAT'
- firewall.@redirect[0].name='Transparent Proxy Redirect'
- firewall.@redirect[0].src='lan'
- firewall.@redirect[0].proto='tcp'
- firewall.@redirect[0].dest_port='8888'
- firewall.@redirect[0].src_dport='80'
- firewall.@redirect[0].src_dip='!192.168.1.1'
- firewall.@redirect[0].dest='guest'
- firewall.@redirect[0].dest_ip='192.168.1.1'
- firewall.nat6=include
- firewall.nat6.path='/etc/firewall.nat6'
- firewall.nat6.reload='1'
- # NOTE(review): the doh/doh6 sets are declared without any 'entry' (or loadfile), and
- # nothing in this dump populates them. Unless a resolver fills them at runtime (e.g.
- # dnsmasq ipset= directives -- not visible here), the Deny-DoH rules match nothing;
- # both show 0 hits in the filter table. Verify with `ipset list doh`. Deny-DoT (tcp/udp
- # 853) needs no set and sits before the lan->wan accept, as intended. All three apply
- # to lan only; the guest zone has no equivalent.
- firewall.doh=ipset
- firewall.doh.name='doh'
- firewall.doh.family='ipv4'
- firewall.doh.storage='hash'
- firewall.doh.match='ip'
- firewall.doh6=ipset
- firewall.doh6.name='doh6'
- firewall.doh6.family='ipv6'
- firewall.doh6.storage='hash'
- firewall.doh6.match='ip'
- firewall.doh_fwd=rule
- firewall.doh_fwd.name='Deny-DoH'
- firewall.doh_fwd.src='lan'
- firewall.doh_fwd.dest='wan'
- firewall.doh_fwd.dest_port='443'
- firewall.doh_fwd.proto='tcp udp'
- firewall.doh_fwd.family='ipv4'
- firewall.doh_fwd.ipset='doh dest'
- firewall.doh_fwd.target='REJECT'
- firewall.doh6_fwd=rule
- firewall.doh6_fwd.name='Deny-DoH'
- firewall.doh6_fwd.src='lan'
- firewall.doh6_fwd.dest='wan'
- firewall.doh6_fwd.dest_port='443'
- firewall.doh6_fwd.proto='tcp udp'
- firewall.doh6_fwd.family='ipv6'
- firewall.doh6_fwd.ipset='doh6 dest'
- firewall.doh6_fwd.target='REJECT'
- firewall.dot_fwd=rule
- firewall.dot_fwd.name='Deny-DoT'
- firewall.dot_fwd.src='lan'
- firewall.dot_fwd.dest='wan'
- firewall.dot_fwd.dest_port='853'
- firewall.dot_fwd.proto='tcp udp'
- firewall.dot_fwd.target='REJECT'
- # NOTE(review): hairpin NAT toward 192.168.1.96:53 (presumably a resolver on the LAN).
- # The generated rule is keyed on the outgoing interface only (-o br-lan -d 192.168.1.96
- # --dport 53, no source match), so it also masquerades forwarded traffic from other
- # zones to that host whenever the FORWARD policy lets it through; 12 UDP hits at dump
- # time.
- firewall.dns_masq=nat
- firewall.dns_masq.name='Masquerade-DNS'
- firewall.dns_masq.src='lan'
- firewall.dns_masq.dest_ip='192.168.1.96'
- firewall.dns_masq.dest_port='53'
- firewall.dns_masq.proto='tcp udp'
- firewall.dns_masq.target='MASQUERADE'
- firewall.guest=zone
- firewall.guest.name='guest'
- firewall.guest.network='guest'
- firewall.guest.output='ACCEPT'
- # FIXME(review): input='ACCEPT' lets guest clients open connections to any service on the
- # router (151 NEW packets accepted via zone_guest_src_ACCEPT at dump time), which makes
- # Allow-DNS-Guest / Allow-DHCP-Guest / Allow-IGMP-Guest pointless -- set it to 'REJECT'
- # so those rules become the whitelist. There is no guest->lan forwarding section, but
- # the generated zone_guest_forward chain only accepts toward wan and br-guest and then
- # returns, and the FORWARD policy (defaults forward='ACCEPT') passes everything else:
- # guest hosts can reach the LAN. Fix the default, or add an explicit guest->lan REJECT.
