- https://openwrt.org/docs/guide-user/services/dns/intercept
- Firewall:
- Warning: Unable to locate ipset utility, disabling ipset support
- * Flushing IPv4 filter table
- * Flushing IPv4 nat table
- * Flushing IPv4 mangle table
- * Flushing IPv6 filter table
- * Flushing IPv6 nat table
- * Flushing IPv6 mangle table
- * Flushing conntrack table ...
- * Populating IPv4 filter table
- * Rule 'Allow-DHCP-Renew'
- * Rule 'Allow-Ping'
- * Rule 'Allow-IGMP'
- * Rule 'Allow-IPSec-ESP'
- * Rule 'Allow-ISAKMP'
- * Redirect 'Intercept-DNS'
- * Forward 'lan' -> 'wan'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv4 nat table
- * Redirect 'Intercept-DNS'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv4 mangle table
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv6 filter table
- * Rule 'Allow-DHCPv6'
- * Rule 'Allow-MLD'
- * Rule 'Allow-ICMPv6-Input'
- * Rule 'Allow-ICMPv6-Forward'
- * Rule 'Allow-IPSec-ESP'
- * Rule 'Allow-ISAKMP'
- * Forward 'lan' -> 'wan'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv6 nat table
- Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv6 mangle table
- * Zone 'lan'
- * Zone 'wan'
- * Set tcp_ecn to off
- * Set tcp_syncookies to on
- * Set tcp_window_scaling to on
- * Running script '/etc/firewall.user'
- * Running script '/etc/firewall.nat6'
- NAT6:
- Warning: Unable to locate ipset utility, disabling ipset support
- * Flushing IPv4 filter table
- * Flushing IPv4 nat table
- * Flushing IPv4 mangle table
- * Flushing IPv6 filter table
- * Flushing IPv6 nat table
- * Flushing IPv6 mangle table
- * Flushing conntrack table ...
- * Populating IPv4 filter table
- * Rule 'Allow-DHCP-Renew'
- * Rule 'Allow-Ping'
- * Rule 'Allow-IGMP'
- * Rule 'Allow-IPSec-ESP'
- * Rule 'Allow-ISAKMP'
- * Redirect 'Intercept-DNS'
- * Forward 'lan' -> 'wan'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv4 nat table
- * Redirect 'Intercept-DNS'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv4 mangle table
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv6 filter table
- * Rule 'Allow-DHCPv6'
- * Rule 'Allow-MLD'
- * Rule 'Allow-ICMPv6-Input'
- * Rule 'Allow-ICMPv6-Forward'
- * Rule 'Allow-IPSec-ESP'
- * Rule 'Allow-ISAKMP'
- * Forward 'lan' -> 'wan'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv6 nat table
- Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv6 mangle table
- * Zone 'lan'
- * Zone 'wan'
- * Set tcp_ecn to off
- * Set tcp_syncookies to on
- * Set tcp_window_scaling to on
- * Running script '/etc/firewall.user'
- * Running script '/etc/firewall.nat6'
- firewall restart:
- /etc/init.d/firewall restart
- Warning: Unable to locate ipset utility, disabling ipset support
- * Flushing IPv4 filter table
- * Flushing IPv4 nat table
- * Flushing IPv4 mangle table
- * Flushing IPv6 filter table
- * Flushing IPv6 nat table
- * Flushing IPv6 mangle table
- * Flushing conntrack table ...
