
OpenWrt WHITE RUSSIAN (0.9) S35firewall script

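#!/bin/sh
#
# OpenWrt White Russian (0.9) S35firewall: builds the base iptables filter and
# nat rulesets, then hands over to the user hooks.
#
## Please make changes in /etc/firewall.user
#
# Notes for anyone reviewing this ruleset:
#  * Default policies are DROP on INPUT, OUTPUT and FORWARD; the rules below
#    open holes selectively and anything unmatched falls through to DROP/REJECT.
#  * Interface names come from nvram. An empty wan_ifname (WAN not configured
#    yet) would otherwise yield malformed iptables invocations, so every
#    WAN-specific rule is guarded and simply skipped when $WAN is empty, the
#    same way LAN_ACCEPT already guards it.
#  * /etc/firewall.user is sourced and /etc/config/firewall is translated to
#    shell by awk and piped into ash. Both execute as root, so both files must
#    be writable by root only.

. /etc/functions.sh
WAN="$(nvram get wan_ifname)"
WANDEV="$(nvram get wan_device)"
LAN="$(nvram get lan_ifname)"

## CLEAR TABLES
# Only filter and nat are reset; the mangle table is left untouched.
for T in filter nat; do
  iptables -t "$T" -F
  iptables -t "$T" -X
done

# Hook chains filled by /etc/firewall.user and the generated config rules.
iptables -N input_rule
iptables -N input_wan
iptables -N output_rule
iptables -N forwarding_rule
iptables -N forwarding_wan

iptables -t nat -N NEW
iptables -t nat -N prerouting_wan
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

# LAN_ACCEPT: accept unless the packet arrived on a WAN interface.
# NOTE: this is "everything that is not WAN", so any extra interface (a guest
# wireless VLAN, for example) is treated as trusted unless excluded here.
iptables -N LAN_ACCEPT
[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
if [ -n "$WANDEV" ] && [ "$WANDEV" != "$WAN" ]; then
  iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
fi
iptables -A LAN_ACCEPT -j ACCEPT

### INPUT
###  (connections with the router as destination)

  # base case
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Drop SYNs that carry no MSS option (TCP option kind 2). Normal TCP stacks
  # include one, so such packets are almost certainly crafted or malformed.
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -j input_rule
  [ -z "$WAN" ] || iptables -A INPUT -i "$WAN" -j input_wan

  # allow
  iptables -A INPUT -j LAN_ACCEPT   # allow from lan/wifi interfaces
  # NOTE: the two rules below are not restricted to the LAN side. All ICMP
  # (echo-request included) and GRE (PPTP passthrough) are also accepted from
  # WAN; tighten this in input_wan via /etc/firewall.user if unwanted.
  iptables -A INPUT -p icmp -j ACCEPT   # allow ICMP
  iptables -A INPUT -p gre  -j ACCEPT   # allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
### (connections with the router as source)

  # base case
  iptables -P OUTPUT DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A OUTPUT -j output_rule

  # allow
  iptables -A OUTPUT -j ACCEPT      #allow everything out

  # reject (what to do with anything not allowed earlier)
  # Unreachable while the blanket ACCEPT above is present; kept so the chain
  # still terminates deterministically if that ACCEPT is removed or narrowed.
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
### (connections routed through the router)

  # base case
  iptables -P FORWARD DROP
  iptables -A FORWARD -m state --state INVALID -j DROP
  # Clamp MSS on forwarded SYNs so a smaller PPPoE/tunnel MTU does not stall TCP.
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A FORWARD -j forwarding_rule
  [ -z "$WAN" ] || iptables -A FORWARD -i "$WAN" -j forwarding_wan

  # allow
  # Intra-bridge traffic; br0 is hard-coded here rather than taken from $LAN.
  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  # LAN -> WAN only. WAN -> LAN needs an explicit rule (forwarding_wan / DNAT).
  [ -z "$WAN" ] || iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

### MASQ
  # Every NEW connection, from any interface, is run through the NEW chain.
  iptables -t nat -A PREROUTING -m state --state NEW -j NEW
  iptables -t nat -A PREROUTING -j prerouting_rule
  [ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan

  iptables -t nat -A POSTROUTING -j postrouting_rule
  [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

  # Global new-connection rate limit: 50/s with a burst of 100; anything beyond
  # is dropped. The limit is not per-source, so a SYN flood from WAN also
  # starves new connections from the LAN -- a blunt mitigation, not a
  # per-host one.
  iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
    iptables -t nat -A NEW -j DROP

## USER RULES
# Both hooks run as root: /etc/firewall.user is sourced verbatim and
# /etc/config/firewall is turned into shell by awk and executed by ash.
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -e /etc/config/firewall ] && {
    awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
}
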