- firewall.guest.input='ACCEPT'
- firewall.guest.forward='ACCEPT'
- firewall.guest_wan=forwarding
- firewall.guest_wan.src='guest'
- firewall.guest_wan.dest='wan'
- firewall.guest_wan.enabled='1'
- firewall.guest_dns=rule
- firewall.guest_dns.name='Allow-DNS-Guest'
- firewall.guest_dns.src='guest'
- firewall.guest_dns.dest_port='53'
- firewall.guest_dns.proto='tcp udp'
- firewall.guest_dns.target='ACCEPT'
- firewall.guest_dhcp=rule
- firewall.guest_dhcp.name='Allow-DHCP-Guest'
- firewall.guest_dhcp.src='guest'
- firewall.guest_dhcp.dest_port='67'
- firewall.guest_dhcp.proto='udp'
- firewall.guest_dhcp.family='ipv4'
- firewall.guest_dhcp.target='ACCEPT'
- # FIXME(review): two ipset sections ('tor' here and 'proxy' further down) both declare
- # name='tor' (likewise 'tor6' / 'proxy6') with different nomatch exclusions
- # (192.168.2.1/24 vs 192.168.1.1/24). Which entries end up in the kernel set is not
- # visible in this dump -- check with `ipset list tor` -- but one of the two exclusion
- # lists is certainly not in effect. Give the second pair distinct names (e.g. 'proxy',
- # 'proxy6') so that proxy_int below can actually reference them.
- firewall.tor=ipset
- firewall.tor.name='tor'
- firewall.tor.family='ipv4'
- firewall.tor.storage='hash'
- firewall.tor.match='net'
- firewall.tor.entry='127.0.0.0/8 nomatch' '192.168.2.1/24 nomatch' '0.0.0.0/1' '128.0.0.0/1'
- firewall.tor6=ipset
- firewall.tor6.name='tor6'
- firewall.tor6.family='ipv6'
- firewall.tor6.storage='hash'
- firewall.tor6.match='net'
- # FIXME(review): the third entry (' nomatch') has no prefix -- a leftover from a deleted
- # exclusion; remove it or put the intended prefix back.
- firewall.tor6.entry='::1/128 nomatch' 'fe80::/10 nomatch' ' nomatch' '::/1' '8000::/1'
- # NOTE(review): only TCP SYNs from guest are redirected to local port 9040 (presumably a
- # Tor TransPort -- confirm); 359 SYNs redirected so far per the nat table. UDP and ICMP
- # from guest are not intercepted and leave through the guest->wan forwarding with
- # masquerade, so if the intent is "guest traffic only over Tor" this does not enforce
- # it. Guest DNS goes to the router's port 53 via Allow-DNS-Guest, not through Tor.
- firewall.tcp_int=redirect
- firewall.tcp_int.name='Intercept-TCP'
- firewall.tcp_int.src='guest'
- firewall.tcp_int.dest_port='9040'
- firewall.tcp_int.proto='tcp'
- firewall.tcp_int.extra='--syn'
- firewall.tcp_int.ipset='tor dest'
- firewall.tcp_int.target='DNAT'
- firewall.@rule[15]=rule
- firewall.@rule[15].name='Allow-IGMP-Guest'
- firewall.@rule[15].src='guest'
- firewall.@rule[15].target='ACCEPT'
- firewall.@rule[15].proto='igmp'
- firewall.@rule[15].family='ipv4'
- # NOTE(review): UPnP lets LAN/guest clients request inbound port forwards on their own,
- # which matters with an untrusted upstream. No MINIUPNPD chain appears in the
- # iptables-save output, so the daemon had not installed any rules at dump time. Keep
- # it disabled unless something on the LAN actually needs it.
- firewall.miniupnpd=include
- firewall.miniupnpd.type='script'
- firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
- firewall.miniupnpd.family='any'
- firewall.miniupnpd.reload='1'
- firewall.proxy=ipset
- firewall.proxy.name='tor'
- firewall.proxy.family='ipv4'
- firewall.proxy.storage='hash'
- firewall.proxy.match='net'
- firewall.proxy.entry='127.0.0.0/8 nomatch' '192.168.1.1/24 nomatch' '0.0.0.0/1' '128.0.0.0/1'
- firewall.proxy6=ipset
- firewall.proxy6.name='tor6'
- firewall.proxy6.family='ipv6'
- firewall.proxy6.storage='hash'
- firewall.proxy6.match='net'
- firewall.proxy6.entry='::1/128 nomatch' 'fe80::/10 nomatch' 'fdb2:4498:a235::1/60 nomatch' '::/1' '8000::/1'
- # FIXME(review): ipset='proxy dest' names a set called 'proxy', but no ipset section
- # declares that name (the section called proxy has name='tor'). The iptables-save
- # output contains no "Proxy-Intercept" rule at all, consistent with fw3 dropping a rule
- # whose ipset it cannot resolve -- LAN TCP is NOT being redirected to 8888 by this
- # section, and because the interception fails open nobody noticed. Fix the set name
- # (see the note on the tor set above) and verify with
- # `iptables -t nat -S zone_lan_prerouting`.