- * Populating IPv4 filter table
- * Rule 'Allow-DHCP-Renew'
- * Rule 'Allow-Ping'
- * Rule 'Allow-IGMP'
- * Rule 'Allow-IPSec-ESP'
- * Rule 'Allow-ISAKMP'
- * Redirect 'Intercept-DNS'
- * Forward 'lan' -> 'wan'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv4 nat table
- * Redirect 'Intercept-DNS'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv4 mangle table
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv6 filter table
- * Rule 'Allow-DHCPv6'
- * Rule 'Allow-MLD'
- * Rule 'Allow-ICMPv6-Input'
- * Rule 'Allow-ICMPv6-Forward'
- * Rule 'Allow-IPSec-ESP'
- * Rule 'Allow-ISAKMP'
- * Forward 'lan' -> 'wan'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv6 nat table
- Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
- Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
- * Zone 'lan'
- * Zone 'wan'
- * Populating IPv6 mangle table
- * Zone 'lan'
- * Zone 'wan'
- * Set tcp_ecn to off
- * Set tcp_syncookies to on
- * Set tcp_window_scaling to on
- * Running script '/etc/firewall.user'
- * Running script '/etc/firewall.nat6'
- iptables-save:
- # Generated by iptables-save v1.6.2 on Sun Nov 10 07:02:06 2019
- *nat
- :PREROUTING ACCEPT [100:9439]
- :INPUT ACCEPT [103:6805]
- :OUTPUT ACCEPT [20:1360]
- :POSTROUTING ACCEPT [2:160]
- :postrouting_lan_rule - [0:0]
- :postrouting_rule - [0:0]
- :postrouting_wan_rule - [0:0]
- :prerouting_lan_rule - [0:0]
- :prerouting_rule - [0:0]
- :prerouting_wan_rule - [0:0]
- :zone_lan_postrouting - [0:0]
- :zone_lan_prerouting - [0:0]
- :zone_wan_postrouting - [0:0]
- :zone_wan_prerouting - [0:0]
- -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
- -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
- -A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
- -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
- -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
- -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
- -A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
- -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
- -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
- -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
- -A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
- -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
- -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
- -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
- -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
- COMMIT
- # Completed on Sun Nov 10 07:02:06 2019
- # Generated by iptables-save v1.6.2 on Sun Nov 10 07:02:06 2019
- *mangle
- :PREROUTING ACCEPT [801:151133]
- :INPUT ACCEPT [309:30331]
- :FORWARD ACCEPT [472:119970]
- :OUTPUT ACCEPT [312:48140]
- :POSTROUTING ACCEPT [775:167750]
- -A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- COMMIT
- # Completed on Sun Nov 10 07:02:06 2019
- # Generated by iptables-save v1.6.2 on Sun Nov 10 07:02:06 2019
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [0:0]
- :forwarding_lan_rule - [0:0]
- :forwarding_rule - [0:0]
- :forwarding_wan_rule - [0:0]
- :input_lan_rule - [0:0]
- :input_rule - [0:0]
- :input_wan_rule - [0:0]
- :output_lan_rule - [0:0]
- :output_rule - [0:0]
- :output_wan_rule - [0:0]
- :reject - [0:0]
- :syn_flood - [0:0]
- :zone_lan_dest_ACCEPT - [0:0]
- :zone_lan_forward - [0:0]
- :zone_lan_input - [0:0]
- :zone_lan_output - [0:0]
- :zone_lan_src_ACCEPT - [0:0]
- :zone_wan_dest_ACCEPT - [0:0]
- :zone_wan_dest_REJECT - [0:0]
- :zone_wan_forward - [0:0]
- :zone_wan_input - [0:0]
- :zone_wan_output - [0:0]
- :zone_wan_src_REJECT - [0:0]
- -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
- -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
- -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
- -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
- -A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
- -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
- -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
- -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
- -A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
- -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
- -A FORWARD -m comment --comment "!fw3" -j reject
- -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
- -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
- -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
- -A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
- -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
- -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
- -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
- -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
- -A syn_flood -m comment --comment "!fw3" -j DROP