- firewall.proxy_int=redirect
- firewall.proxy_int.name='Proxy-Intercept'
- firewall.proxy_int.src='lan'
- firewall.proxy_int.dest_port='8888'
- firewall.proxy_int.proto='tcp'
- firewall.proxy_int.ipset='proxy dest'
- firewall.proxy_int.target='DNAT'
- # Generated by iptables-save v1.8.7 on Thu Sep 16 17:00:16 2021
- *nat
- :PREROUTING ACCEPT [476:77626]
- :INPUT ACCEPT [582:36421]
- :OUTPUT ACCEPT [161:16152]
- :POSTROUTING ACCEPT [140:12022]
- :postrouting_guest_rule - [0:0]
- :postrouting_lan_rule - [0:0]
- :postrouting_rule - [0:0]
- :postrouting_wan_rule - [0:0]
- :prerouting_guest_rule - [0:0]
- :prerouting_lan_rule - [0:0]
- :prerouting_rule - [0:0]
- :prerouting_wan_rule - [0:0]
- :zone_guest_postrouting - [0:0]
- :zone_guest_prerouting - [0:0]
- :zone_lan_postrouting - [0:0]
- :zone_lan_prerouting - [0:0]
- :zone_wan_postrouting - [0:0]
- :zone_wan_prerouting - [0:0]
- [835:96342] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
- [5:266] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
- [0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
- [302:63378] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
- [528:32698] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
- [175:16184] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
- [12:827] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
- [0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
- [25:4955] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
- [6:1192] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
- [6:1192] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
- [528:32698] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
- [359:18716] -A zone_guest_prerouting -p tcp -m set --match-set tor dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
- [12:827] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
- [0:0] -A zone_lan_postrouting -d 192.168.1.96/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Masquerade-DNS" -j MASQUERADE
- [12:827] -A zone_lan_postrouting -d 192.168.1.96/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: Masquerade-DNS" -j MASQUERADE
- [5:266] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
- [0:0] -A zone_lan_prerouting ! -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Transparent Proxy Redirect" -j DNAT --to-destination 192.168.1.1:8888
- [25:4955] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
- [25:4955] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
- [302:63378] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
- COMMIT
- # Completed on Thu Sep 16 17:00:16 2021
- # Generated by iptables-save v1.8.7 on Thu Sep 16 17:00:16 2021
- *mangle
- :PREROUTING ACCEPT [5256:1134084]
- :INPUT ACCEPT [4416:940486]
- :FORWARD ACCEPT [616:136005]
- :OUTPUT ACCEPT [4053:1591340]
- :POSTROUTING ACCEPT [4632:1725505]
- [0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [1:60] -A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [3:180] -A FORWARD -i wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- COMMIT
- # Completed on Thu Sep 16 17:00:16 2021
- # Generated by iptables-save v1.8.7 on Thu Sep 16 17:00:16 2021
- *filter
- :INPUT ACCEPT [12:564]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- # NOTE(review): these policies come from firewall.@defaults[0]. With FORWARD at ACCEPT a
- # packet that leaves zone_guest_forward or zone_wan_forward without a verdict is
- # forwarded; the [0:0] only says no packet has taken that path yet. Separately, the wan
- # zone's input='ACCEPT' makes zone_wan_input end in zone_wan_src_ACCEPT, which accepts
- # every NEW connection from eth0.2/wlan0 (77 hits on wlan0 below).