- -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
- -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
- -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
- -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
- -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
- -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- -A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
- -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
- -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
- -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
- -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
- -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
- -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
- -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
- -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- -A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
- -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
- COMMIT
- # Completed on Sun Nov 10 07:02:06 2019
- ip6tables-save:
- # Generated by ip6tables-save v1.6.2 on Sun Nov 10 07:02:51 2019
- *nat
- :PREROUTING ACCEPT [14:4830]
- :INPUT ACCEPT [35:3045]
- :OUTPUT ACCEPT [2:286]
- :POSTROUTING ACCEPT [2:286]
- :postrouting_lan_rule - [0:0]
- :postrouting_rule - [0:0]
- :postrouting_wan_rule - [0:0]
- :prerouting_lan_rule - [0:0]
- :prerouting_rule - [0:0]
- :prerouting_wan_rule - [0:0]
- :zone_lan_postrouting - [0:0]
- :zone_lan_prerouting - [0:0]
- :zone_wan_postrouting - [0:0]
- :zone_wan_prerouting - [0:0]
- -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
- -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
- -A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
- -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
- -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
- -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
- -A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
- -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
- -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
- -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
- -A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
- -A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
- -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
- -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
- COMMIT
- # Completed on Sun Nov 10 07:02:51 2019
- # Generated by ip6tables-save v1.6.2 on Sun Nov 10 07:02:51 2019
- *mangle
- :PREROUTING ACCEPT [76:9921]
- :INPUT ACCEPT [52:4271]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [52:9562]
- :POSTROUTING ACCEPT [52:9562]
- -A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- COMMIT
- # Completed on Sun Nov 10 07:02:51 2019
- # Generated by ip6tables-save v1.6.2 on Sun Nov 10 07:02:51 2019
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [0:0]
- :forwarding_lan_rule - [0:0]
- :forwarding_rule - [0:0]
- :forwarding_wan_rule - [0:0]
- :input_lan_rule - [0:0]
- :input_rule - [0:0]
- :input_wan_rule - [0:0]
- :output_lan_rule - [0:0]
- :output_rule - [0:0]
- :output_wan_rule - [0:0]
- :reject - [0:0]
- :syn_flood - [0:0]
- :zone_lan_dest_ACCEPT - [0:0]
- :zone_lan_forward - [0:0]
- :zone_lan_input - [0:0]
- :zone_lan_output - [0:0]
- :zone_lan_src_ACCEPT - [0:0]
- :zone_wan_dest_ACCEPT - [0:0]
- :zone_wan_dest_REJECT - [0:0]
- :zone_wan_forward - [0:0]
- :zone_wan_input - [0:0]
- :zone_wan_output - [0:0]
- :zone_wan_src_REJECT - [0:0]
- -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
- -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
- -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
- -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
- -A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
- -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
- -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
- -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
- -A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
- -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
- -A FORWARD -m comment --comment "!fw3" -j reject
- -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
- -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
- -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
- -A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
- -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
- -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
- -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
- -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
- -A syn_flood -m comment --comment "!fw3" -j DROP
- -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
- -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
- -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
- -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
- -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- -A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
- -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
- -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
- -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
- -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
- -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
- -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
- -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
- -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
- -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
- -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
- -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
- -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
- -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- -A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
- -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
- COMMIT
- # Completed on Sun Nov 10 07:02:51 2019
- uci show firewall:
- root@OpenWrt:~# uci show firewall
- firewall.@defaults[0]=defaults
- firewall.@defaults[0].syn_flood='1'
- firewall.@defaults[0].input='ACCEPT'
- firewall.@defaults[0].output='ACCEPT'
- firewall.@defaults[0].forward='REJECT'
- firewall.@zone[0]=zone
- firewall.@zone[0].name='lan'
- firewall.@zone[0].network='lan'
- firewall.@zone[0].input='ACCEPT'
- firewall.@zone[0].output='ACCEPT'
- firewall.@zone[0].forward='ACCEPT'
- firewall.@zone[1]=zone
- firewall.@zone[1].name='wan'
- firewall.@zone[1].network='wan' 'wan6'
- firewall.@zone[1].input='REJECT'
- firewall.@zone[1].output='ACCEPT'
- firewall.@zone[1].forward='REJECT'
- firewall.@zone[1].masq='1'
- firewall.@zone[1].mtu_fix='1'
- firewall.@forwarding[0]=forwarding
- firewall.@forwarding[0].src='lan'
- firewall.@forwarding[0].dest='wan'
- firewall.@rule[0]=rule
- firewall.@rule[0].name='Allow-DHCP-Renew'
- firewall.@rule[0].src='wan'
- firewall.@rule[0].proto='udp'
- firewall.@rule[0].dest_port='68'
- firewall.@rule[0].target='ACCEPT'
- firewall.@rule[0].family='ipv4'
- firewall.@rule[1]=rule
- firewall.@rule[1].name='Allow-Ping'
- firewall.@rule[1].src='wan'
- firewall.@rule[1].proto='icmp'
- firewall.@rule[1].icmp_type='echo-request'
- firewall.@rule[1].family='ipv4'
- firewall.@rule[1].target='ACCEPT'
- firewall.@rule[2]=rule
- firewall.@rule[2].name='Allow-IGMP'
- firewall.@rule[2].src='wan'
- firewall.@rule[2].proto='igmp'
- firewall.@rule[2].family='ipv4'
- firewall.@rule[2].target='ACCEPT'
- firewall.@rule[3]=rule
- firewall.@rule[3].name='Allow-DHCPv6'
- firewall.@rule[3].src='wan'
- firewall.@rule[3].proto='udp'
- firewall.@rule[3].src_ip='fc00::/6'
- firewall.@rule[3].dest_ip='fc00::/6'
- firewall.@rule[3].dest_port='546'
- firewall.@rule[3].family='ipv6'
- firewall.@rule[3].target='ACCEPT'
- firewall.@rule[4]=rule
- firewall.@rule[4].name='Allow-MLD'
- firewall.@rule[4].src='wan'
- firewall.@rule[4].proto='icmp'
- firewall.@rule[4].src_ip='fe80::/10'
- firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
- firewall.@rule[4].family='ipv6'
- firewall.@rule[4].target='ACCEPT'
- firewall.@rule[5]=rule
- firewall.@rule[5].name='Allow-ICMPv6-Input'
- firewall.@rule[5].src='wan'
- firewall.@rule[5].proto='icmp'
- firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
- firewall.@rule[5].limit='1000/sec'
- firewall.@rule[5].family='ipv6'
- firewall.@rule[5].target='ACCEPT'
- firewall.@rule[6]=rule
- firewall.@rule[6].name='Allow-ICMPv6-Forward'
- firewall.@rule[6].src='wan'
- firewall.@rule[6].dest='*'
- firewall.@rule[6].proto='icmp'
- firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
- firewall.@rule[6].limit='1000/sec'
- firewall.@rule[6].family='ipv6'
- firewall.@rule[6].target='ACCEPT'
- firewall.@rule[7]=rule
- firewall.@rule[7].name='Allow-IPSec-ESP'
- firewall.@rule[7].src='wan'
- firewall.@rule[7].dest='lan'
- firewall.@rule[7].proto='esp'
- firewall.@rule[7].target='ACCEPT'
- firewall.@rule[8]=rule
- firewall.@rule[8].name='Allow-ISAKMP'
- firewall.@rule[8].src='wan'
- firewall.@rule[8].dest='lan'
- firewall.@rule[8].dest_port='500'
- firewall.@rule[8].proto='udp'
- firewall.@rule[8].target='ACCEPT'
- firewall.@include[0]=include
- firewall.@include[0].path='/etc/firewall.user'
- firewall.dns_int=redirect
- firewall.dns_int.name='Intercept-DNS'
- firewall.dns_int.src='lan'
- firewall.dns_int.src_dport='53'
- firewall.dns_int.family='ipv4'
- firewall.dns_int.proto='tcpudp'
- firewall.dns_int.target='DNAT'
- firewall.nat6=include
- firewall.nat6.path='/etc/firewall.nat6'
- firewall.nat6.reload='1'