- :forwarding_guest_rule - [0:0]
- :forwarding_lan_rule - [0:0]
- :forwarding_rule - [0:0]
- :forwarding_wan_rule - [0:0]
- :input_guest_rule - [0:0]
- :input_lan_rule - [0:0]
- :input_rule - [0:0]
- :input_wan_rule - [0:0]
- :output_guest_rule - [0:0]
- :output_lan_rule - [0:0]
- :output_rule - [0:0]
- :output_wan_rule - [0:0]
- :reject - [0:0]
- :syn_flood - [0:0]
- :zone_guest_dest_ACCEPT - [0:0]
- :zone_guest_forward - [0:0]
- :zone_guest_input - [0:0]
- :zone_guest_output - [0:0]
- :zone_guest_src_ACCEPT - [0:0]
- :zone_lan_dest_ACCEPT - [0:0]
- :zone_lan_forward - [0:0]
- :zone_lan_input - [0:0]
- :zone_lan_output - [0:0]
- :zone_lan_src_ACCEPT - [0:0]
- :zone_wan_dest_ACCEPT - [0:0]
- :zone_wan_dest_REJECT - [0:0]
- :zone_wan_forward - [0:0]
- :zone_wan_input - [0:0]
- :zone_wan_output - [0:0]
- :zone_wan_src_ACCEPT - [0:0]
- [1127:461626] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
- [3337:483216] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
- [2719:434463] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [491:25580] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
- [0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
- [0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
- [86:6181] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
- [519:41896] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
- [616:136005] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
- [595:133768] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [7:482] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
- [0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
- [0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
- [14:1755] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
- [1127:461626] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
- [2975:1135826] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
- [2898:1123691] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [17:1160] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
- [0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
- [48:8083] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
- [12:2892] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
- [0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
- [0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
- [478:24904] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
- [13:676] -A syn_flood -m comment --comment "!fw3" -j DROP
- [12:2892] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
- [14:1755] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
- [14:1755] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
- [0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
- [519:41896] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
- [0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
- [16:1090] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
- [0:0] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
- [0:0] -A zone_guest_input -p igmp -m comment --comment "!fw3: Allow-IGMP-Guest" -j ACCEPT
- [347:18092] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [156:22714] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_ACCEPT
- [12:2892] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
- [12:2892] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
- [151:22514] -A zone_guest_src_ACCEPT -i br-guest -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [17:1160] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
- [7:482] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
- [0:0] -A zone_lan_forward -p tcp -m tcp --dport 443 -m set --match-set doh dst -m comment --comment "!fw3: Deny-DoH" -j zone_wan_dest_REJECT
- [0:0] -A zone_lan_forward -p udp -m udp --dport 443 -m set --match-set doh dst -m comment --comment "!fw3: Deny-DoH" -j zone_wan_dest_REJECT
- [0:0] -A zone_lan_forward -p tcp -m tcp --dport 853 -m comment --comment "!fw3: Deny-DoT" -j zone_wan_dest_REJECT
- [0:0] -A zone_lan_forward -p udp -m udp --dport 853 -m comment --comment "!fw3: Deny-DoT" -j zone_wan_dest_REJECT
- [7:482] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
- [0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
- [0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
- [17:1160] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
- [17:1160] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
- [37:1840] -A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [32:8480] -A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_wan_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
- [0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- [0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- [86:6181] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
- [0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- [0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- [2:64] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
- [0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- [84:6117] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
- [48:8083] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
- [48:8083] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- [0:0] -A zone_wan_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [77:5753] -A zone_wan_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- COMMIT
- # Completed on Thu Sep 16 17:00:16 2021
- # Generated by ip6tables-save v1.8.7 on Thu Sep 16 17:00:16 2021
- *nat
- :PREROUTING ACCEPT [122:91881]
- :INPUT ACCEPT [0:0]
- :OUTPUT ACCEPT [137:12396]
- :POSTROUTING ACCEPT [137:12396]
- :postrouting_guest_rule - [0:0]
- :postrouting_lan_rule - [0:0]
- :postrouting_rule - [0:0]
- :postrouting_wan_rule - [0:0]
- :prerouting_guest_rule - [0:0]
- :prerouting_lan_rule - [0:0]
- :prerouting_rule - [0:0]
- :prerouting_wan_rule - [0:0]
- :zone_guest_postrouting - [0:0]
- :zone_guest_prerouting - [0:0]
- :zone_lan_postrouting - [0:0]
- :zone_lan_prerouting - [0:0]
- :zone_wan_postrouting - [0:0]
- :zone_wan_prerouting - [0:0]
- [122:91881] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
- [0:0] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
- [0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
- [66:31105] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
- [56:60776] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
- [137:12396] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
- [0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
- [2:296] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
- [0:0] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
- [0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
- [0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
- [56:60776] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
- [0:0] -A zone_guest_prerouting -p tcp -m set --match-set tor6 dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
- [0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
- [0:0] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
- [2:296] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
- [66:31105] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
- COMMIT
- # Completed on Thu Sep 16 17:00:16 2021
- # Generated by ip6tables-save v1.8.7 on Thu Sep 16 17:00:16 2021
- *mangle
- :PREROUTING ACCEPT [402:117017]
- :INPUT ACCEPT [276:24832]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [278:25128]
- :POSTROUTING ACCEPT [278:25128]
- [0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [0:0] -A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- [0:0] -A FORWARD -i wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- COMMIT
- # Completed on Thu Sep 16 17:00:16 2021
- # Generated by ip6tables-save v1.8.7 on Thu Sep 16 17:00:16 2021
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- # NOTE(review): same policies as the IPv4 table, but there is no NAT here. With FORWARD
- # at ACCEPT, zone_wan_forward only accepts toward the wan interfaces and then returns,
- # and the policy passes the rest -- so if the lan/guest networks carry a global IPv6
- # prefix (not visible in this dump), every host on them is reachable from the upstream
- # side. zone_wan_input likewise ends in zone_wan_src_ACCEPT (all NEW connections to the
- # router). Counters are zero, so no IPv6 arrived on wan at dump time, but the path is
- # open.
- :forwarding_guest_rule - [0:0]
- :forwarding_lan_rule - [0:0]
- :forwarding_rule - [0:0]
- :forwarding_wan_rule - [0:0]
- :input_guest_rule - [0:0]
- :input_lan_rule - [0:0]
- :input_rule - [0:0]
- :input_wan_rule - [0:0]
- :output_guest_rule - [0:0]
- :output_lan_rule - [0:0]
- :output_rule - [0:0]
- :output_wan_rule - [0:0]
- :reject - [0:0]
- :syn_flood - [0:0]
- :zone_guest_dest_ACCEPT - [0:0]
- :zone_guest_forward - [0:0]
- :zone_guest_input - [0:0]
- :zone_guest_output - [0:0]
- :zone_guest_src_ACCEPT - [0:0]
- :zone_lan_dest_ACCEPT - [0:0]
- :zone_lan_forward - [0:0]
- :zone_lan_input - [0:0]
- :zone_lan_output - [0:0]
- :zone_lan_src_ACCEPT - [0:0]
- :zone_wan_dest_ACCEPT - [0:0]
- :zone_wan_dest_REJECT - [0:0]
- :zone_wan_forward - [0:0]
- :zone_wan_input - [0:0]
- :zone_wan_output - [0:0]
- :zone_wan_src_ACCEPT - [0:0]
- [276:24832] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
- [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
- [0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
- [0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
- [0:0] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
- [0:0] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
- [0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
- [0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
- [0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
- [0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
- [0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
- [276:24832] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
- [2:296] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
- [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
- [2:296] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
- [0:0] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
- [0:0] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
- [0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
- [0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
- [0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
- [0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
- [0:0] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
- [0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
- [0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
- [0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
- [0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
- [0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
- [0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_ACCEPT
- [0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
- [0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
- [0:0] -A zone_guest_src_ACCEPT -i br-guest -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
- [0:0] -A zone_lan_forward -p tcp -m tcp --dport 443 -m set --match-set doh6 dst -m comment --comment "!fw3: Deny-DoH" -j zone_wan_dest_REJECT
- [0:0] -A zone_lan_forward -p udp -m udp --dport 443 -m set --match-set doh6 dst -m comment --comment "!fw3: Deny-DoH" -j zone_wan_dest_REJECT
- [0:0] -A zone_lan_forward -p tcp -m tcp --dport 853 -m comment --comment "!fw3: Deny-DoT" -j zone_wan_dest_REJECT
- [0:0] -A zone_lan_forward -p udp -m udp --dport 853 -m comment --comment "!fw3: Deny-DoT" -j zone_wan_dest_REJECT
- [0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
- [0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
- [0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
- [0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
- [0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [2:296] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- [0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_wan_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
- [0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
- [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- [0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- [0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
- [0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- [0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
- [0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
- [0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
- [0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
- [0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
- [0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- [0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
- [2:296] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
- [2:296] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- [0:0] -A zone_wan_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- [0:0] -A zone_wan_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- COMMIT
- # Completed on Thu Sep 16 17:00:16 2021